restore saml entity id alias #3966
Merged
…a URL

When login.entityID is a full URL (e.g. https://example.com/uaa) and login.saml.entityIDAlias is not set, UaaRelyingPartyRegistrationResolver derives the alias as the full URL while the repo derives it as just the hostname. The resulting endsWith mismatch causes the resolver to fall through to DefaultRelyingPartyRegistrationRepository (stub cert), which cannot validate the IdP-signed assertion → redirect to /saml_error. Adds IdpInitiatedSsoWithUrlEntityIdTests to SamlAuthenticationMockMvcTests and a responseWithAssertionsForDestination helper to Saml2TestUtils. The new test intentionally fails until the fix is applied.
…yID is a URL

When login.entityID is a full URL and login.saml.entityIDAlias is not configured, UaaRelyingPartyRegistrationResolver was using the full URL as the alias fallback while SamlRelyingPartyRegistrationRepositoryConfig (the repo) was already extracting just the hostname via UaaStringUtils.getHostIfArgIsURL(). This mismatch caused the resolver's endsWith check to always fail for URL-form entity IDs, forcing the fallback to DefaultRelyingPartyRegistrationRepository (stub cert) → "Invalid signature" for IDP-initiated SSO. Fix: apply the same getHostIfArgIsURL derivation in the resolver bean so both code paths agree on the alias without requiring operators to explicitly set login.saml.entityIDAlias. Behaviour is unchanged when entityID is already a plain hostname (getHostIfArgIsURL returns it as-is). Partial fix introduced in b2e36ec ("Addressing issue #3661") which updated the repo but not the resolver.
Adds two new nested tests to SamlAuthenticationMockMvcTests that verify
IDP-initiated SSO works in non-default identity zones when login.entityID
is a plain string:
- idpInitiatedSso_subdomainZone_succeeds: zone resolved via Host header subdomain
- idpInitiatedSso_zonePathZone_succeeds: zone resolved via /z/{subdomain}/ path prefix
Both tests register a classpath-based test IdP (test-saml-idp-metadata-redirect-binding.xml)
with its entity ID explicitly stored in external_key — required because SamlIdentityProviderDefinition
classifies classpath: URLs as UNKNOWN type, preventing dynamic entity-ID resolution via
SamlIdentityProviderConfigurator.getExtendedMetadataDelegate. Setting idpEntityId before
create() causes JdbcIdentityProviderProvisioning to persist it as external_key, enabling
ConfiguratorRelyingPartyRegistrationRepository.getIdentityProviderDefinitionsForIssuer to
find the correct registration by issuer entity ID.
Also overloads createMockSamlIdpInSpZone to accept an optional idpEntityId parameter.
…up. It is not recoverable
strehle approved these changes (Jun 29, 2026)
duanemay approved these changes (Jun 29, 2026)
The fix to #3661 was incomplete. It allowed the SP-initiated authentication to work, but the missing piece is IDP-initiated authentication.
The fix is in server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlRelyingPartyRegistrationRepositoryConfig.java line 113. The rest of the PR is test cases and documentation.
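The alias mismatch the commit messages and the PR description describe can be reproduced outside UAA. The following is an added example, not code from this PR or from the UAA code base: `getHostIfArgIsURL` is a stand-in for `UaaStringUtils.getHostIfArgIsURL` written from the commit message's description (host of a URL, otherwise the input unchanged), and the `endsWith` match is an assumed shape of the resolver's lookup; the two entity ID values are constructed inputs.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added example (not UAA's own code): models the two alias derivations that
// diverged for URL-form login.entityID, and the fix that makes them agree.
public class EntityIdAliasExample {

    // Assumed stand-in for UaaStringUtils.getHostIfArgIsURL: host part of an
    // absolute URL, otherwise the argument unchanged (plain hostnames pass through).
    static String getHostIfArgIsURL(String arg) {
        try {
            URI uri = new URI(arg);
            if (uri.getScheme() != null && uri.getHost() != null) {
                return uri.getHost();
            }
        } catch (URISyntaxException ignored) {
            // not a URL at all: return the argument as-is
        }
        return arg;
    }

    // Repo side (SamlRelyingPartyRegistrationRepositoryConfig after b2e36ec):
    // explicit alias wins, else the hostname derived from the entity ID.
    static String repositoryAlias(String entityId, String entityIdAlias) {
        return entityIdAlias != null ? entityIdAlias : getHostIfArgIsURL(entityId);
    }

    // Resolver side before this PR: explicit alias wins, else the raw entity ID.
    static String resolverAliasBefore(String entityId, String entityIdAlias) {
        return entityIdAlias != null ? entityIdAlias : entityId;
    }

    // Resolver side after this PR: same derivation as the repo.
    static String resolverAliasAfter(String entityId, String entityIdAlias) {
        return entityIdAlias != null ? entityIdAlias : getHostIfArgIsURL(entityId);
    }

    // Assumed shape of the resolver's check: a registration is selected only when
    // the repo-side alias ends with the alias the resolver derived. When this is
    // false the resolver falls through to the stub-cert default repository.
    static boolean registrationSelected(String repoAlias, String resolverAlias) {
        return repoAlias.endsWith(resolverAlias);
    }

    static void report(String label, String entityId, String entityIdAlias) {
        String repo = repositoryAlias(entityId, entityIdAlias);
        String before = resolverAliasBefore(entityId, entityIdAlias);
        String after = resolverAliasAfter(entityId, entityIdAlias);
        System.out.printf("%s (entityID=%s, alias=%s)%n", label, entityId, entityIdAlias);
        System.out.printf("  repo alias            : %s%n", repo);
        System.out.printf("  resolver alias before : %s -> selected=%b%n",
                before, registrationSelected(repo, before));
        System.out.printf("  resolver alias after  : %s -> selected=%b%n",
                after, registrationSelected(repo, after));
    }

    public static void main(String[] args) {
        // Constructed inputs: URL-form entity ID with no explicit alias (the broken
        // case), a plain hostname (unchanged behaviour), and an explicit alias.
        report("URL entityID, no alias", "https://example.com/uaa", null);
        report("plain entityID, no alias", "cloudfoundry-saml-login", null);
        report("URL entityID, explicit alias", "https://example.com/uaa", "example.com");
    }
}
```

In the first case the repo derives `example.com` while the pre-fix resolver derives `https://example.com/uaa`, so `registrationSelected` is false and the stub-cert default repository is used; after the fix both sides derive `example.com`. The second and third cases come out identical before and after, which is the "behaviour is unchanged" property the commit message claims for plain hostnames and explicitly configured aliases.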