Describe the bug: Unable to generate the service provider metadata file using http://localhost:8091/saml2/service-provider-metadata/keycloak; it's redirecting to http://localhost:8091/saml2/authenticate?registrationId=keycloak
To Reproduce: Here is the sample repo https://github.com/nmanthena18/auth
Expected behavior: It should generate the metadata file.
Comment From: jzheaux
Hi, @nmanthena18, sorry that you are having trouble.
I am able to reproduce the behavior. What is happening is that there is an error in your configuration, and so the application forwards to Boot's `/error` endpoint. However, this endpoint is not permitted in your configuration.
When I added `/error` to your `permitAll()` list, the browser revealed the underlying error:
```
There was an unexpected error (type=Internal Server Error, status=500).
java.lang.IllegalArgumentException: Failed to resolve any signing credential
```
Note that this exception was also available in the logs, at least for me:
```
2025-02-03T14:59:17.536-07:00 ERROR 3211756 --- [auth] [nio-8091-exec-2] o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception
org.springframework.security.saml2.Saml2Exception: java.lang.IllegalArgumentException: Failed to resolve any signing credential
	at org.springframework.security.saml2.provider.service.web.authentication.OpenSaml4Template$OpenSaml4SignatureConfigurer.resolveSigningParameters(OpenSaml4Template.java:293) ~[spring-security-saml2-service-provider-6.4.2.jar:6.4.2]
...
```
I believe this is because your `RelyingPartyRegistration` declared in `SecurityConfig` doesn't have any configured signing keys. Though they are declared in your `application.properties`, because you are constructing your own `RelyingPartyRegistration`, you'll need to set those values yourself.
That said, I'm not sure why you are declaring one. It's possible it's because you've simplified the application, so I'm not seeing any custom settings. FWIW, when I remove the `RelyingPartyRegistrationRepository` `@Bean` declaration, it appears to redirect to the IdP without an issue.
In case you do need to declare your own `RelyingPartyRegistrationRepository` bean, consider taking a look at this sample for a way to import the private key and certificate into your configuration.
The last thing I'll mention is that the metadata endpoint needs to be configured, which you can do by adding `.saml2Metadata(withDefaults())` to your configuration.
At this point, I don't believe that there is a bug in Spring Security, so I'm going to close this. If you run into more trouble, please post a ticket to StackOverflow using the `spring-security` tag and paste the link to the question back here. Or, please feel free to log additional issues if you feel again that you've found a bug.