Simon

Reputation: 37

How can we support two metadata providers for the same IdP in the Metadata Manager?

We have an application that is acting as the Service Provider. We allow customers to configure their IdP metadata fields in our system or upload a metadata file. We run into an issue when two customers try to configure the same IdP metadata in our system, as the CachingMetadataManager will have a conflict on the caching map key (the IdP entity ID).

What is the best way to support this requirement, as we are preparing for the case where customer 1 adds IdP metadata to our system for IdP X (such as SSOCircle) and then customer 2 adds slightly different (for whatever reason) IdP metadata to our system for the same IdP X?

We realize that the IdP metadata should generally be exactly the same for both customers, but in some cases where they are different, is this supported somehow in the Spring Security SAML library?

Thanks

Upvotes: 1

Views: 1704

Answers (3)

Yogesh Jadhav

Reputation: 51

Please refer to the solution I posted here: just keep entityIDs unique for each IdP's metadata.

Spring SAML extension for multiple IDP'S

Upvotes: 0

Spring SAML doesn't support importing metadata with the same entity ID multiple times (it has only partial support for multi-tenancy). Such a use case would require customization of the Spring SAML library.

Changing the metadata's entity ID to a unique value would break checks performed during single sign-on: the value must be the same as the one used by the IdP when issuing SAML assertions.

In case you'd like help implementing such a solution, feel free to contact Spring SAML's commercial support.

Upvotes: 1
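Added illustration (not Spring SAML code, and not from any poster above): a small library-independent model of the two points raised in the question and in the answer just above. A registry keyed on `entityID`, as the question says CachingMetadataManager is, cannot hold two different metadata variants for the same IdP, and the workaround of giving the second copy a unique `entityID` leaves a registry entry that no longer matches the `<saml:Issuer>` the real IdP puts in its assertions. The metadata documents, the assertion and the registry class are all constructed for this example.

```python
"""Constructed demo: entityID-keyed IdP metadata and the SSO issuer check."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
IDP_ENTITY_ID = "https://idp.example.org/idp"  # constructed, not a real IdP


def q(ns, tag):
    """Clark-notation tag name for ElementTree lookups."""
    return "{%s}%s" % (ns, tag)


# Constructed metadata: two customers upload the same IdP, differing in one field.
CUSTOMER1_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="{IDP_ENTITY_ID}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

CUSTOMER2_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="{IDP_ENTITY_ID}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed assertion: the real IdP always names its own entityID as Issuer.
ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed1" Version="2.0">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
</saml:Assertion>"""


def parse_idp_metadata(xml_text):
    """Extract the fields the registry cares about from an EntityDescriptor."""
    root = ET.fromstring(xml_text)
    sso = root.find(q(MD_NS, "IDPSSODescriptor") + "/" + q(MD_NS, "SingleSignOnService"))
    return {"entityID": root.get("entityID"),
            "sso_binding": sso.get("Binding"),
            "sso_location": sso.get("Location")}


class EntityIdKeyedRegistry:
    """Models a manager that indexes IdP metadata by entityID (hypothetical stand-in).

    Design choice for this demo: a second, different document for an entityID that
    is already present is refused and recorded, rather than silently overwriting
    the first customer's configuration.
    """

    def __init__(self):
        self._by_entity_id = {}
        self.conflicts = []

    def add(self, owner, xml_text):
        md = parse_idp_metadata(xml_text)
        key = md["entityID"]
        existing = self._by_entity_id.get(key)
        if existing is not None and existing["metadata"] != md:
            self.conflicts.append((key, existing["owner"], owner))
            return False
        self._by_entity_id[key] = {"owner": owner, "metadata": md}
        return True

    def lookup(self, entity_id):
        return self._by_entity_id.get(entity_id)


def with_unique_entity_id(xml_text, suffix):
    """The workaround proposed in two answers: rewrite the entityID so it is unique."""
    root = ET.fromstring(xml_text)
    root.set("entityID", root.get("entityID") + suffix)
    return ET.tostring(root, encoding="unicode")


def assertion_issuer(assertion_xml):
    return ET.fromstring(assertion_xml).findtext(q(SAML_NS, "Issuer"))


def issuer_is_registered(registry, assertion_xml):
    """SSO-time check: the assertion's Issuer must equal a registered entityID."""
    return registry.lookup(assertion_issuer(assertion_xml)) is not None


def demo():
    reg = EntityIdKeyedRegistry()
    first_ok = reg.add("customer1", CUSTOMER1_IDP_METADATA)
    second_ok = reg.add("customer2", CUSTOMER2_IDP_METADATA)  # same key, different doc
    renamed = with_unique_entity_id(CUSTOMER2_IDP_METADATA, "#customer2")
    renamed_ok = reg.add("customer2", renamed)  # now fits, under a key the IdP never uses
    only_renamed = EntityIdKeyedRegistry()
    only_renamed.add("customer2", renamed)
    return {"first_added": first_ok,
            "second_conflicts": not second_ok,
            "conflicts": list(reg.conflicts),
            "renamed_added": renamed_ok,
            "issuer_matches_original": issuer_is_registered(reg, ASSERTION),
            "issuer_matches_renamed_only": issuer_is_registered(only_renamed, ASSERTION)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last result is the point of the second answer: once customer 2's copy is registered under `https://idp.example.org/idp#customer2`, an assertion from the real IdP (Issuer `https://idp.example.org/idp`) finds no matching entry, so the renamed metadata cannot complete single sign-on. The refusal in `add` is this demo's choice; it records who collided with whom, which is what an operator would want logged when the second customer uploads a different copy of the same IdP.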

webjockey

Reputation: 1755

You can add as many IdPs as you like to the CachingMetadataManager, but in the IDP.xml the entityID value must be unique. So keep the IDP.xml identical per your requirement, change whatever is needed, and update the entityID to a unique value.

Upvotes: 0
