SAML Auto-Discovery
SamlValidationService validates SAML assertions without manual certificate configuration. It discovers the IdP metadata URL, downloads the signing certificate, caches it, and verifies the XML signature before returning attributes.
Validation pipeline
1. Base64-decode the assertion and parse the XML with XXE protections enabled.
2. Extract <Issuer>; reject the assertion if it is missing.
3. Trust check:
   - saml.idp.trust-mode=whitelist (default): the issuer must appear in saml.trusted.idp.
   - saml.idp.trust-mode=any: accept any issuer whose signature is valid.
4. Resolve the metadata URL in this order:
   - saml.idp.metadata.override (issuer-specific override map),
   - saml.idp.metadata.url (global override),
   - assertion hints (AuthnContext/AuthenticatingAuthority, then Extensions/MetadataURL),
   - fallback: <issuer>/metadata.
5. Validate the metadata URL:
   - HTTPS is required by default,
   - HTTP is allowed only when saml.metadata.allow-http=true,
   - loopback, private, link-local and cloud-metadata targets are blocked.
6. Download the metadata, select the signing certificates from KeyDescriptor and parse the X.509 certificates.
7. Cache the certificate per issuer (ConcurrentHashMap). The cache is in-memory for the process lifetime; clearCertificateCache() is available for tests and refresh.
8. Verify <ds:Signature> with the discovered certificate; reject missing or invalid signatures.
9. Extract attributes (only after signature verification): userid (fallback to NameID), affiliation (required; fallback from schacHomeOrganization), email or mail, displayName/cn, and schacHomeOrganization (multi-value list).
10. Return the attributes plus issuer for downstream services (SAML auth, institutional check-in, intents).
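Added illustration of steps 4 and 5 above, written for this page rather than taken from SamlValidationService: a Python sketch of the metadata URL precedence and of the URL guard that keeps a hinted URL from steering the fetch at loopback, private or cloud-metadata addresses. The function names, the injectable resolver and the cloud-metadata host list are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed policy list of well-known cloud instance-metadata endpoints. Both IPs
# already fall in link-local/ULA space; listing them keeps the intent explicit.
CLOUD_METADATA_HOSTS = {"169.254.169.254", "fd00:ec2::254", "metadata.google.internal"}


def resolve_metadata_url(issuer, hints=(), override_map=None, global_url=None):
    """Precedence from the pipeline: issuer override map, global override,
    assertion hints (AuthenticatingAuthority, then Extensions/MetadataURL),
    then the <issuer>/metadata fallback."""
    override_map = override_map or {}
    if issuer in override_map:
        return override_map[issuer]
    if global_url:
        return global_url
    for hint in hints:
        if hint:
            return hint
    return issuer.rstrip("/") + "/metadata"


def validate_metadata_url(url, allow_http=False, resolver=socket.getaddrinfo):
    """Return (ok, reason). Enforces the scheme rule and refuses any host that
    resolves to a loopback, private, link-local, unspecified or cloud-metadata
    address; the resolver is injectable so the check can be tested offline."""
    parts = urlsplit(url)
    if parts.scheme == "http" and not allow_http:
        return False, "http not allowed (set saml.metadata.allow-http=true)"
    if parts.scheme not in ("http", "https"):
        return False, "unsupported scheme %r" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host.lower() in CLOUD_METADATA_HOSTS:
        return False, "cloud metadata host"
    try:
        # Check every address, not just the first: a name that maps to one
        # public and one private address must still be rejected.
        addrs = {entry[4][0] for entry in resolver(host, None)}
    except OSError:
        return False, "unresolvable host"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped  # treat ::ffff:127.0.0.1 as 127.0.0.1
        if ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified:
            return False, "blocked address " + addr
    return True, "ok"
```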
Configuration
Failure modes
- Issuer not in the whitelist (when whitelist mode is enabled).
- Metadata URL blocked (localhost/private/cloud-metadata target or invalid scheme).
- No signing certificate in the metadata.
- Missing or invalid XML signature.
- Missing required attributes (userid/affiliation).
Where it is used
- POST /auth/saml-auth and /auth/saml-auth2 (3-layer validation).
- POST /auth/checkin-institutional.
- Intent submission flow (POST /intents) when SAML assertions are provided.