Skip to content

Fix: skipSslValidation ignored when fetching SAML IDP metadata during login #3971

Open
duanemay wants to merge 2 commits into
developfrom
saml-skip-ssl-validation
Open

Fix: skipSslValidation ignored when fetching SAML IDP metadata during login #3971
duanemay wants to merge 2 commits into
developfrom
saml-skip-ssl-validation

Conversation

@duanemay

@duanemay duanemay commented Jul 2, 2026

Copy link
Copy Markdown
Member

Problem

SAML login fails with:

org.springframework.security.saml2.Saml2Exception: Unable to build SAML relying party
registration for:
Caused by: javax.net.ssl.SSLHandshakeException: (certificate_unknown) PKIX path building
failed: unable to find valid certification path to requested target

...for SAML IDPs whose metadata endpoint uses a certificate the JVM's default trust
store doesn't trust (self-signed, internal CA, etc.) — even when the IDP is
configured with skipSslValidation: true.

Root cause

UAA has two separate SAML metadata-fetch code paths:

  • Admin validate path (SamlIdentityProviderConfigurator.configureURLMetadata
    FixedHttpMetaDataProvider) — correctly honors the per-IDP skipSslValidation flag
    and caches results.
  • Live login path (ConfiguratorRelyingPartyRegistrationRepository
    RelyingPartyRegistrationBuilder → Spring Security's
    RelyingPartyRegistrations.fromMetadataLocation()) — does a raw HttpsURLConnection
    fetch on every SSO redirect, using only the JVM's default trust store, and
    completely ignoring skipSslValidation.

This means an IDP can validate/save successfully in the admin UI/API but fail on every
actual login.

duanemay and others added 2 commits July 2, 2026 17:20
…ogin

The live SSO login path (ConfiguratorRelyingPartyRegistrationRepository /
SamlRelyingPartyRegistrationRepositoryConfig) built relying party
registrations by handing the IDP's metadata URL straight to Spring
Security's RelyingPartyRegistrations.fromMetadataLocation(), which fetches
over a raw HttpsURLConnection using only the JVM's default trust store.
That path completely ignored the per-IDP skipSslValidation flag, unlike
the admin validate path (SamlIdentityProviderConfigurator.configureURLMetadata),
which correctly honors it via FixedHttpMetaDataProvider. This let an IDP
validate/save successfully while every actual login failed with
SSLHandshakeException/PKIX path building errors whenever the IDP's
metadata endpoint used a certificate the JVM didn't trust.

Extract SamlIdentityProviderConfigurator.resolveMetadataXml(), which
fetches URL-type metadata through the same skipSslValidation-aware,
caching FixedHttpMetaDataProvider used for admin validation, and route
both the DB/API-managed and bootstrap-YAML login paths through it instead
of handing a raw URL to Spring Security. This also picks up
FixedHttpMetaDataProvider's cache, so login no longer performs a live
metadata fetch on every SSO redirect.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings July 2, 2026 22:01

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes SAML login failures for IDPs whose metadata URL uses an untrusted TLS certificate by ensuring the live login metadata fetch path honors the per-IDP skipSslValidation flag (reusing the same FixedHttpMetaDataProvider behavior as the admin validation path).

Changes:

  • Route relying-party registration building through SamlIdentityProviderConfigurator.resolveMetadataXml(...) so URL metadata is fetched with skipSslValidation support and then parsed as literal XML.
  • Refactor SamlIdentityProviderConfigurator to expose resolveMetadataXml(...) and reuse it for the URL-metadata path.
  • Add an HTTPS integration-style test that exercises a self-signed metadata endpoint and asserts login-path registration succeeds when skipSslValidation=true.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File Description
server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlRelyingPartyRegistrationRepositoryConfig.java Uses configurator metadata resolution so skip-SSL behavior is honored when building registrations.
server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlIdentityProviderConfigurator.java Introduces resolveMetadataXml(...) and reuses it for URL metadata handling.
server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/ConfiguratorRelyingPartyRegistrationRepository.java Switches metadata input from raw location to resolved XML to avoid Spring’s direct URL fetch behavior.
server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/ConfiguratorRelyingPartyRegistrationRepositoryTest.java Adds a test covering self-signed HTTPS metadata with skipSslValidation=true.

Comment on lines +161 to 165
public String resolveMetadataXml(SamlIdentityProviderDefinition def) {
if (def.getType() != SamlIdentityProviderDefinition.MetadataLocation.URL) {
return def.getMetaDataLocation();
}
try {
Comment on lines +395 to +398
// The metadata endpoint presents a self-signed cert the JVM does not trust.
// skipSslValidation=true should make UAA trust it here too, just like it does
// on the admin validate path -- today it does not, because the live login-path
// fetch (RelyingPartyRegistrations.fromMetadataLocation) ignores skipSslValidation.
Comment on lines +401 to +403
} finally {
httpsServer.stop(0);
}

@strehle strehle left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this skipssl for SAML metadata was alway a problem to me. In our landsapes we dont allow the automatic update but provision SAML metadata with API ... in the rare use cases.
We may allow the custom trust achor - as discussed - so do you really want it back ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Development

Successfully merging this pull request may close these issues.

3 participants