Unexpected stack trace from Spring-Security-SAML when generating SP metadata?

I am attempting to integrate spring-security-saml with an existing application to allow that application to act as a service provider.

Unfortunately, I can't seem to get the metadata filter to work. The webapp boots up without any fuss, but when I hit $contextPath/saml/metadata, I receive the following stack trace in my logs.

2014-10-24 13:52:38,779 54025 [1045652139@qtp-718389251-8] WARN  org.mortbay.log - /sf/saml/metadata/
org.opensaml.saml2.metadata.provider.MetadataProviderException: No hosted service provider is configured and no alias was selected
        at org.springframework.security.saml.context.SAMLContextProviderImpl.populateLocalEntity(SAMLContextProviderImpl.java:311) ~[spring-security-saml2-core-1.0.0.RELEASE.jar:1.0.0.RELEASE]
        at org.springframework.security.saml.context.SAMLContextProviderImpl.populateLocalContext(SAMLContextProviderImpl.java:216) ~[spring-security-saml2-core-1.0.0.RELEASE.jar:1.0.0.RELEASE]
        at org.springframework.security.saml.context.SAMLContextProviderImpl.getLocalEntity(SAMLContextProviderImpl.java:107) ~[spring-security-saml2-core-1.0.0.RELEASE.jar:1.0.0.RELEASE]
        at org.springframework.security.saml.metadata.MetadataDisplayFilter.processMetadataDisplay(MetadataDisplayFilter.java:114) ~[spring-security-saml2-core-1.0.0.RELEASE.jar:1.0.0.RELEASE]
        at org.springframework.security.saml.metadata.MetadataDisplayFilter.doFilter(MetadataDisplayFilter.java:88) ~[spring-security-saml2-core-1.0.0.RELEASE.jar:1.0.0.RELEASE]
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[spring-security-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192) ~[spring-security-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166) ~[spring-security-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]

My metadata configuration is included below:

  <bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
    <constructor-arg ref="metadataGenerator"/>
  </bean>

  <bean id="metadataGenerator" class="org.springframework.security.saml.metadata.MetadataGenerator">
    <!--<property name="entityBaseURL" value="${env.shibboleth.entityBaseUrl}"/>-->
    <property name="bindingsSSO">
        <list>
            <value>redirect</value>
            <value>artifact</value>
        </list>
    </property>
    <property name="entityId" value="${env.shibboleth.entityId}"/>
    <prop
  </bean>

We are currently using:

  • spring version: 4.0.4.RELEASE
  • spring security version: 3.2.3.RELEASE
  • spring-security-saml2 version: 1.0.0.RELEASE

At this point, I'm largely at a loss, as we're not trying to do a multi-tenancy setup, which is the only place where alias is mentioned at length, and from what I can see, the metadataGenerator defines a service provider?

Tinned_Tuna Avatar asked Oct 24 '14 13:10

1 Answer

The metadataGeneratorFilter needs to be executed before invocation of the MetadataDisplayFilter, make sure to include the following declaration in your <security:http> element:

<security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>

Also, your value for entityId seems to suggest that you are using the same entityId for both your IDP (Shibboleth) and SP (Spring SAML application). Make sure that the value is unique for both of the entities.

Vladimír Schäfer Avatar answered Oct 29 '22 16:10
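The following Spring XML puts both points of the answer together in one security context: the `metadataGeneratorFilter` is registered `before="FIRST"` so the service provider entity exists in the metadata manager before `/saml/metadata/**` reaches the `MetadataDisplayFilter`, and the SP `entityId` is a value distinct from the IdP's. This is an added example written for this page, not the poster's or the project's own configuration; the entity IDs, base URL and `idp.xml` path are constructed placeholders, and the `samlEntryPoint` and `parserPool` beans it references are assumed to be defined elsewhere in the context, as in the library's sample configuration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the original poster's config. Entity IDs, base URL
     and the IdP metadata path are constructed placeholders; samlEntryPoint
     and parserPool are assumed to be declared elsewhere in this context. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security.xsd">

  <!-- Filter order is the fix: metadataGeneratorFilter runs FIRST, so the SP
       entity is registered in the MetadataManager before any /saml/** filter
       (including MetadataDisplayFilter) asks for the local entity. -->
  <security:http entry-point-ref="samlEntryPoint" use-expressions="false">
    <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
    <security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
    <security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
  </security:http>

  <!-- Routes /saml/metadata/** to MetadataDisplayFilter. When the generator has
       not run yet, this is the filter whose getLocalEntity() call fails with
       "No hosted service provider is configured and no alias was selected". -->
  <bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy">
    <security:filter-chain-map request-matcher="ant">
      <security:filter-chain pattern="/saml/login/**" filters="samlEntryPoint"/>
      <security:filter-chain pattern="/saml/metadata/**" filters="metadataDisplayFilter"/>
    </security:filter-chain-map>
  </bean>

  <bean id="metadataDisplayFilter"
        class="org.springframework.security.saml.metadata.MetadataDisplayFilter"/>

  <bean id="metadataGeneratorFilter"
        class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
    <constructor-arg ref="metadataGenerator"/>
  </bean>

  <!-- SP identity. The entityId is the SP's own, deliberately different from
       the IdP's entityID carried in idp.xml (the answer's second point). -->
  <bean id="metadataGenerator" class="org.springframework.security.saml.metadata.MetadataGenerator">
    <property name="entityId" value="https://sp.example.test/sf/saml/metadata"/> <!-- placeholder -->
    <property name="entityBaseURL" value="https://sp.example.test/sf"/>           <!-- placeholder -->
    <property name="bindingsSSO">
      <list>
        <value>redirect</value>
        <value>artifact</value>
      </list>
    </property>
    <property name="extendedMetadata">
      <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
        <!-- Sign the generated SP metadata so the IdP can verify its origin. -->
        <property name="signMetadata" value="true"/>
      </bean>
    </property>
  </bean>

  <!-- Remote IdP (Shibboleth) metadata, loaded from a file with its own entityID. -->
  <bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
    <constructor-arg>
      <list>
        <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
          <constructor-arg>
            <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
              <constructor-arg>
                <value type="java.io.File">classpath:security/idp.xml</value> <!-- placeholder -->
              </constructor-arg>
              <property name="parserPool" ref="parserPool"/>
            </bean>
          </constructor-arg>
          <constructor-arg>
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadata"/>
          </constructor-arg>
        </bean>
      </list>
    </constructor-arg>
  </bean>
</beans>
```

After the application starts, requesting `$contextPath/saml/metadata` should return an `EntityDescriptor` whose `entityID` matches the SP value above and an `SPSSODescriptor` listing the redirect and artifact `AssertionConsumerService` bindings; if the `entityID` in the response matches the IdP's, the two entities are still sharing an identifier and the second point of the answer has not been applied.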