SAML metadata doesn't provide the assertion endpoint
Recently set up an ADFS login over SAML, only to run into issues due to the metadata missing the callback location.
It's even specifiable through the configuration file, so it should really exist in the generated metadata.
Example metadata:
<md:EntityDescriptor ID="_fe876d8e-1ae9-48eb-a5d8-9727d71cced0" entityID="https://gitlab.fqdn">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:AttributeConsumingService index="1" isDefault="true">
      <md:ServiceName xml:lang="en">Required attributes</md:ServiceName>
      <md:RequestedAttribute FriendlyName="Email address" Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
      <md:RequestedAttribute FriendlyName="Full name" Name="name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
      <md:RequestedAttribute FriendlyName="Given name" Name="first_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
      <md:RequestedAttribute FriendlyName="Family name" Name="last_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
The missing value would be something like: (Taken from Jenkins and the metadata block they generate)
    ...
    </md:AttributeConsumingService>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://gitlab.fqdn/users/auth/saml/callback" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
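As an added check, not part of this issue or of GitLab's own code, the following Python script (stdlib only) parses SP metadata, reports when it carries no AssertionConsumerService, and produces a repaired copy with the endpoint added in the position the metadata schema requires (AssertionConsumerService precedes AttributeConsumingService inside SPSSODescriptor). The sample input is the metadata quoted above, trimmed to two RequestedAttributes; the xmlns:md declaration on the root is an assumption, since the copy in the issue omits it but a parser needs it to resolve the md: prefix. The callback URL passed in is the one from the Jenkins-style snippet and is an assumption about this deployment.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NS = {"md": MD_NS}

# Constructed sample input: the SP metadata quoted in the issue, trimmed to two
# RequestedAttributes. The xmlns:md declaration on the root is an assumption;
# the issue's copy omits it, but a parser needs it to resolve the md: prefix.
SP_METADATA_WITHOUT_ACS = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    ID="_fe876d8e-1ae9-48eb-a5d8-9727d71cced0" entityID="https://gitlab.fqdn">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:AttributeConsumingService index="1" isDefault="true">
      <md:ServiceName xml:lang="en">Required attributes</md:ServiceName>
      <md:RequestedAttribute FriendlyName="Email address" Name="email"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
      <md:RequestedAttribute FriendlyName="Full name" Name="name"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _sp_descriptor(root):
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor; this is not SP metadata")
    return sp


def assertion_consumer_services(metadata_xml):
    """Return every AssertionConsumerService as a dict of binding, location, index."""
    sp = _sp_descriptor(ET.fromstring(metadata_xml))
    return [
        {
            "binding": acs.get("Binding"),
            "location": acs.get("Location"),
            "index": int(acs.get("index", "0")),
        }
        for acs in sp.findall("md:AssertionConsumerService", NS)
    ]


def check_sp_metadata(metadata_xml):
    """List the problems an IdP admin would hit importing this metadata (empty = OK)."""
    problems = []
    services = assertion_consumer_services(metadata_xml)
    if not services:
        problems.append("no AssertionConsumerService: the IdP has nowhere to send the Response")
    for svc in services:
        # The Response carries the assertion; it must not travel over plain http.
        if not (svc["location"] or "").startswith("https://"):
            problems.append(
                f"AssertionConsumerService index {svc['index']} is not https: {svc['location']}"
            )
    return problems


def add_assertion_consumer_service(metadata_xml, location, binding=HTTP_POST, index=0):
    """Return the metadata with an AssertionConsumerService element added.

    SPSSODescriptor children are ordered by the metadata schema, with
    AssertionConsumerService before AttributeConsumingService, so the new
    element is inserted ahead of the first AttributeConsumingService
    rather than appended at the end.
    """
    ET.register_namespace("md", MD_NS)  # keep the md: prefix on output
    root = ET.fromstring(metadata_xml)
    sp = _sp_descriptor(root)
    acs = ET.Element(f"{{{MD_NS}}}AssertionConsumerService")
    acs.set("Binding", binding)
    acs.set("Location", location)
    acs.set("index", str(index))
    children = list(sp)
    position = next(
        (i for i, child in enumerate(children)
         if child.tag == f"{{{MD_NS}}}AttributeConsumingService"),
        len(children),
    )
    sp.insert(position, acs)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(check_sp_metadata(SP_METADATA_WITHOUT_ACS))
    fixed = add_assertion_consumer_service(
        SP_METADATA_WITHOUT_ACS, "https://gitlab.fqdn/users/auth/saml/callback"
    )
    print(check_sp_metadata(fixed))
    print(fixed)
```

Run against the metadata above, the check reports the missing AssertionConsumerService; run against the repaired copy it reports nothing. The practical point is that when the endpoint is absent from the metadata, the IdP side (an ADFS relying party trust, for instance) ends up with the callback URL typed in by hand, which is exactly where a wrong host or path creeps in and breaks the login.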