I have a few minor queries relating to getMetadata in SAML2SPLogic:

a) You can't get the metadata for a service via the REST API using the admin credentials due to the logic in SAML2SPLogic, e.g.

@PreAuthorize("hasRole('" + StandardEntitlement.ANONYMOUS + "')")

Should this be changed? It seems a bit odd to get a 403 when just downloading the metadata using the admin credentials.

b) The urlContext is not validated at all. For example, you can pass through something like "../../root" which is added to the metadata, e.g. Location="http://localhost:9080/syncope/../../root/assertion-consumer". Should we implement some kind of validation rules on what is acceptable here?

Colm.

--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
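One possible shape for the urlContext validation raised in point b), as an added example that is not part of the original message or of Syncope's code. The class name, method name and allow-list policy are assumptions; the base address and the "../../root" value come from the message, and the other sample inputs are constructed.

```java
import java.net.URI;
import java.util.regex.Pattern;

// Hypothetical helper (not Syncope code): validates urlContext before it is
// concatenated into an endpoint Location in the generated SP metadata.
public final class UrlContextValidator {

    // Assumed policy: slash-separated segments of letters, digits, '-', '_', '.',
    // where no segment may start with '.', so "." and ".." can never match.
    // '%' and '\' are not in the allow-list, so encoded dot segments fail too.
    private static final Pattern ALLOWED = Pattern.compile(
            "[A-Za-z0-9_-][A-Za-z0-9._-]*(/[A-Za-z0-9_-][A-Za-z0-9._-]*)*");

    private UrlContextValidator() {
    }

    public static String buildLocation(String base, String urlContext, String endpoint) {
        if (urlContext == null || !ALLOWED.matcher(urlContext).matches()) {
            throw new IllegalArgumentException("urlContext contains disallowed characters or segments");
        }
        String prefix = base.endsWith("/") ? base : base + "/";
        // Defence in depth: normalise the final URI and confirm it is still under the base.
        URI location = URI.create(prefix + urlContext + "/" + endpoint).normalize();
        if (!location.toString().startsWith(prefix)) {
            throw new IllegalArgumentException("urlContext escapes the base address");
        }
        return location.toString();
    }

    public static void main(String[] args) {
        String base = "http://localhost:9080/syncope/"; // base address from the message
        // "../../root" is the value from the message; the rest are constructed samples.
        String[] samples = {"saml2sp", "../../root", "a/%2e%2e/b", "ok/..", "//host", ""};
        for (String ctx : samples) {
            try {
                System.out.println("'" + ctx + "' -> " + buildLocation(base, ctx, "assertion-consumer"));
            } catch (IllegalArgumentException e) {
                System.out.println("'" + ctx + "' -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Rejecting the value outright, rather than normalising it and carrying on, keeps the Location written into the metadata identical to what the caller supplied.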