
SAML Service Provider (SP) metadata endpoint (`/auth/v1/sso/saml/metadata`) generates incorrect XML

Open TomFranse opened this issue 1 week ago • 2 comments

Bug report

I confirm this is a bug with Supabase, not with my own application. I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

The SAML Service Provider (SP) metadata endpoint (/auth/v1/sso/saml/metadata) generates incorrect XML that uses the Identity Provider's EntityID as the base for all SP service URLs, instead of using the Supabase project's own URLs. This prevents Identity Providers from correctly registering the Supabase project as a Service Provider.

Project Reference: cfcwwyrjkhjdlljtwcwv
SAML Provider ID: 9ce30628-ff73-402a-9066-76c7958df945

To Reproduce

Steps to reproduce the behavior:

  1. Add a SAML provider using the Supabase CLI:

    npx supabase sso add --type saml \
      --project-ref cfcwwyrjkhjdlljtwcwv \
      --domains kennisnet.org \
      --metadata-url https://engine.entree-s.kennisnet.nl/authentication/idp/metadata \
      --attribute-mapping-file <your-mapping-file.json>

  2. Verify the provider configuration shows correct Supabase URLs:

    npx supabase sso info --project-ref cfcwwyrjkhjdlljtwcwv

    Result: Shows correct Supabase URLs:

    Single sign-on URL (ACS URL) | https://cfcwwyrjkhjdlljtwcwv.supabase.co/auth/v1/sso/saml/acs
    Audience URI (SP Entity ID)  | https://cfcwwyrjkhjdlljtwcwv.supabase.co/auth/v1/sso/saml/metadata

  3. Fetch the generated SP metadata XML:

    curl https://cfcwwyrjkhjdlljtwcwv.supabase.co/auth/v1/sso/saml/metadata

  4. Inspect the EntityID and Location attributes in the XML.

  5. See error: All service URLs contain the IdP's EntityID instead of the Supabase project URL.

Expected behavior

The SP metadata XML should contain Supabase project URLs:

<EntityDescriptor entityID="https://cfcwwyrjkhjdlljtwcwv.supabase.co/auth/v1/sso/saml/metadata">
  <SPSSODescriptor>
    <SingleLogoutService Location="https://cfcwwyrjkhjdlljtwcwv.supabase.co/auth/v1/sso/slo" />
    <AssertionConsumerService Location="https://cfcwwyrjkhjdlljtwcwv.supabase.co/auth/v1/sso/saml/acs" />
  </SPSSODescriptor>
</EntityDescriptor>

This matches what supabase sso info reports as the correct configuration.

What happens instead:

The generated metadata incorrectly uses the IdP's EntityID as the base:

<EntityDescriptor entityID="https://engine.entree.kennisnet.nl/authentication/idp/metadata/sso/saml/metadata">
  <SPSSODescriptor>
    <SingleLogoutService Location="https://engine.entree.kennisnet.nl/authentication/idp/metadata/sso/saml/slo" />
    <AssertionConsumerService Location="https://engine.entree.kennisnet.nl/authentication/idp/metadata/sso/saml/acs" />
  </SPSSODescriptor>
</EntityDescriptor>

Where https://engine.entree.kennisnet.nl/authentication/idp/metadata is the Identity Provider's EntityID (not ours).

Screenshots

CLI shows correct configuration (supabase sso info):

PROPERTY                     | VALUE
-----------------------------|--------------------------------------------------------------------
Single sign-on URL (ACS URL) | https://cfcwwyrjkhjdlljtwcwv.supabase.co/auth/v1/sso/saml/acs
Audience URI (SP Entity ID)  | https://cfcwwyrjkhjdlljtwcwv.supabase.co/auth/v1/sso/saml/metadata
Default Relay State          | https://cfcwwyrjkhjdlljtwcwv.supabase.co

Generated metadata shows incorrect URLs (curl metadata endpoint):

entityID="https://engine.entree.kennisnet.nl/authentication/idp/metadata/sso/saml/metadata"
Location="https://engine.entree.kennisnet.nl/authentication/idp/metadata/sso/saml/acs"
Location="https://engine.entree.kennisnet.nl/authentication/idp/metadata/sso/saml/slo"

System information

  • OS: Windows 10
  • Version of Supabase CLI: Latest (via npx)
  • Node.js: v20.x
  • Project: cfcwwyrjkhjdlljtwcwv
  • SAML Provider ID: 9ce30628-ff73-402a-9066-76c7958df945

Additional context

Impact: This bug completely blocks SAML SSO integration because:

  • The Identity Provider (Entreefederatie) correctly rejects metadata claiming our service is hosted at their domain
  • Manual workarounds (editing XML) don't scale and break on metadata refresh
  • supabase sso info shows the configuration is correct, confirming this is a metadata generation bug

Root cause hypothesis: The metadata generation logic appears to append SP service paths (/sso/saml/acs, /sso/saml/metadata, etc.) to the IdP's EntityID instead of to the Supabase project's base URL.

Pattern observed:

  • IdP EntityID (correctly configured): https://engine.entree.kennisnet.nl/authentication/idp/metadata
  • Generated SP EntityID (incorrect): https://engine.entree.kennisnet.nl/authentication/idp/metadata/sso/saml/metadata
  • Expected SP EntityID: https://cfcwwyrjkhjdlljtwcwv.supabase.co/auth/v1/sso/saml/metadata

Identity Provider: Entreefederatie (Dutch education federation) - https://www.kennisnet.nl/diensten/entree-federatie/

Reproducibility: 100% - Occurs consistently after provider creation/recreation

Note: The issue persists even after:

  • Removing and re-adding the SAML provider
  • Using CLI instead of Dashboard for configuration
  • Verifying all configuration parameters are correct

TomFranse, Jan 05 '26 14:01
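A check for the condition this report describes, added here as an example (it is not Supabase's code and not the reporter's): it parses SP metadata, collects the entityID and every ACS/SLO Location regardless of XML namespace, and flags any URL that was built on the IdP's entityID instead of the project's own base URL. The project ref and IdP entityID are the values quoted in the report; the sample metadata strings are constructed in the shape shown above.

```python
import xml.etree.ElementTree as ET
PROJECT_BASE = "https://cfcwwyrjkhjdlljtwcwv.supabase.co"  # project URL quoted in the report
IDP_ENTITY_ID = "https://engine.entree.kennisnet.nl/authentication/idp/metadata"  # IdP entityID from the report

def sample_metadata(base):
    # Constructed sample in the shape quoted in the report: the entityID and every
    # service Location are produced by appending SP paths to `base`.
    return f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="{base}/sso/saml/metadata">
  <SPSSODescriptor>
    <SingleLogoutService Location="{base}/sso/slo"/>
    <AssertionConsumerService Location="{base}/sso/saml/acs"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

BAD_METADATA = sample_metadata(IDP_ENTITY_ID)               # what the endpoint returns (the bug)
GOOD_METADATA = sample_metadata(PROJECT_BASE + "/auth/v1")  # what the report expects

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # '{urn:oasis:names:tc:SAML:2.0:metadata}X' -> 'X'

def sp_service_urls(metadata_xml):
    """(element, url) pairs: the SP entityID plus every ACS/SLO Location, namespace-agnostic."""
    root = ET.fromstring(metadata_xml)
    found = [("EntityDescriptor", root.get("entityID"))]
    for el in root.iter():
        if _local(el.tag) in ("AssertionConsumerService", "SingleLogoutService"):
            found.append((_local(el.tag), el.get("Location")))
    return found

def check_sp_metadata(metadata_xml, project_base=PROJECT_BASE, idp_entity_id=IDP_ENTITY_ID):
    """Classify each SP URL: 'ok' on the project's own origin, 'idp-rooted' when built on the IdP entityID (this issue), else 'missing'/'unexpected'."""
    base, idp = project_base.rstrip("/"), idp_entity_id.rstrip("/")
    results = []
    for element, url in sp_service_urls(metadata_xml):
        if not url:
            verdict = "missing"
        elif url.startswith(base + "/"):  # exact scheme+host match; the trailing slash rejects host-prefix lookalikes
            verdict = "ok"
        elif url == idp or url.startswith(idp + "/"):
            verdict = "idp-rooted"
        else:
            verdict = "unexpected"
        results.append((element, url, verdict))
    return results

def metadata_is_sane(metadata_xml, **kw):
    """True only when every SP URL is rooted at the project base; run this before handing metadata to an IdP."""
    return all(v == "ok" for _, _, v in check_sp_metadata(metadata_xml, **kw))
```

Pointing `check_sp_metadata` at the body returned by the `curl` step above reproduces the "idp-rooted" verdicts the report shows for all three URLs.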