fix: ensure correct SAML Entity ID in client SSO flow

When initiating a SAML client flow via the /sso endpoint, the service provider object Entity ID is omitted from the initialization options, causing the underlying saml library to incorrectly use the metadata URL for the SAML server as the Entity ID.

This causes some service providers (e.g. Microsoft Entra ID) to reject the SAML authentication request, as the inferred supabase auth server metadata URL does not match the provider's Entity ID.

This change ensures the service provider is correctly initialized with the provider Entity ID during the client auth flow, while retaining the existing behavior for the server metadata endpoint.

Author: Tim Kendrick

internal/api/saml.go

@@ -13,7 +13,7 @@ import (
 
 // getSAMLServiceProvider generates a new service provider object with the
 // (optionally) provided descriptor (metadata) for the identity provider.
-func (a *API) getSAMLServiceProvider(identityProvider *saml.EntityDescriptor, idpInitiated bool) *saml.ServiceProvider {
+func (a *API) getSAMLServiceProvider(identityProvider *saml.EntityDescriptor, entityID string, idpInitiated bool) *saml.ServiceProvider {
 	var externalURL *url.URL
 
 	if a.config.SAML.ExternalURL != "" {
@@ -47,6 +47,7 @@ func (a *API) getSAMLServiceProvider(identityProvider *saml.EntityDescriptor, id
 		SignRequest:       true,
 		AllowIDPInitiated: idpInitiated,
 		IDPMetadata:       identityProvider,
+		EntityID:          entityID,
 	})
 
 	provider.AuthnNameIDFormat = saml.PersistentNameIDFormat
@@ -56,7 +57,7 @@ func (a *API) getSAMLServiceProvider(identityProvider *saml.EntityDescriptor, id
 
 // SAMLMetadata serves GoTrue's SAML Service Provider metadata file.
 func (a *API) SAMLMetadata(w http.ResponseWriter, r *http.Request) error {
-	serviceProvider := a.getSAMLServiceProvider(nil, true)
+	serviceProvider := a.getSAMLServiceProvider(nil, "", true)
 
 	metadata := serviceProvider.Metadata()
 

internal/api/samlacs.go

@@ -199,7 +199,7 @@ func (a *API) handleSamlAcs(w http.ResponseWriter, r *http.Request) error {
 		}
 	}
 
-	serviceProvider := a.getSAMLServiceProvider(idpMetadata, initiatedBy == "idp")
+	serviceProvider := a.getSAMLServiceProvider(idpMetadata, ssoProvider.SAMLProvider.EntityID, initiatedBy == "idp")
 	spAssertion, err := serviceProvider.ParseResponse(r, requestIds)
 	if err != nil {
 		if ire, ok := err.(*saml.InvalidResponseError); ok {

internal/api/sso.go

@@ -98,7 +98,7 @@ func (a *API) SingleSignOn(w http.ResponseWriter, r *http.Request) error {
 		return apierrors.NewInternalServerError("Error parsing SAML Metadata for SAML provider").WithInternalError(err)
 	}
 
-	serviceProvider := a.getSAMLServiceProvider(entityDescriptor, false /* <- idpInitiated */)
+	serviceProvider := a.getSAMLServiceProvider(entityDescriptor, ssoProvider.SAMLProvider.EntityID, false /* <- idpInitiated */)
 
 	authnRequest, err := serviceProvider.MakeAuthenticationRequest(
 		serviceProvider.GetSSOBindingLocation(saml.HTTPRedirectBinding),