Fix SAML2 endpoints registration when base_url includes a path

example/plugins/backends/saml2_backend.yaml.example

@@ -63,9 +63,11 @@ config:
         allow_unsolicited: true
         endpoints:
           assertion_consumer_service:
-          - [<base_url>/<name>/acs/post, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
+          - [<name>/acs/post, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
           discovery_response:
-          - [<base_url>/<name>/disco, 'urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol']
+          - [<name>/disco, 'urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol']
+	  metadata_exposal: <name>/proxy_saml2_backend.xml
+	  metadata_reload: <name>/reload-metadata
 
         # name_id_format: a list of strings to set the <NameIDFormat> element in SP metadata
         # name_id_policy_format: a string to set the Format attribute in the NameIDPolicy element

src/satosa/backends/saml2.py

@@ -209,7 +209,7 @@ def disco_query(self, context):
         :return: Response
         """
         endpoints = self.sp.config.getattr("endpoints", "sp")
-        return_url = endpoints["discovery_response"][0][0]
+        return_url = "{}/{}".format(self.base_url, endpoints["discovery_response"][0][0])
 
         disco_url = (
             context.get_decoration(SAMLBackend.KEY_SAML_DISCOVERY_SERVICE_URL)
@@ -303,10 +303,11 @@ def authn_request(self, context, entity_id):
 
         try:
             acs_endp, response_binding = self._get_acs(context)
+            acs_endp_url = "{}/{}".format(self.base_url, acs_endp)
             relay_state = util.rndstr()
             req_id, binding, http_info = self.sp.prepare_for_negotiated_authenticate(
                 entityid=entity_id,
-                assertion_consumer_service_url=acs_endp,
+                assertion_consumer_service_url=acs_endp_url,
                 response_binding=response_binding,
                 relay_state=relay_state,
                 **kwargs,
@@ -588,8 +589,7 @@ def register_endpoints(self):
         url_map = []
         sp_endpoints = self.sp.config.getattr("endpoints", "sp")
         for endp, binding in sp_endpoints["assertion_consumer_service"]:
-            parsed_endp = urlparse(endp)
-            url_map.append(("^%s$" % parsed_endp.path[1:], functools.partial(self.authn_response, binding=binding)))
+            url_map.append(("^%s$" % endp, functools.partial(self.authn_response, binding=binding)))
             if binding == BINDING_HTTP_REDIRECT:
                 msg = " ".join(
                     [
@@ -607,20 +607,18 @@ def register_endpoints(self):
 
         if self.discosrv:
             for endp, binding in sp_endpoints["discovery_response"]:
-                parsed_endp = urlparse(endp)
                 url_map.append(
-                    ("^%s$" % parsed_endp.path[1:], self.disco_response))
+                    ("^%s$" % endp, self.disco_response))
 
         if self.expose_entityid_endpoint():
-            logger.debug("Exposing backend entity endpoint = {}".format(self.sp.config.entityid))
-            parsed_entity_id = urlparse(self.sp.config.entityid)
-            url_map.append(("^{0}".format(parsed_entity_id.path[1:]),
-                            self._metadata_endpoint))
+            url_map.append(
+                ("^%s$" % sp_endpoints["metadata_exposal"], self._metadata_endpoint))
 
         if self.enable_metadata_reload():
             url_map.append(
-                ("^%s/%s$" % (self.name, "reload-metadata"), self._reload_metadata))
+                ("^%s$" % sp_endpoints["metadata_reload"], self._reload_metadata))
 
+        logger.debug(f"Loaded SAML2 endpoints: {url_map}")
         return url_map
 
     def _reload_metadata(self, context):