From a0e2f9b411b74c865d25eab56f3e29d8d45cb11a Mon Sep 17 00:00:00 2001
From: Carl Schwan <carlschwan@kde.org>
Date: Thu, 30 Apr 2026 14:57:23 +0200
Subject: [PATCH 1/2] fix: Make sure getMetadata is accessible

Signed-off-by: Carl Schwan <carlschwan@kde.org>
---
 lib/Controller/SAMLController.php | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/lib/Controller/SAMLController.php b/lib/Controller/SAMLController.php
index 66cd58e4f..b4cc693b6 100644
--- a/lib/Controller/SAMLController.php
+++ b/lib/Controller/SAMLController.php
@@ -288,7 +288,6 @@ public function login(int $idp = 1): Http\RedirectResponse|Http\TemplateResponse
 	 */
 	#[PublicPage]
 	#[NoCSRFRequired]
-	#[OnlyUnauthenticatedUsers]
 	public function getMetadata(int $idp = 1): Http\DataDownloadResponse {
 		$settings = new Settings($this->samlSettings->getOneLoginSettingsArray($idp));
 		$metadata = $settings->getSPMetadata();
@@ -305,8 +304,6 @@ public function getMetadata(int $idp = 1): Http\DataDownloadResponse {
 
 	/**
 	 * @NoSameSiteCookieRequired
-	 *
-	 * @return Http\RedirectResponse
 	 * @throws Error
 	 * @throws ValidationError
 	 */

From f63a71edeb292b89d700d1351ce8f1342d80a3db Mon Sep 17 00:00:00 2001
From: Carl Schwan <carlschwan@kde.org>
Date: Thu, 30 Apr 2026 15:21:10 +0200
Subject: [PATCH 2/2] fix: Stronger check that metadata response is valid

Signed-off-by: Carl Schwan <carlschwan@kde.org>
---
 src/components/ProviderSettingsDialog.vue | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/components/ProviderSettingsDialog.vue b/src/components/ProviderSettingsDialog.vue
index b4da3eb8e..72a268b4c 100644
--- a/src/components/ProviderSettingsDialog.vue
+++ b/src/components/ProviderSettingsDialog.vue
@@ -445,9 +445,11 @@ function onOpenChanged(open: boolean): void {
  */
 async function testMetaData(): Promise<void> {
 	try {
-		await axios.get(generateUrl(`/apps/user_saml/saml/metadata?idp=${props.provider.id}`))
-		metadataValid.value = true
-	} catch {
+		const { data, headers } = await axios.get(generateUrl(`/apps/user_saml/saml/metadata?idp=${props.provider.id}`))
+		const parser = new DOMParser()
+		const xml = parser.parseFromString(data, "application/xml")
+		metadataValid.value = headers["content-type"] === 'text/xml;charset=UTF-8' && xml.documentElement.localName === 'EntityDescriptor'
+	} catch (e) {
 		metadataValid.value = false
 	}
 }