When using a provider like Okta and trying a connection initiated by the the IDP there is a Forbidden HTTP error and this error in server logs:

ERROR: `InResponseTo` does not match any of the possible request IDs (expected [])

I will do a pull request to support IDP initiated flow.

Google in their infinite wisdom has decided they will not provide public metadata URLs for their customers, and so I find myself wanting to configure this project with a static metadata.xml file that I've downloaded.

Would you accept a pull request to add this feature? I'm thinking of a configuration option named idp_metadata_path which would be the path to a metadata file. It would be a mutually exclusive option with idp_metadata_url. If the file is specified and exists and a URL is not specified, then we would read the file and use it instead of the URL. It would be pretty simple as crewjam/saml/samlsp already understands how to handle both URLs and files on disk.

Either way, thanks for putting this project together!

Hello,

My scenario is the following:

• I have a K8s cluster with a nginx ingress controller, which exposes some services (throught ingress definition) and I want to secure them using saml-proxy.
• the saml-proxy is desployed inside the cluster and exposed to public (accessible) through ingress definitions too (through https://my_domain/saml). Hitting this endpoint will take it though ingress-> k8s service->saml-proxy pod
• the config.yaml looks similar like this

    hosts:
      - service_root_url: https://my_domain/saml
        allow_idp_initiated: true
        idp_metadata_url: https://samltest.id/saml/idp
        targets:
          - http://k8s_svc_that_needs_protection.namespace.svc.cluster.local/mypage

• my services that I need to protect are being protected and exposed with (snippet from below), basically saying that the authentication endpoint is the saml-proxy service:

kind: Ingress
metadata:
  annotations:
    ingress.kubernetes.io/app-root: /mypage
    ingress.kubernetes.io/auth-url: http://saml-proxy-deployment.namespace.svc.cluster.local/auth

The problem I have is that the calls are ending-up in the proxy-saml pod with the host saml-proxy-deployment.namespace.svc.cluster.local and they are not being picked as comming from my_domain and thus are not serviced (are returned with 404-not found)

Can you please help/support and have any examples with the deployment in a k8s service with nginx?