url's in saml/metadata wrong? #30

Open
corneliusweiss opened this issue Apr 4, 2023 · 1 comment

corneliusweiss commented Apr 4, 2023

In the metadata (saml/metadata), services are defined:

    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:4902/saml/slo" ResponseLocation="http://localhost:4902/saml/slo"></SingleLogoutService>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:4902/saml/acs" index="1"></AssertionConsumerService>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://localhost:4902/saml/acs" index="2"></AssertionConsumerService>

but these URLs don't work

    curl -v http://localhost:4902/saml/acs
    *   Trying 127.0.0.1:4902...
    * Connected to localhost (127.0.0.1) port 4902 (#0)
    > GET /saml/acs HTTP/1.1
    > Host: localhost:4902
    > User-Agent: curl/7.86.0
    > Accept: */*
    >
    * Mark bundle as not supporting multiuse
    < HTTP/1.1 403 Forbidden
    < Content-Type: text/plain; charset=utf-8
    < X-Content-Type-Options: nosniff
    < Date: Tue, 04 Apr 2023 10:29:24 GMT
    < Content-Length: 10
    <
    Forbidden

whereas they are found in the saml2 location

    curl -v http://localhost:4902/saml2/acs
    *   Trying 127.0.0.1:4902...
    * Connected to localhost (127.0.0.1) port 4902 (#0)
    > GET /saml2/acs HTTP/1.1
    > Host: localhost:4902
    > User-Agent: curl/7.86.0
    > Accept: */*
    >
    * Mark bundle as not supporting multiuse
    < HTTP/1.1 302 Found
    < Location: http://web:4000/sso/saml2/redirect/signon?SAMLRequest=nJLBbtswDIZfxdDdkaw4TS3UBrIGwwJ0W9BkO%2BwmK3QjQKY8kV7Xtx%2FsdkN2yaFXif9HfSLvyPZhMJuRz%2FgIP0cgzn73AclMF7UYE5poyZNB2wMZduaw%2Bfxg9EIZSwSJfURxERmuZ4YUOboYRLbb1sKf8sotnbPqZtUWXbeuOmh1u4K1rpbKlbflrV3eFFCsSpF9h0Q%2BYi30QolsRzTCDoktci200stclbkqj4UyujJaLdaq%2BCGyLRB7tDwnz8yDkfIZWlMqpSRRlNOjtUxw8gkcS%2FJPOBlt%2FsrdR6Sxh3SA9Ms7%2BPb48I8TorPhHIlNWSk9k6R1JLL9m%2BUHjyePT9e%2FpH0tIvPpeNzn%2B6%2BHo2jmsZjZMWUfY%2BotX4dMJ%2F6Ud3OpAWTPL6KZKDkDcU7DnbxgNm9z%2F2J72G33MXj38o4%2BnCySB2SRbUKIz%2FcJLEMtOI0gZPPa8v%2Ftav4EAAD%2F%2Fw%3D%3D&RelayState=plJo6V43fk3fZ1MNWGXiIWgCiEaYsx08zhe5EwwqhTZbo94k32058f2U
    < Set-Cookie: saml_plJo6V43fk3fZ1MNWGXiIWgCiEaYsx08zhe5EwwqhTZbo94k32058f2U=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJodHRwOi8vbG9jYWxob3N0OjQ5MDIiLCJleHAiOjE2ODA2MDQyNTAsImlhdCI6MTY4MDYwNDE2MCwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo0OTAyIiwibmJmIjoxNjgwNjA0MTYwLCJzdWIiOiJwbEpvNlY0M2ZrM2ZaMU1OV0dYaUlXZ0NpRWFZc3gwOHpoZTVFd3dxaFRaYm85NGszMjA1OGYyVSIsImlkIjoiaWQtOWMzY2NhMDY1YjFmZjc5ZmViMmI1ZTcyOTMwYzQ4NDhhMzYxZTE1NCIsInVyaSI6Ii9zYW1sMi9hY3MiLCJzYW1sLWF1dGhuLXJlcXVlc3QiOnRydWV9.Y-cU1-VfUnU2fFo0qi5LPIxB86lXQRSY30wKJfynmDRdUjZvITZzXEVcMmP9uSCKcfqsPf9XMWLPzj0pt6ZAloWhcwl-qnzSl3hWhg2dryxVEOyjyxVrpx7Un7eThJKepjo805KJRgaTZJj5EqerRfQEhtHOr6ezoWmKxXwQoqcA0aI21b-kUnCliBJrQPfoJWIp9LhuZLavDcJbobjBobq6QFycFTbhzlCS1Tphjy99eD_kvSbWuKsOq7v-kcgkHDGrCrafS2CKjPjH2Fmb8eH3I_K1RC6cbcXjPs0BcoFvOECRpc7oPtTso9U-y2LzvGSvRl9oqtYmo1_2--M5Lw; Path=/saml/acs; Max-Age=90; HttpOnly
    < Date: Tue, 04 Apr 2023 10:29:20 GMT
    < Content-Length: 0

BeryJu (Owner) commented Apr 4, 2023

The URL in the metadata should be correct, but since it's the URL for the ACS it requires a SAML payload, and when calling it with the curl command above that is not the case.

The reason the other URL works is because all other URLs "require login", hence any other URL will redirect to the SAML Login process.
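
Added example (not part of the issue thread or of the project's code): a small checker that reads the `Binding` of each endpoint in SP metadata and reports which HTTP method and parameter a request must use to deliver a SAML message there, per the SAML 2.0 bindings. The `EntityDescriptor` wrapper, its `entityID`, and all function names are assumptions; the three endpoints are the ones quoted in the issue.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
BINDINGS = "urn:oasis:names:tc:SAML:2.0:bindings:"
# HTTP methods on which each SAML 2.0 binding delivers a message to an endpoint.
METHODS = {"HTTP-POST": ("POST",), "HTTP-Redirect": ("GET",),
           "HTTP-Artifact": ("GET", "POST")}

# Constructed sample: the three endpoints quoted in the issue, wrapped in a
# minimal EntityDescriptor (the wrapper and its entityID are assumptions).
SAMPLE_METADATA = """\
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://localhost:4902">
 <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:4902/saml/slo" ResponseLocation="http://localhost:4902/saml/slo"></SingleLogoutService>
  <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:4902/saml/acs" index="1"></AssertionConsumerService>
  <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://localhost:4902/saml/acs" index="2"></AssertionConsumerService>
 </SPSSODescriptor>
</EntityDescriptor>"""

def message_params(service, binding):
    """Names of the parameters that may carry the SAML message."""
    if binding == "HTTP-Artifact":
        return ("SAMLart",)
    if service == "AssertionConsumerService":
        return ("SAMLResponse",)  # an ACS only consumes responses
    return ("SAMLRequest", "SAMLResponse")

def endpoint_requirements(metadata_xml):
    """List what each endpoint in the metadata expects of an incoming request."""
    found = []
    for el in ET.fromstring(metadata_xml).iter():
        binding = el.get("Binding", "")
        if not (el.tag.startswith(MD) and binding.startswith(BINDINGS)):
            continue
        service, short = el.tag[len(MD):], binding[len(BINDINGS):]
        found.append({"service": service, "binding": short,
                      "location": el.get("Location"),
                      "methods": METHODS.get(short, ()),
                      "params": message_params(service, short)})
    return found

def carries_saml_message(endpoint, method, param_names=()):
    """True if a request of this shape could deliver a message to the endpoint."""
    return method in endpoint["methods"] and any(
        p in endpoint["params"] for p in param_names)

if __name__ == "__main__":
    for ep in endpoint_requirements(SAMPLE_METADATA):
        print(ep["location"], ep["binding"], ep["methods"], ep["params"])
```

For every endpoint in the sample, `carries_saml_message(ep, "GET")` is false, which matches the bare `curl` GET in the issue carrying no SAML payload.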
