Description
While upgrading from 2.2.7 to 2.4.1 I encountered the following error:
SimpleSAML\SAML2\Exception\ProtocolViolationException: "DOWJONES" is not a SAML2-compliant URI
I was able to trace this down to the upgrade in the saml2 library from 4.x to 5.x.
I did perform an upgrade to 2.3.7, and that worked fine with my existing SPs (saml2 is on 4.x there), so this is definitely a BC break from 2.3 to 2.4. This also wasn't mentioned in the Upgrade notes for version 2.4, so that should at least be updated.
Note: This is different from #1891 where it was dealing with the IdP EntityID, and was much easier to perform the upgrade from 1.x to 2.x.
If this is something we can revert easily for SP EntityIDs without interfering with other security validations, that'd be great.
I have multiple external SPs that I don't control, and that aren't in URI/URN format. These are largish companies with a track record of ignoring, or taking their time (months to years) to make code changes. While I realize these SPs are likely out of spec, they've been around for a long time in this condition.
Otherwise I'll plan on figuring out how to patch a workaround for this in the short term while I'm performing the upgrade.