Description
Describe the bug
When creating a new SAML Provider via “SAML Provider from Metadata”, authentik sometimes selects an endpoint binding that authentik does not support.
This happens when the metadata contains multiple endpoints and the first entry uses an unsupported binding; the current selection logic ends up applying that first entry anyway, resulting in an invalid configuration (see screenshot).
This behavior appears to be “by design” in the current implementation (it is even mentioned in comments), but it leads to a poor default and a broken provider setup out-of-the-box.
I am preparing a PR to change the selection logic so that authentik skips unsupported bindings and chooses a supported default (e.g., HTTP-POST / HTTP-Redirect) instead. This issue is to track that change and link the PR.
How to reproduce
- Go to Admin console.
- Click Applications / Providers
- Click "Create" button
- Choose SAML Provider from Metadata, then click Next
- Enter an arbitrary Name, select flows, and upload the attached metadata.
- Click Finish.
- The Provider looks successfully configured, but the URL of an unsupported binding, such as SOAP, appears.
Expected behavior
- When importing metadata, authentik should prefer supported bindings and never auto-select an unsupported binding as the provider’s default.
Actual behavior
- The provider is configured with the first binding from metadata even if it is unsupported, causing misconfiguration.
Screenshots
Additional context
No response
Deployment Method
Docker
Version
2026.5.0-rc1
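
The selection rule proposed in this issue, sketched as an added example (not authentik's code and not the linked PR): `first_endpoint` reproduces the "take the first entry" behaviour, `select_endpoint` skips unsupported bindings and returns `None` when nothing usable exists so the import can be rejected instead of misconfigured. The function names, the constructed sample metadata, honouring `isDefault`, and preferring HTTP-POST over HTTP-Redirect are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
# Assumed preference order; the issue names HTTP-POST / HTTP-Redirect as supported.
SUPPORTED = (POST, REDIRECT)

# Constructed sample metadata: the first entry of each endpoint type is unsupported.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sp.example.test">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://sp.example.test/slo/soap"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sp.example.test/slo/redirect"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://sp.example.test/acs/artifact" index="0"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.test/acs/post" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def first_endpoint(metadata_xml, tag):
    """Behaviour described in the issue: take the first entry, whatever its binding."""
    # Metadata is untrusted input; production code would use a hardened parser
    # such as defusedxml instead of the stdlib parser used here.
    el = ET.fromstring(metadata_xml).find(f".//md:SPSSODescriptor/md:{tag}", NS)
    return (el.get("Binding"), el.get("Location")) if el is not None else None


def select_endpoint(metadata_xml, tag):
    """Return (binding, location) of the best supported endpoint, or None."""
    root = ET.fromstring(metadata_xml)
    candidates = []
    for pos, el in enumerate(root.iterfind(f".//md:SPSSODescriptor/md:{tag}", NS)):
        binding, location = el.get("Binding"), el.get("Location")
        if binding not in SUPPORTED or not location:
            continue  # skip SOAP, HTTP-Artifact, and entries without a URL
        is_default = el.get("isDefault", "false").lower() in ("true", "1")
        # Sort key: isDefault first, then binding preference, then document order.
        candidates.append((not is_default, SUPPORTED.index(binding), pos, binding, location))
    if not candidates:
        return None  # nothing usable: the caller should reject the import
    return min(candidates)[3:]


if __name__ == "__main__":
    for tag in ("SingleLogoutService", "AssertionConsumerService"):
        print(tag, first_endpoint(SAMPLE, tag), "->", select_endpoint(SAMPLE, tag))
```
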