Please forgive my ignorance - I am fairly new to SAML - I have read that entity IDs are to be globally unique. In the Spring SAML documentation, it is suggested that should be added to Spring configuration in order to enable automatic metadata generation. This generator seems to run with the very first request to hit Spring Security, before an application has had a chance to initiate any kind of session that would provide information to uniquely identify a user. With this being the case, how can a globally unique entity ID be generated? It seems as if two users interacting with my application would be given the same entity when they go to view my application's metadata.
It stands to reason that one of my assumptions here is wrong, but I'm not sure which. How can globally unique entity IDs be generated?
The entity ID doesn't uniquely identify users, but your application. Therefore you don't need to identify any user in order to define it. Typically, the entity ID corresponds to the deployment URL of your application.
Entity IDs also don't have to be unique globally, but they must be unique among all service providers and identity providers in a single federation (aka circle of trust).
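
An added example, not part of the answer above and not Spring SAML code: a check that a federation metadata aggregate contains no two entities sharing an `entityID`, which is the uniqueness scope the answer describes. The hosts and the aggregate are constructed sample data, and comparing entity IDs as exact strings is an assumption of this example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ROLES = {"SPSSODescriptor": "SP", "IDPSSODescriptor": "IdP"}
PROTO = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample aggregate (hypothetical hosts). The last two entries are two
# different deployments that were registered with the same entityID by mistake.
FEDERATION_XML = f"""<md:EntitiesDescriptor xmlns:md="{MD_NS}">
  <md:EntityDescriptor entityID="https://idp.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="{PROTO}"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://app.example.com/saml/metadata">
    <md:SPSSODescriptor protocolSupportEnumeration="{PROTO}"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://app.example.com/saml/metadata">
    <md:SPSSODescriptor protocolSupportEnumeration="{PROTO}"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def entities(xml_text):
    """Yield (entityID, roles) for each EntityDescriptor, nested aggregates included.

    Only feed this metadata you trust or have signature-verified; use a hardened
    XML parser for untrusted input.
    """
    root = ET.fromstring(xml_text)
    for ed in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        local_names = (child.tag.split("}")[-1] for child in ed)
        roles = sorted(ROLES[name] for name in local_names if name in ROLES)
        yield ed.get("entityID"), roles


def find_collisions(xml_text):
    """Return {entityID: [roles, ...]} for IDs claimed by more than one entity."""
    seen = defaultdict(list)
    for entity_id, roles in entities(xml_text):
        seen[entity_id].append(roles)
    return {eid: claims for eid, claims in seen.items() if len(claims) > 1}


def can_register(xml_text, candidate_entity_id):
    """True if the candidate ID is unused by any SP or IdP in the federation."""
    return all(eid != candidate_entity_id for eid, _ in entities(xml_text))


if __name__ == "__main__":
    for eid, claims in find_collisions(FEDERATION_XML).items():
        print(f"duplicate entityID {eid}: claimed by {len(claims)} entities {claims}")
```

Every user who fetches the application's metadata sees the same `entityID`; the check only flags the case where two distinct entities in one circle of trust claim it.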