diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/SpringSecurityConfig.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/SpringSecurityConfig.java
index c5933f880..2f6a82a82 100644
--- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/SpringSecurityConfig.java
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/SpringSecurityConfig.java
@@ -112,7 +112,8 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 .authorizeHttpRequests()
 .requestMatchers(new AntPathRequestMatcher("/unsecured/**/*"),
 new AntPathRequestMatcher("/entities*"),
- new AntPathRequestMatcher("/entities/**/*"),
+ new AntPathRequestMatcher("/entities/*"),
+ new AntPathRequestMatcher("/entities/**"),
 new AntPathRequestMatcher("/actuator/**"),
 new AntPathRequestMatcher("/api/beacon/send")).permitAll()
 .anyRequest().hasAnyRole(acceptedAuthenticationRoles)
@@ -158,7 +159,9 @@ public InMemoryUserDetailsManager userDetailsManager() {
 @Profile("!no-auth")
 public WebSecurityCustomizer webSecurityCustomizer() {
 return (web) -> web.ignoring().requestMatchers(new AntPathRequestMatcher("/unsecured/**/*"),
- new AntPathRequestMatcher("/entities/**/*"),
+ new AntPathRequestMatcher("/entities*"),
+ new AntPathRequestMatcher("/entities/*"),
+ new AntPathRequestMatcher("/entities/**"),
 new AntPathRequestMatcher("/favicon.ico"),
 new AntPathRequestMatcher("/assets/**/*.png"),
 new AntPathRequestMatcher("/static/**/*"),
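Review bot: In `filterChain`, the two added matchers overlap: `/entities/**` already covers every path that `/entities/*` matches, so the `/entities/*` line can be dropped (the same pair is added to `webSecurityCustomizer` in the next hunk). None of these `permitAll()` matchers is bound to an HTTP method, so every verb on any path under `/entities` is reachable without authentication; if the endpoints are meant to be read-only, I would write `new AntPathRequestMatcher("/entities/**", "GET")`. The unchanged `/entities*` line also matches any sibling path that merely begins with `/entities`, which is worth confirming as intended. The body of `filterChain` starts and ends outside this hunk.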
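Review bot: The three `/entities` patterns added to `web.ignoring()` in `webSecurityCustomizer` take those requests out of the Spring Security filter chain altogether, so they get no security response headers, no CSRF handling and no security context, for any HTTP method. The `filterChain` hunk already lists the same paths under `permitAll()`, which, if that chain is also the one active under the `!no-auth` profile, keeps them unauthenticated while leaving the filters in place. I would keep only static assets in `ignoring()` and remove the `/entities*`, `/entities/*` and `/entities/**` lines here. If they have to stay, add a comment such as `// /entities/** is intentionally outside the filter chain: <reason>` above them. The lambda continues past the end of this hunk.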