Issue
- From a security standpoint, it's a best practice to sign the Response. However, we can switch off this requirement in our other apps.
- I can understand that Liferay by default requires the complete signature of the response, but could this be turned off somehow?
Environment
- DXP 7.3+
Resolution
- The SAML standard makes signature verification a MUST for the SAML bindings that pass messages through the browser. Liferay uses the HTTP POST binding for SSO, which is one of those bindings, so the requirement applies.
- Turning the check off therefore means trusting every user on the private network and the security of every workstation on it, because an unsigned Response can be captured, altered and replayed by anyone in a position to see the browser traffic.
- If this risk is acceptable, the SAML code can be changed as shown below.
We cannot recommend or support this change, for security reasons.
In WebSsoProfileImpl, in the method doProcessResponse, change the final boolean argument of the decodeSamlMessage call (the signature verification flag)
from
    MessageContext messageContext = decodeSamlMessage(
        httpServletRequest, httpServletResponse,
        getSamlBinding(SAMLConstants.SAML2_POST_BINDING_URI), true);
to
    MessageContext messageContext = decodeSamlMessage(
        httpServletRequest, httpServletResponse,
        getSamlBinding(SAMLConstants.SAML2_POST_BINDING_URI), false);
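As an added illustration of what that flag protects (example code written for this article, not Liferay's or OpenSAML's implementation), the following standalone Java program uses the JDK's javax.xml.crypto (XML-DSig) API to sign a constructed minimal SAML Response with a freshly generated RSA key, verify it against the IdP's known public key, and then rewrite the NameID the way someone who captured the message on the network could before replaying it. The decode method and its verifySignature parameter are hypothetical stand-ins for the final argument of decodeSamlMessage; the sample Response, the key pair and the names in it are all constructed here.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class SamlResponseSignatureDemo {

    private static final String SAML2_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Constructed, minimal SAML Response for the demo (not a real Liferay or IdP message).
    private static final String RESPONSE_XML =
        "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\""
        + " xmlns:saml=\"" + SAML2_ASSERTION_NS + "\""
        + " ID=\"_r1\" Version=\"2.0\" IssueInstant=\"2024-01-01T00:00:00Z\">"
        + "<saml:Issuer>https://idp.example.test</saml:Issuer>"
        + "<saml:Assertion ID=\"_a1\" Version=\"2.0\" IssueInstant=\"2024-01-01T00:00:00Z\">"
        + "<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>"
        + "</saml:Assertion>"
        + "</samlp:Response>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Refuse DTDs so a hostile Response cannot trigger XXE while being decoded.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // IdP side: enveloped XML-DSig over the whole Response (Reference URI "").
    static void signResponse(Document doc, KeyPair idpKey) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("",
            fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(
                fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE,
                (C14NMethodParameterSpec) null),
            fac.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
            Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(
            Collections.singletonList(kif.newKeyValue(idpKey.getPublic())));
        fac.newXMLSignature(si, ki)
            .sign(new DOMSignContext(idpKey.getPrivate(), doc.getDocumentElement()));
    }

    // SP side: the check the "true" flag turns on. The IdP key comes from the SP's
    // configured metadata, never from the KeyInfo carried inside the message itself.
    static boolean signatureValid(Document doc, PublicKey trustedIdpKey) throws Exception {
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() == 0) {
            return false; // unsigned Response: reject outright
        }
        DOMValidateContext ctx = new DOMValidateContext(trustedIdpKey, sigs.item(0));
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        return sig.validate(ctx); // false on any digest or signature mismatch
    }

    // Hypothetical stand-in for decodeSamlMessage(..., boolean): returns the NameID
    // the SP would log in, or null when the message is rejected.
    static String decode(Document doc, PublicKey trustedIdpKey, boolean verifySignature)
            throws Exception {
        if (verifySignature && !signatureValid(doc, trustedIdpKey)) {
            return null;
        }
        return doc.getElementsByTagNameNS(SAML2_ASSERTION_NS, "NameID").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair idpKey = kpg.generateKeyPair(); // constructed IdP signing key

        Document response = parse(RESPONSE_XML);
        signResponse(response, idpKey);
        System.out.println("genuine,  verify=true : " + decode(response, idpKey.getPublic(), true));

        // A user who captured the Response rewrites the subject before replaying it.
        response.getElementsByTagNameNS(SAML2_ASSERTION_NS, "NameID").item(0)
            .setTextContent("admin");
        System.out.println("tampered, verify=true : " + decode(response, idpKey.getPublic(), true));
        System.out.println("tampered, verify=false: " + decode(response, idpKey.getPublic(), false));
    }
}
```

With verification on, the genuine Response yields alice and the tampered one is rejected because the digest over the canonicalized Response no longer matches; with verification off, the same tampered Response logs in admin, which is the exposure the article's risk statement describes. Two points carry over to any real SP: validate against the key you already trust (the public key passed to DOMValidateContext), not a key the message supplies, and act only on the element the signature actually covers.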