User Cannot Log In to Sync Client When SAML SSO and OAuth Are Enabled

This article documents a known issue where users cannot log in to the Sync Client if both SAML and OAuth are enabled. Authentication fails and the Sync Client shows a blank screen. The following warning message is printed repeatedly in the server console:

Relay state exceeds 80 bytes, some application may not support this.

The issue occurs under the following conditions:

  1. Start up two Liferay DXP platforms
  2. Deploy the Liferay SAML 2.0, the OAuth Provider and the Sync Client apps to both Liferay Digital Enterprise 7.0 platforms
  3. Follow the SAML Configuration Steps to configure the first Liferay DXP 7.0 platform as an Identity Provider (IdP) and the second platform as the Service Provider (SP)
  4. Verify that SSO/SLO using the SAML protocol works
  5. On the SP instance, navigate to Control Panel → Configuration → Sync Connector Admin
  6. Enable OAuth
  7. Connect Liferay Sync to the SP

Resolution

Status: Workaround Available 

A workaround is currently available for this issue. Add the following filter mapping to {Liferay_Home}/tomcat/webapps/ROOT/WEB-INF/liferay-web.xml.

<filter-mapping>
        <filter-name>Auto Login Filter</filter-name>
        <url-pattern>/c/portal/oauth/authorize/*</url-pattern>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>REQUEST</dispatcher>
</filter-mapping>

With the mapping in place, the user can sign in to the Sync Client successfully and only one warning message appears in the server console.
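
To confirm that the mapping is present in liferay-web.xml, for example after the file has been edited or replaced, it can be checked programmatically. The following Python script is an added example, not part of the original article or of Liferay's code; the function names and the sample XML are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Values taken from the workaround in this article.
FILTER_NAME = "Auto Login Filter"
URL_PATTERN = "/c/portal/oauth/authorize/*"
REQUIRED = {"FORWARD", "REQUEST"}

# Constructed sample inputs (not real server files).
_WRAP = '<web-app xmlns="http://java.sun.com/xml/ns/javaee">%s</web-app>'
_MAP = ("<filter-mapping><filter-name>Auto Login Filter</filter-name>"
        "<url-pattern>/c/portal/oauth/authorize/*</url-pattern>%s</filter-mapping>")
SAMPLE_PATCHED = _WRAP % (_MAP % "<dispatcher>FORWARD</dispatcher><dispatcher>REQUEST</dispatcher>")
SAMPLE_REQUEST_ONLY = _WRAP % (_MAP % "<dispatcher>REQUEST</dispatcher>")

def local(tag):
    """Drop the XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def workaround_status(xml_text):
    """Return (ok, detail) for the OAuth authorize filter mapping."""
    found, seen = False, set()
    for node in ET.fromstring(xml_text).iter():
        if local(node.tag) != "filter-mapping":
            continue
        fields = {}
        for child in node:
            fields.setdefault(local(child.tag), []).append((child.text or "").strip())
        if FILTER_NAME not in fields.get("filter-name", []):
            continue
        if URL_PATTERN not in fields.get("url-pattern", []):
            continue
        found = True
        # Servlet spec: a mapping with no <dispatcher> applies to REQUEST only.
        seen |= set(fields.get("dispatcher") or ["REQUEST"])
    if not found:
        return False, "mapping missing"
    missing = REQUIRED - seen
    if missing:
        return False, "missing dispatcher: " + ", ".join(sorted(missing))
    return True, "mapping present"

if __name__ == "__main__":
    # Pass the path to liferay-web.xml; with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PATCHED
    ok, detail = workaround_status(data)
    print(detail)
    sys.exit(0 if ok else 1)
```

The script exits non-zero when the mapping is absent or lacks one of the two dispatchers, so it can be used as a post-deployment check.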

Additional Information

LPS-76246 is raised to provide a permanent fix.

If using the latest version of the Liferay SAML 2.0 app, Fix Pack DE-32 or higher is required. See this article: Important Changes and Support Information for Liferay Connector to SAML 2.0 Version 3.1.0 and Later.
