Issue
- After upgrading Liferay from Liferay DXP 7.0 to Liferay DXP 7.2, SAML is no longer working and users are no longer able to authenticate using SAML. It is possible that the following error will also appear in the logs in the Identity Provider as well as the Service Provider, respectively.
- In the Identity Provider:
2020-09-15 21:54:31.402 ERROR [http-nio-8080-exec-3][BaseSamlStrutsAction:59] com.liferay.saml.runtime.SamlException: com.liferay.saml.runtime.exception.CredentialException: Credential is required 2020-09-15 21:54:40.318 ERROR [liferay/scheduler_dispatch-5][BasicParserPool:50] XML Parsing Error org.xml.sax.SAXParseException; lineNumber: 37; columnNumber: 12; DOCTYPE is disallowed when the feature "http://apache.org/xml/features/disallow-doctype-decl" set to true. at org.apache.xerces.util.ErrorHandlerWrapper.createSAXParseException(Unknown Source) ... 2020-09-15 21:54:40.320 WARN [liferay/scheduler_dispatch-5][SamlMetadataMessageListener:192] Unable to refresh SP metadata for samlsp: Unable to parse SAML metadata from http://samlsp:9080/c/portal/saml/metadata
- In the Service Provider:
2020-09-15 21:54:32.833 ERROR [liferay/scheduler_dispatch-4][BasicParserPool:50] XML Parsing Error org.xml.sax.SAXParseException; lineNumber: 37; columnNumber: 12; DOCTYPE is disallowed when the feature "http://apache.org/xml/features/disallow-doctype-decl" set to true. at org.apache.xerces.util.ErrorHandlerWrapper.createSAXParseException(Unknown Source) ... 2020-09-15 21:54:32.836 WARN [liferay/scheduler_dispatch-4][SamlMetadataMessageListener:161] Unable to refresh IdP metadata for samlidp: Unable to parse metadata from http://samlidp:8080/c/portal/saml/metadata: Unable to parse inputstream, it contained invalid XML 15-Sep-2020 21:54:34.012 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [40,485] milliseconds 2020-09-15 21:54:34.365 ERROR [http-nio-9080-exec-1][BaseSamlStrutsAction:59] com.liferay.saml.runtime.SamlException: net.shibboleth.utilities.java.support.logic.ConstraintViolationException: Credential cannot be null
Environment
- Liferay DXP 7.0+
Resolution
- When upgrading Liferay from one version to another, it is expected that the user will need to either move the SAML certificate that was generated in the old version to the new version, or refresh the SAML certificate in the new version. Otherwise, SAML will not work after going through the upgrade process. This is because when referencing those kinds of files, Liferay uses a path to the file that is relative to the Liferay installation, so it is looking for the file in the new bundle, not the old one.
- After either moving the SAML certificate from the old version of Liferay to the new one, or refreshing the SAML certificate in the new version, SAML should begin working again and the user will be able to authenticate.
- If you want to know where you keystore is located, check
LIFERAY_HOME/data/keystore.jksfor FileSystem Keystore Manager or your Document Library directory for Document Library Keystore Manager (see Configure SAML).
Additional Information
Subscriber Exclusive Content
A Liferay Enterprise Subscription provides access to over 1,500 articles that include best practices, troubleshooting, and other valuable solutions. Sign in for full access.
Sign In