Issue
- From a security standpoint, it's a best practice to sign the Response. However, we can switch off this requirement in our other apps.
- I can understand that Liferay by default requires the complete signature of the response, but could this be turned off somehow?
Environment
- DXP 7.3+
Resolution
- The SAML standard makes signature verification a MUST for SAML bindings that pass through the browser. Liferay uses the HTTP-POST binding for SSO, which falls into this category.
- So it comes down to trusting every user on the private network and the security of their workstations, since the signature is what prevents malicious capture and replay of SAML messages.
If this risk is acceptable, the SAML code can be changed.
We can't recommend or support this method for security reasons.
In WebSsoProfileImpl, in the method "doProcessResponse", change
from
// signature required on the decoded message
MessageContext messageContext = decodeSamlMessage(
    httpServletRequest, httpServletResponse,
    getSamlBinding(SAMLConstants.SAML2_POST_BINDING_URI), true);
to
// signature no longer required on the decoded message
MessageContext messageContext = decodeSamlMessage(
    httpServletRequest, httpServletResponse,
    getSamlBinding(SAMLConstants.SAML2_POST_BINDING_URI), false);
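As an added illustration (not Liferay's code), the check below decodes an HTTP-POST binding SAMLResponse form value and reports whether the Response and its Assertion carry a ds:Signature element. It is the presence check that the flag above stops enforcing, not cryptographic verification against the IdP certificate, and the two sample responses are constructed.

```python
"""Added example, not Liferay code: report whether a SAML 2.0 HTTP-POST
binding SAMLResponse carries an XML Signature. Presence only, no crypto."""
import base64
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def signature_status(saml_response_b64: str) -> dict:
    """Decode the base64 form parameter and look for ds:Signature elements
    at message level (samlp:Response) and at assertion level."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    response_signed = root.find("ds:Signature", NS) is not None
    assertions = root.findall("saml:Assertion", NS)
    assertion_signed = any(a.find("ds:Signature", NS) is not None
                           for a in assertions)
    return {"response_signed": response_signed,
            "assertion_signed": assertion_signed}


def _b64(xml: str) -> str:
    return base64.b64encode(xml.encode()).decode()


# Constructed samples (not real IdP output): one with no signature at all,
# one with a message-level ds:Signature element on the Response.
UNSIGNED = _b64(
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
    '<saml:Assertion ID="_a1"/></samlp:Response>')
SIGNED = _b64(
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r2" Version="2.0">'
    '<ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue>'
    '</ds:Signature><saml:Assertion ID="_a2"/></samlp:Response>')

if __name__ == "__main__":
    for label, value in (("unsigned", UNSIGNED), ("signed", SIGNED)):
        print(label, signature_status(value))
```

With the flag set to true, a message whose status looks like the UNSIGNED sample is rejected at decode time; with it set to false, the same message reaches the rest of doProcessResponse.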