SAML Authentication Issue: Message context was not authenticated when Azure AD as IDP

Issue

  • After enabling SAML, when a user tries to log in, authentication fails with the following message:
    ERROR [http-nio-8080-exec-36][BaseSamlStrutsAction:59] org.opensaml.messaging.handler.MessageHandlerException: Message context was not authenticated
    Caused by: org.opensaml.messaging.handler.MessageHandlerException: Message context was not authenticated
    at org.opensaml.messaging.handler.impl.CheckMandatoryAuthentication.doInvoke(CheckMandatoryAuthentication.java:70)
    at org.opensaml.messaging.handler.AbstractMessageHandler.invoke(AbstractMessageHandler.java:95)
    at org.opensaml.messaging.handler.impl.BasicMessageHandlerChain.doInvoke(BasicMessageHandlerChain.java:87)
    at org.opensaml.messaging.handler.AbstractMessageHandler.invoke(AbstractMessageHandler.java:95)
    at com.liferay.saml.opensaml.integration.internal.servlet.profile.BaseProfile.decodeSamlMessage(BaseProfile.java:202)
    at com.liferay.saml.opensaml.integration.internal.servlet.profile.WebSsoProfileImpl.doProcessResponse(WebSsoProfileImpl.java:618)
    at com.liferay.saml.opensaml.integration.internal.servlet.profile.WebSsoProfileImpl.processResponse(WebSsoProfileImpl.java:198)

Environment

  • Liferay DXP 7.2 as Service Provider
  • Azure AD as IDP

Resolution

  • Liferay allows authentication only when the response from the IdP is signed, because an unsigned response from the IdP could lead to security issues.
    • For example, a man-in-the-middle could easily tamper with the response from the IdP and send it to the SP (Liferay).
  • In other words, if the response is not signed, the SP cannot verify whether the response came from the configured IdP or from somewhere else, so the IdP must be configured to sign the responses (even if the individual assertions are already signed).
  • In Azure AD, the signing option and signing algorithm settings determine what gets signed; choose the option that signs the SAML response so that the response from the IdP is signed.
  • https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/certificate-signing-options#change-certificate-signing-options-and-signing-algorithm (Step 5)
    [screenshot: saml-signing-page.png]
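As an added diagnostic (not Liferay's or OpenSAML's code), the following Python inspects where a SAML Response carries its ds:Signature, which is what separates an assertion-only-signed response that trips the check above from one whose Response element is signed. It checks placement only, not signature validity, and the two sample responses are constructed placeholders with the Azure AD option names assumed from its signing settings.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def signature_placement(response_xml: str) -> dict:
    """Report where ds:Signature elements sit in a samlp:Response.

    Only placement is inspected, not cryptographic validity: the SP
    (Liferay via OpenSAML) additionally verifies each signature against
    the IdP certificate from its metadata.
    """
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("root element is not samlp:Response")
    # A ds:Signature that is a direct child of samlp:Response signs the
    # whole message; one inside saml:Assertion signs only that assertion.
    assertions = root.findall("saml:Assertion", NS)
    return {
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertions": len(assertions),
        "assertions_signed": sum(
            a.find("ds:Signature", NS) is not None for a in assertions
        ),
    }

def message_context_authenticated(response_xml: str) -> bool:
    """True only when the Response element itself is signed, which is what
    the 'Message context was not authenticated' check requires."""
    return signature_placement(response_xml)["response_signed"]

# Constructed samples with placeholder signature values (not real IdP output).
_SIG = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
        '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>')
_OPEN = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
         'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">')
_ASSERTION = '<saml:Assertion ID="_a1" Version="2.0">' + _SIG + '</saml:Assertion>'

# Azure AD "Sign SAML assertion": only the assertion carries a signature.
ASSERTION_ONLY_SIGNED = _OPEN + _ASSERTION + '</samlp:Response>'
# Azure AD "Sign SAML response and assertion": the Response is signed too.
RESPONSE_AND_ASSERTION_SIGNED = _OPEN + _SIG + _ASSERTION + '</samlp:Response>'
```

Run `signature_placement()` over a decoded SAMLResponse captured from the browser to see which of the two shapes Azure AD is sending before changing the signing option.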