Issue
- After enabling SAML, when a user tries to log in, authentication fails with the following message:
ERROR [http-nio-8080-exec-36][BaseSamlStrutsAction:59] org.opensaml.messaging.handler.MessageHandlerException: Message context was not authenticated
Caused by: org.opensaml.messaging.handler.MessageHandlerException: Message context was not authenticated
at org.opensaml.messaging.handler.impl.CheckMandatoryAuthentication.doInvoke(CheckMandatoryAuthentication.java:70)
at org.opensaml.messaging.handler.AbstractMessageHandler.invoke(AbstractMessageHandler.java:95)
at org.opensaml.messaging.handler.impl.BasicMessageHandlerChain.doInvoke(BasicMessageHandlerChain.java:87)
at org.opensaml.messaging.handler.AbstractMessageHandler.invoke(AbstractMessageHandler.java:95)
at com.liferay.saml.opensaml.integration.internal.servlet.profile.BaseProfile.decodeSamlMessage(BaseProfile.java:202)
at com.liferay.saml.opensaml.integration.internal.servlet.profile.WebSsoProfileImpl.doProcessResponse(WebSsoProfileImpl.java:618)
at com.liferay.saml.opensaml.integration.internal.servlet.profile.WebSsoProfileImpl.processResponse(WebSsoProfileImpl.java:198)
Environment
- Liferay DXP 7.2 as Service Provider
- Azure AD as IDP
Resolution
- Liferay allows authentication only when the response from the IdP is signed, because an unsigned response from the IdP could lead to security issues.
- For example, a man-in-the-middle (MitM) could easily tamper with the response from the IdP and send it on to the SP (Liferay).
- I.e. if the response is not signed, the SP cannot tell whether the response comes from the configured IdP or from somewhere else, so the IdP must be configured to sign the responses (even if the individual assertions already are).
- In Azure AD, the signing options and signing algorithm settings let you choose a signed response; this way the response from the IdP is signed. See step 5 in https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/certificate-signing-options#change-certificate-signing-options-and-signing-algorithm
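To see why a signature on the assertion alone does not satisfy the SP, here is an added Python check (not Liferay's or OpenSAML's code) that reports where a captured SAML Response carries signatures and whether the Response-level signature references the Response's own ID; the sample messages, IDs and the idp.example.test issuer are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def signature_placement(xml_bytes: bytes) -> dict:
    """Structural pre-check of a captured SAML Response: signature directly on
    <samlp:Response>, its Reference pointing at the Response's own ID, and
    per-Assertion signatures. Cryptographic verification remains the SP's job."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("root element is not samlp:Response")
    # find() without ".//" matches direct children only: a ds:Signature here
    # covers the whole Response, one nested in an Assertion covers only that.
    resp_sig = root.find("ds:Signature", NS)
    ref_ok = False
    if resp_sig is not None:
        ref = resp_sig.find("ds:SignedInfo/ds:Reference", NS)
        ref_ok = ref is not None and ref.get("URI") == "#" + root.get("ID", "")
    assertions = [a.find("ds:Signature", NS) is not None
                  for a in root.findall("saml:Assertion", NS)]
    return {
        "response_signed": resp_sig is not None,
        "response_ref_matches_id": ref_ok,
        "assertions_signed": assertions,
        # what an SP that insists on a signed Response (Liferay) will accept
        "accepted": resp_sig is not None and ref_ok,
    }

def constructed_response(sign_response: bool, sign_assertion: bool,
                         response_ref: str = "_resp1") -> bytes:
    """Minimal constructed Response (placeholder IDs, dummy SignatureValue).
    response_ref lets a test aim the Response signature at a different ID."""
    def sig(ref_id):
        return ('<ds:Signature xmlns:ds="%s"><ds:SignedInfo>'
                '<ds:Reference URI="#%s"/></ds:SignedInfo>'
                '<ds:SignatureValue>dummy</ds:SignatureValue></ds:Signature>'
                % (NS["ds"], ref_id))
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_resp1">'
        % (NS["samlp"], NS["saml"])
        + "<saml:Issuer>https://idp.example.test</saml:Issuer>"
        + (sig(response_ref) if sign_response else "")
        + '<saml:Assertion ID="_asrt1">'
        + "<saml:Issuer>https://idp.example.test</saml:Issuer>"
        + (sig("_asrt1") if sign_assertion else "")
        + "</saml:Assertion></samlp:Response>"
    ).encode()
```

Running `signature_placement(constructed_response(False, True))` reproduces the failing case from this article (assertion signed, Response not), while `constructed_response(True, True)` is what the Azure AD signing option produces.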