1. Liferay Help Center
  2. 知识库
  3. Solution

Liferay accepts only fully signed SAML responses. Can this requirement be turned off?

Avatar

Peter Nyiro

  • 更新

Issue

  • From a security standpoint, it's a best practice to sign the Response. However, we can switch off this requirement in our other apps.
  • I can understand that Liferay by default requires the complete signature of the response, but could this be turned off somehow?

Environment

  • DXP 7.3+

Resolution

  • The SAML standard states signature verification to be a MUST for SAML bindings that involve the browser. Liferay uses the HTTP Post binding for SSO, which falls into this category.
  • So it comes down to trusting all the users on the private network and the security of their workstation, to prevent malicious capture and reply of SAML messages.
  • If this risk is acceptable, the SAML code can be changed.
    We can't recommend or support this method due to security reasons.

    In WebSsoProfileImpl, change in method "doProcessResponse" 
    from
     
    MessageContext messageContext = decodeSamlMessage( 
    httpServletRequest, httpServletResponse, 
    getSamlBinding(SAMLConstants.SAML2_POST_BINDING_URI), true);
    to
     
    MessageContext messageContext = decodeSamlMessage( 
    httpServletRequest, httpServletResponse, 
    getSamlBinding(SAMLConstants.SAML2_POST_BINDING_URI), false);
这篇文章有帮助吗?
0 人中有 0 人觉得有帮助