Affects Version/s: 7.1.X, 7.2.X, Master
Component/s: Application Security > SAML
Steps to reproduce:
- Configure two Liferay 7.2 GA1 instances with the Liferay Connector to SAML 2.0 plugin (version 5.0.0), one as an Identity Provider (IdP) and the other as a Service Provider (SP).
Checkpoint: you are able to log in from the SP with a user that exists only in the IdP; the user is imported successfully and the login succeeds in both instances.
- Create an Encryption Certificate and Private Key in the Service Provider's General tab.
- Update the SP entry registered in the Identity Provider instance (Service Provider Connections tab) to enable the 'Force Encryption' option.
- Create a new user on the IdP instance.
- Try to log in with the new user (which exists only in the IdP) on the SP instance.
Expected result: you are able to log in from the SP with a user that exists only in the IdP; the user is imported successfully and the login succeeds in both instances (SP, IdP).
Side note: if you log in from the SP with a user that was already imported in the past, the login succeeds in both instances; this fails only for new users that exist only on the IdP instance.
Actual result: the user is not imported and the sign-in succeeds only in the Identity Provider.
The following ERROR is thrown in the log:
2019-08-05 11:47:37.703 ERROR [http-nio-8080-exec-1][BaseSamlStrutsAction:59] Screen name must not be null for user 35544
The issue is caused by the DefaultUserResolver not reading encrypted assertions.
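As an added illustration of the cause stated above (example code, not from Liferay or its SAML connector): a resolver that reads the screen name only from a plain Assertion returns nothing once the IdP forces encryption, while one that also handles EncryptedAssertion either resolves the attribute or fails with a clear error instead of a null screen name. The attribute name `screenName`, the base64-only `CipherValue` and `stand_in_decrypt` are constructed stand-ins; a real SP decrypts with XML Encryption and its encryption private key.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
CIPHER_PATH = "saml:EncryptedAssertion/xenc:EncryptedData/xenc:CipherData/xenc:CipherValue"

def _screen_name(assertion):
    # First value of the attribute assumed to be mapped to the Liferay screen name, else None.
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == "screenName":
            value = attr.find("saml:AttributeValue", NS)
            return value.text if value is not None else None
    return None

def resolve_plain_only(response_xml):
    # Mirrors the reported defect: only a plain <saml:Assertion> is consulted, so a
    # response carrying <saml:EncryptedAssertion> silently yields None.
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    return _screen_name(assertion) if assertion is not None else None

def resolve_with_encryption(response_xml, decrypt):
    # Handles both forms and fails loudly; `decrypt` is the caller's XML-Encryption routine (SP private key).
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        cipher = root.find(CIPHER_PATH, NS)
        if cipher is None or not cipher.text:
            raise ValueError("response has no Assertion and no decryptable EncryptedAssertion")
        assertion = ET.fromstring(decrypt(base64.b64decode(cipher.text)))
    screen_name = _screen_name(assertion)
    if not screen_name:
        raise ValueError("assertion carries no screenName attribute")
    return screen_name

# Constructed sample data: the CipherValue is plain base64 of the assertion and the
# stand-in decryptor only decodes it, so the example runs offline without a key.
ASSERTION = ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
             '<saml:AttributeStatement><saml:Attribute Name="screenName"><saml:AttributeValue>'
             'jdoe</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>')
PLAIN_RESPONSE = f'<samlp:Response xmlns:samlp="{NS["samlp"]}">{ASSERTION}</samlp:Response>'
ENCRYPTED_RESPONSE = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
                      f'xmlns:xenc="{NS["xenc"]}"><saml:EncryptedAssertion><xenc:EncryptedData>'
                      f'<xenc:CipherData><xenc:CipherValue>{base64.b64encode(ASSERTION.encode()).decode()}'
                      '</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></saml:EncryptedAssertion></samlp:Response>')
def stand_in_decrypt(ciphertext):
    return ciphertext.decode()  # placeholder for real XML-Encryption decryption
```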