Uploaded image for project: 'PUBLIC - Liferay Portal Community Edition'
  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-108070

Handle new SameSite=Lax default in cookies in SAML

    Details

      Description

      https://help.liferay.com/hc/articles/360039330892

      Fixed in

      Liferay Connector to SAML 2.0 for

      • DXP 7.0: 3.1.2+
      • DXP 7.1: 4.1.1+
      • DXP 7.2: 5.0.1+
      • DXP 7.3: 6.0.0+

      Affected Products

      Liferay Connector to SAML 2.0, versions

      • 5.0.0 for DXP 7.2
      • 4.1.0 and below for DXP 7.1
      • 3.1.1 and below for DXP 7.0
      • 2.1.3 and below for Liferay Portal 6.2 EE
      • 1.0.4 and below for Liferay Portal 6.1 EE GA2 and GA3

      Reproduction steps

      Issue 1 - SAML SP initiated SSO requests behave like "Force Authn"

      1. Configure 2 Liferay SAML SP instances connected to 1 Liferay SAML IdP. For the SP connections to the IdP, ensure "Force authn" is not selected.
      2. Complete a SP initiated SSO as usual with SP1
      3. Initiate a SP initiated SSO us usual with SP2

       Expected result: You are not prompted to log into the IdP because there exists an authenticated portal session on the IdP
       Actual result: You are prompted to login

      Issue 2 - 2nd+ SAML SP initiated SSO request fails

      1. Configure 1 Liferay SAML SP instances connected to 1 Liferay SAML IdP
      2. Complete a SP initiated SSO as usual
      3. Delete all cookies associated with the SP (so you are guest again)
      4. Attempt another SP initiated SSO
      5. You will be prompted to log into the IdP for the same reason as issue 1. Log in with valid credentials.

       Expected result: You are authenticated and returned to the SP
       Actual result: The IdP displays error "Unable to process SAML request". Also there is an error in the log: {{{ ERROR [http-nio-8080-exec-3][BaseSamlStrutsAction:59] Duplicate SAML IDP SSO session for XXXX }}}

      Issue 3 - SAML Single Logout fails

      1. Configure 1 Liferay SAML SP instances connected to 1 Liferay SAML IdP
      2. Complete a SP initiated SSO as usual
      3. Initiate a SLO from the SP

       Expected result: You are redirected to the IdP which renders a page where the logout progress of each SP is shown
       Actual result: You are presented with a maximized login portlet on the IdP stating "You are signed in"

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              della.wang Della Wang
              Reporter:
              stian.sigvartsen Stian Sigvartsen
              Participants of an Issue:
              Recent user:
              Stian Sigvartsen
              Engineering Assignee:
              Tibor Lipusz
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:
                Days since last comment:
                40 weeks, 4 days ago

                  Packages

                  Version Package
                  7.0.X
                  7.1.X
                  7.2.X
                  7.3.1 CE GA2
                  7.3.2 CE GA3
                  7.3.10 DXP GA1