PUBLIC - Liferay Portal Community Edition / LPS-122195

ADFS with NameID format unspecified as Idp cannot login existing users

    Details

      Description

      Affects Liferay Connector to SAML 2.0:

      Affected App Version/s                 Fixed in App Version
      6.0.0 for DXP 7.3                      TBR
      5.0.0 through 5.0.1 for DXP 7.2        TBR
      4.0.1 through 4.1.1 for DXP 7.1        TBR
      3.1.2 for DXP 7.0                      TBR

      Liferay DXP subscribers can request the fix as a Hotfix LPKG through Liferay Support once it has been fixed and backported.


      A client reports that after upgrading to version 3.1.2 of the SAML plugin, they cannot log users in. They have ADFS as the IdP with format name = unspecified, as a requirement from ADFS.

      Steps to reproduce:

      1. Configure an ADFS with format name = unspecified.
      2. Configure SAML as SP into Liferay with "Import from LDAP" checked (you must also configure the LDAP connection to ADFS appropriately).
      3. Log in an existing user to Liferay.

       Important: Ensure that you change Instance Settings > User Authentication > General > How do users authenticate? to "Screen Name" so that the LDAP user import process matches existing portal users on the same field as the SAML connector itself. Otherwise, if ADFS has a user with the same NameID value but a different email address, you will also get the exception below.

       Expected result: User performs login correctly

       Current result: UserScreenNameException$MustNotBeDuplicate is thrown

      2020-10-13 09:55:29.800 ERROR [ajp-nio-8009-exec-38][BaseSamlStrutsAction:54] com.liferay.portal.kernel.exception.UserScreenNameException$MustNotBeDuplicate: Screen name test_user must not be duplicate but is already used by user 24818724
      com.liferay.portal.kernel.exception.UserScreenNameException$MustNotBeDuplicate: Screen name test_user must not be duplicate but is already used by user 24818724
              at com.liferay.portal.service.impl.UserLocalServiceImpl.validateScreenName(UserLocalServiceImpl.java:7062)
              at com.liferay.portal.service.impl.UserLocalServiceImpl.validate(UserLocalServiceImpl.java:6761)
              at com.liferay.portal.service.impl.UserLocalServiceImpl.addUserWithWorkflow(UserLocalServiceImpl.java:961)
              at com.liferay.portal.service.impl.UserLocalServiceImpl.addUser(UserLocalServiceImpl.java:775)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at java.lang.reflect.Method.invoke(Method.java:498)
              at com.liferay.portal.spring.aop.ServiceBeanMethodInvocation.proceed(ServiceBeanMethodInvocation.java:163)
              at com.liferay.portal.spring.transaction.DefaultTransactionExecutor.execute(DefaultTransactionExecutor.java:54)
              at com.liferay.portal.spring.transaction.TransactionInterceptor.invoke(TransactionInterceptor.java:58)
              at com.liferay.portal.spring.aop.ServiceBeanMethodInvocation.proceed(ServiceBeanMethodInvocation.java:137)
              at com.liferay.portal.service.ServiceContextAdvice.invoke(ServiceContextAdvice.java:51)
              at com.liferay.portal.spring.aop.ServiceBeanMethodInvocation.proceed(ServiceBeanMethodInvocation.java:137)
              at com.liferay.portal.spring.aop.ChainableMethodAdvice.invoke(ChainableMethodAdvice.java:55)
              at com.liferay.portal.spring.aop.ServiceBeanMethodInvocation.proceed(ServiceBeanMethodInvocation.java:137)
              at com.liferay.portal.spring.aop.ServiceBeanAopProxy.invoke(ServiceBeanAopProxy.java:169)
              at com.sun.proxy.$Proxy118.addUser(Unknown Source)
              at com.liferay.saml.opensaml.integration.internal.resolver.DefaultUserResolver.addUser(DefaultUserResolver.java:173)
              at com.liferay.saml.opensaml.integration.internal.resolver.DefaultUserResolver.importUser(DefaultUserResolver.java:370)
              at com.liferay.saml.opensaml.integration.internal.resolver.DefaultUserResolver.resolveUser(DefaultUserResolver.java:99)
              at com.liferay.saml.opensaml.integration.internal.profile.WebSsoProfileImpl.doProcessResponse(WebSsoProfileImpl.java:626)
              at com.liferay.saml.opensaml.integration.internal.profile.WebSsoProfileImpl.processResponse(WebSsoProfileImpl.java:169)
              at com.liferay.saml.web.internal.portlet.action.AssertionConsumerServiceAction.doExecute(AssertionConsumerServiceAction.java:59)
              at com.liferay.saml.web.internal.portlet.action.BaseSamlStrutsAction.execute(BaseSamlStrutsAction.java:51)
              at com.liferay.portal.kernel.struts.BaseStrutsAction.execute(BaseStrutsAction.java:39)
              at com.liferay.portal.struts.ActionAdapter.execute(ActionAdapter.java:50)
              at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:425)
              at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:228)
              at com.liferay.portal.struts.PortalRequestProcessor.process(PortalRequestProcessor.java:170)
              at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1913)
              at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:462)
              at javax.servlet.http.HttpServlet.service(HttpServlet.java:648)
              at com.liferay.portal.servlet.MainServlet.callParentService(MainServlet.java:607)
              at com.liferay.portal.servlet.MainServlet.service(MainServlet.java:584)
              at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
              at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
              at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:119)
              at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:144)
              at com.liferay.frontend.compatibility.ie.servlet.filter.IEMimeTypeCompatibilityFilter.processFilter(IEMimeTypeCompatibilityFilter.java:48)
              at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
              at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
              at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
              at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:144)
              at com.liferay.portal.servlet.filters.uploadservletrequest.UploadServletRequestFilter.processFilter(UploadServletRequestFilter.java:93)
              at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
              at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
              at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
              at com.liferay.portal.servlet.filters.password.modified.PasswordModifiedFilter.processFilter(PasswordModifiedFilter.java:57)
              at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
              at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
              at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
              at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:144)
              at com.liferay.portal.servlet.filters.secure.BaseAuthFilter.processFilter(BaseAuthFilter.java:340)
              at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
              at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
              at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
              at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:144)
              at com.liferay.portal.servlet.filters.jsoncontenttype.JSONContentTypeFilter.processFilter(JSONContentTypeFilter.java:42)
              at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
              at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
              at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
              at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:144)
              at com.liferay.portal.sharepoint.SharepointFilter.processFilter(SharepointFilter.java:88)
              at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
              at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
              at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
              at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:144)
              at com.liferay.portal.servlet.filters.virtualhost.VirtualHostFilter.processFilter(VirtualHostFilter.java:264)
              at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
              at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
              at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
              at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:144)
              at com.liferay.portal.monitoring.internal.servlet.filter.MonitoringFilter.processFilter(MonitoringFilter.java:181)
              at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
              at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
              at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
              at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:188)
              at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
              at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:188)
              at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
              at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:176)
              at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:145)
              at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:92)
              at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:394)
              at com.liferay.portal.servlet.filters.urlrewrite.UrlRewriteFilter.processFilter(UrlRewriteFilter.java:65)
              at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
              at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
              at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
              at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:168)
              at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
              at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:168)
              at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
              at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:188)
              at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
              at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilter.doFilter(InvokerFilter.java:101)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
              at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
              at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
              at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
              at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
              at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
              at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:522)
              at org.apache.coyote.ajp.AbstractAjpProcessor.process(AbstractAjpProcessor.java:868)
              at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:672)
              at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1500)
              at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456)
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
              at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
              at java.lang.Thread.run(Thread.java:748)

      It seems to be a regression caused by LPS-84540, which introduces a new format but doesn't map this format in the getUser method, so getUser always returns null and the user is always treated as new in this case.

      The official documentation (https://help.liferay.com/hc/en-us/articles/360029031551-Changing-the-Settings-for-Service-Provider-and-Identity-Provider-Connections) states: "For Liferay Service Providers, selections other than email address indicate that the Name Identifier refers to screen name." So we think that changing the new logic back to

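      // Only the email NameID format matches users by email address.
      if (NameIDType.EMAIL.equals(format)) {
          return _SUBJECT_NAME_TYPE_EMAIL_ADDRESS;
      }

      // Every other format, including unspecified, matches by screen name.
      return _SUBJECT_NAME_TYPE_SCREENNAME;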
      

      could be a solution for this case.

      Regards.
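
      The failure path and the proposed mapping, as an added example (not Liferay's code and not part of the original report). It is a simplified Java model: the class, enum and method names are hypothetical, and the regressed mapping is an assumption based on the description above.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration: all class, enum, method and field names are hypothetical.
public class NameIdMatchDemo {
    static final String EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress";
    static final String UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified";

    enum MatchField { EMAIL_ADDRESS, SCREEN_NAME, UNMAPPED }

    // Constructed user store; test_user and its id are taken from the log above.
    static final Map<String, Long> BY_SCREEN_NAME = new HashMap<>();
    static final Map<String, Long> BY_EMAIL = new HashMap<>();

    // Assumed model of the regression: the new format gets its own type...
    static MatchField regressed(String format) {
        if (EMAIL.equals(format)) return MatchField.EMAIL_ADDRESS;
        if (UNSPECIFIED.equals(format)) return MatchField.UNMAPPED;
        return MatchField.SCREEN_NAME;
    }

    // Mapping proposed in the report: anything but email means screen name.
    static MatchField proposed(String format) {
        return EMAIL.equals(format) ? MatchField.EMAIL_ADDRESS : MatchField.SCREEN_NAME;
    }

    // ...but the lookup has no branch for that type, so it finds nobody.
    static Long getUser(MatchField field, String nameId) {
        switch (field) {
            case EMAIL_ADDRESS: return BY_EMAIL.get(nameId);
            case SCREEN_NAME: return BY_SCREEN_NAME.get(nameId);
            default: return null;
        }
    }

    static String login(MatchField field, String nameId) {
        Long userId = getUser(field, nameId);
        if (userId != null) return "logged in as existing user " + userId;
        // No match: the import path tries to add the user and hits the uniqueness check.
        if (BY_SCREEN_NAME.containsKey(nameId)) {
            return "rejected: screen name " + nameId + " must not be duplicate";
        }
        return "imported as new user";
    }

    public static void main(String[] args) {
        BY_SCREEN_NAME.put("test_user", 24818724L);
        System.out.println(login(regressed(UNSPECIFIED), "test_user"));
        System.out.println(login(proposed(UNSPECIFIED), "test_user"));
    }
}
```

      With the regressed mapping the existing account is never found and the login ends in the duplicate screen name rejection; with the proposed mapping the same NameID resolves to the existing user.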

              People

              Assignee: Della Wang (della.wang) (Inactive)
              Reporter: Jorge García Jiménez (jorge.garcia)
              Recent user: Jason Pince
              Engineering Assignee: Stian Sigvartsen
              Votes: 0
              Watchers: 4

                Dates

                Days since last comment: 25 weeks, 4 days ago

                  Packages

                  Version Package
                  7.0.X
                  7.1.X
                  7.2.X
                  7.3.X
                  7.3.6 CE GA7
                  Master