Project: PUBLIC - Liferay Portal Community Edition
Issue: LPS-124054

NameID Format in Authn Response must match the IDP connection NameID Format or be unspecified

    Details

    • Type: Bug
    • Status: Open
    • Resolution: Unresolved
    • Affects Version/s: 7.0.X, 7.1.X, 7.2.X, 7.3.X, Master
    • Fix Version/s: None
    • Labels: None

      Description

      As a SAML SP we are currently allowing the IDP to specify the NameID Format in the Authn Response, and based on this we are comparing different User model fields to match an existing user. If the IDP alternates between different NameID Formats, this could cause different SP users to be matched, which would be unexpected behavior for the end-user who in each instance authenticated the same user account on the IDP.

      A solution to this might be to fail an SSO attempt that specifies a different NameID Format from the one configured by the SP admin for the IDP connection, except when the IDP does not specify the format at all.

      Note: This could be a breaking change for deployments where an IDP needs to use different NameID Formats for different users, but it ensures that the IDP does so consistently, meeting the end-user expectation. For this reason we should give thought to whether this is a genuine bug that should be fixed, or a concern that has to be solved at deployment/integration time.
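      The check proposed above, as an added illustration that is not Liferay's code: extract the Format of the NameID in the Authn Response (a missing Format attribute counts as unspecified, as SAML 2.0 Core defines) and accept the response only if it matches the format configured for the IDP connection or is unspecified. The sample responses are constructed skeletons, and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def name_id_format(response_xml):
    """Return the Format of the first Subject/NameID in a SAML Response.
    A NameID without a Format attribute is treated as 'unspecified'."""
    root = ET.fromstring(response_xml)
    name_id = root.find(f".//{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID")
    if name_id is None:
        raise ValueError("no Subject/NameID in response")
    return name_id.get("Format", UNSPECIFIED)


def check_name_id_format(response_xml, configured_format):
    """Rule from the ticket: accept only if the NameID Format equals the
    format configured for this IDP connection, or the IDP left it
    unspecified. Run this after signature validation, before any user
    lookup. Returns (accepted, format_seen)."""
    seen = name_id_format(response_xml)
    accepted = seen == configured_format or seen == UNSPECIFIED
    return accepted, seen


# Constructed sample responses (not real IDP output): minimal skeletons
# carrying only the elements the check inspects.
def _response(name_id_attrs, value):
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        f'xmlns:saml="{SAML_NS}"><saml:Assertion><saml:Subject>'
        f'<saml:NameID {name_id_attrs}>{value}</saml:NameID>'
        '</saml:Subject></saml:Assertion></samlp:Response>'
    )


RESPONSE_EMAIL = _response(f'Format="{EMAIL}"', "alice@example.com")
RESPONSE_PERSISTENT = _response(f'Format="{PERSISTENT}"', "a1b2c3")
RESPONSE_NO_FORMAT = _response("", "alice")

if __name__ == "__main__":
    # Connection configured for emailAddress: the persistent one is rejected.
    for resp in (RESPONSE_EMAIL, RESPONSE_PERSISTENT, RESPONSE_NO_FORMAT):
        print(check_name_id_format(resp, EMAIL))
```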

      People

      • Assignee: SE Support (support-lep@liferay.com)
      • Reporter: Stian Sigvartsen (stian.sigvartsen)