Uploaded image for project: 'PUBLIC - Liferay Portal Community Edition'
  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-125272

As an Instance Administrator, I want a SAML assertion attribute to be mapped to screenName even if it differs from NameID


    • Branch Version/s:
    • Backported to Branch:
    • Sprint:
      AppSec Iteration 54, AppSec Iteration 55, AppSec Iteration 56, AppSec Iteration 57, AppSec Iteration 58, AppSec Iteration 59, AppSec Iteration 60, AppSec Iteration 61, AppSec Iteration 62, AppSec Iteration 63, AppSec Iteration 64



      When the IdP sends the username into an attribute instead of using the NameID, even if the screenName is properly mapped to this attribute, Liferay looks for the user into the users list using the NameID.

      This happens, for example when transient or persistent NameID formats are used. They generates ID which format are not compatible with the screenName format, so they can't be used as screenName, and the mapping only works to create the user, but not to check if the user exists.

      Steps to reproduce:

      1. Use an IdP which allows transient format for Name ID
      2. Map screenName = <attribute_that_contains_username>
      3. Log in -> The user will be created and user's data looks fine
      4. Log out
      5. Log in again with the same user
      6. You'll get this error: 
        ERROR [http-nio2-8080-exec-36][WebSsoProfileImpl:809] Screen name <your_user_name> must not be duplicate but is already used by user <user_id>

      Feature request:

      The background reason why the transient mode is not working, may be that we don't provide the option to map the screen name with another attribute that differs from the Name ID (well, actually we provide it but it doesn't work). So If we provide a configuration checkbox to do this, or if we detect automatically that the screen name is mapped, then we should check if the user exists using this value instead of the Name ID. This automatically will solve the transient and other NameId modes supported in SAML2.

      Acceptance Criteria

      1. As an Instance Administrator, I want a SAML assertion attribute to be mapped to screenName even if it differs from NameID to prevent having screen name mapping related duplication error.


          Issue Links



              zsigmond.rab Zsigmond Rab
              martin.dominguez Martín Domínguez (Inactive)
              Engineering Assignee:
              Stian Sigvartsen
              Recent user:
              Zsigmond Rab
              Participants of an Issue:
              0 Vote for this issue
              5 Start watching this issue




                  Version Package
                  7.3.7 CE GA8
                  7.4.1 CE GA2 DXP 7,4
                  7.4.13 DXP GA1