PUBLIC - Liferay Portal Community Edition / LPS-133178

SAML login using the UUID SAML attribute does not match the user at the Service Provider after the email address is changed



      Test setup

      1. Have a Portal with the default virtual instance and one new virtual instance (localhost:8080 and www.able.com:8080)
      2. Log in to localhost:8080 as instance admin and enable the Identity Provider SAML role.


      1. Log in to the new virtual instance as Instance Administrator (www.able.com:8080)
      2. Go to System Settings / Security / SAML
      3. Select "Service Provider" as the SAML role
      4. Enter a name for the Service Provider role
      5. Save the form
      6. Go to the Identity Provider Connections tab
      7. Click Add
      8. Fill out the mandatory fields
      9. Scroll down to the User Resolution and Attribute Mapping area
      10. Add one extra User Attribute Mapping row and select "UUID" as the User Field Expression
      11. Enter "uuid" into the SAML Attribute field as well
      12. Click the "Match Using a Specific SAML Attribute Mapping" radio button next to that User Attribute Mapping row
      13. Save the form
      14. Go to the IDP, create a new user as [email protected], and do a first-time login to the IDP
      15. Go to the Service Provider and do a first-time login with the new user so that a profile exists at the SP
      16. Go back to the IDP and change the email address to [email protected]
      17. Save and verify the new email address at the IDP
      18. Log in to the IDP with the new email address
      19. Log out from the IDP
      20. Go to the SP and try to log in with the new email address [email protected]

      The user cannot log in to the Service Provider after their email address has been changed at the Identity Provider.

      The user should be able to log in with the changed email address and land in the same profile at the Service Provider.
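      As an added illustration (not Liferay's own code), the failing lookup from the debug log below, modelled in Python with constructed users: matching the IdP's "uuid" attribute against the SP's own User.uuid column cannot find a profile the SP minted itself, whereas a binding recorded at first login and keyed on the IdP-side identifier still resolves the same profile after the email changes. The ServiceProvider, SpUser and peer_bindings names are assumptions made for this example, not Liferay's classes.

```python
from dataclasses import dataclass, field
from uuid import uuid4


@dataclass
class SpUser:
    user_id: int
    email: str
    uuid: str  # UUID minted by the SP itself when the profile was created


@dataclass
class ServiceProvider:  # hypothetical model, not Liferay's resolver
    company_id: int
    users: list = field(default_factory=list)
    peer_bindings: dict = field(default_factory=dict)  # (idp, idp_uuid) -> user_id

    def first_login(self, idp, name_id, attrs):
        """Create the SP profile and remember which IdP identifier it belongs to."""
        user = SpUser(len(self.users) + 1, name_id, str(uuid4()))
        self.users.append(user)
        self.peer_bindings[(idp, attrs["uuid"])] = user.user_id
        return user

    def resolve_by_uuid_attribute(self, attrs):
        """Match the raw SAML 'uuid' attribute against the SP's own User.uuid column,
        the lookup the report's DefaultUserResolver log shows failing."""
        value = attrs["uuid"]
        user = next((u for u in self.users if u.uuid == value), None)
        if user is None:
            raise LookupError(f"No User exists with the key {{uuid={value}, companyId={self.company_id}}}")
        return user

    def resolve_by_peer_binding(self, idp, attrs):
        """Resolve through the binding stored at first login; the email plays no part."""
        user_id = self.peer_bindings.get((idp, attrs["uuid"]))
        if user_id is None:
            raise LookupError("no peer binding for this IdP identifier")
        return next(u for u in self.users if u.user_id == user_id)


def email_change_scenario():
    """Replay steps 15-20 with constructed values: (same profile via binding?, attribute match failed?)."""
    sp = ServiceProvider(company_id=41581)  # companyId taken from the report's log
    idp, idp_uuid = "idp.example", "4afce356-f7ac-de15-ab1b-3cfec10a7f4e"  # UUID from the report's log
    first = sp.first_login(idp, "old@example.com", {"uuid": idp_uuid})  # step 15: profile created at SP
    attrs = {"uuid": idp_uuid}  # step 20: email changed at the IdP, UUID attribute unchanged
    try:
        sp.resolve_by_uuid_attribute(attrs)
        attribute_failed = False
    except LookupError:
        attribute_failed = True
    return sp.resolve_by_peer_binding(idp, attrs).user_id == first.user_id, attribute_failed
```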

      Debug logs

      IDP Connection at Service Provider:


      2021-05-28 14:06:11.055 DEBUG [http-nio-8080-exec-2][WebSsoProfileImpl:809] SAML authenticated user [email protected]
      2021-05-28 14:06:11.056 DEBUG [http-nio-8080-exec-2][DefaultUserResolver:81] Resolving user with name ID format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress and value [email protected]
      2021-05-28 14:06:11.057 DEBUG [http-nio-8080-exec-2][AttributeUserFieldExpressionResolver:72] Resolving user with user field expression: uuid
      2021-05-28 14:06:11.057 DEBUG [http-nio-8080-exec-2][DefaultUserResolver:223] User identifier expression is mapped to SAML attribute value "4afce356-f7ac-de15-ab1b-3cfec10a7f4e"
      2021-05-28 14:06:11.060 DEBUG [http-nio-8080-exec-2][DefaultUserFieldExpressionHandler:145] com.liferay.portal.kernel.exception.NoSuchUserException: No User exists with the key {uuid=4afce356-f7ac-de15-ab1b-3cfec10a7f4e, companyId=41581}
      com.liferay.portal.kernel.exception.NoSuchUserException: No User exists with the key {uuid=4afce356-f7ac-de15-ab1b-3cfec10a7f4e, companyId=41581}
      	at com.liferay.portal.service.persistence.impl.UserPersistenceImpl.findByUuid_C_First(UserPersistenceImpl.java:878) ~[portal-impl.jar:?]
      	at com.liferay.portal.service.base.UserLocalServiceBaseImpl.getUserByUuidAndCompanyId(UserLocalServiceBaseImpl.java:505) ~[portal-impl.jar:?]

      SAMLPeerBinding table records:


      People: Brian Chan, Gábor Lovas, Kiyoshi Lee, Stian Sigvartsen

      Version Package: 7.4.1 CE GA2, DXP 7.4; 7.4.13 DXP GA1