  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-133379

Empty User attribute field can be saved for User Matching at SP site's IDP connection form

    Details

    • Fix Priority:
      3

      Description

      Summary
      An empty SAML Attribute field can be selected and saved for use in user matching.
      This causes user matching to fail.

      Reproduction steps

      1. Have 2 portals running in the IdP and SP SAML roles according to the documentation: 7.4-SAML-S1-S4
      2. Log in to the Identity Provider (localhost:8080) as Instance Admin
      3. Go to Control Panel / USERS / Users and Organizations
      4. Define a new End User as [email protected] / test
      5. Log in to the SP (www.able.com:8080) as Instance Administrator
      6. Go to Control Panel / Security / SAML
      7. Switch to Identity Provider Connections tab
      8. Open the IP1 connection's settings
      9. Scroll down to Attribute Mapping
      10. Remove all fields
      11. Select "Match Using a Specific SAML Attribute Mapping" at User Resolution
      12. Select the empty User Field Expression row and mark it as "Use to Match Users"
      13. Save the form
      14. Log out of the SP as Instance Administrator
      15. Try to sign in to SP using [email protected] / test

      Actual results
      The End User's login fails

      Expected results
      The Identity Provider Connection form shouldn't allow saving if the "Match Using a Specific SAML Attribute Mapping" option is selected and only empty Attribute Mapping fields are marked as "Use to Match Users".

      Log

      2021-06-01 13:50:28.422 DEBUG [http-nio-8080-exec-4][WebSsoProfileImpl:809] SAML authenticated user [email protected]
      2021-06-01 13:50:28.423 DEBUG [http-nio-8080-exec-4][DefaultUserResolver:80] Resolving user with name ID format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress and value [email protected]
      2021-06-01 13:50:28.423 DEBUG [http-nio-8080-exec-4][AttributeUserFieldExpressionResolver:72] Resolving user with user field expression:
      2021-06-01 13:50:28.424 DEBUG [http-nio-8080-exec-4][WebSsoProfileImpl:213] com.liferay.saml.web.internal.exception.UserIdentifierExpressionException: No SAML attribute value mapped for user field expression
      com.liferay.saml.web.internal.exception.UserIdentifierExpressionException: No SAML attribute value mapped for user field expression
      	at com.liferay.saml.web.internal.opensaml.integration.field.expression.resolver.AttributeUserFieldExpressionResolver.resolveUserFieldExpression(AttributeUserFieldExpressionResolver.java:78) ~[bundleFile:?]
      	at com.liferay.saml.opensaml.integration.internal.resolver.DefaultUserResolver._importUser(DefaultUserResolver.java:235) ~[bundleFile:?]
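
The save-time check described under Expected results, sketched as an added example (not Liferay's code and not part of the original report). The class, field and method names are hypothetical, the sample rows are constructed, and rejecting a form with no marked row at all is an assumption that goes slightly beyond the reported case.

```java
import java.util.Arrays;
import java.util.List;

// Added illustration only: class, field and method names are hypothetical,
// not taken from Liferay's SAML module.
public class UserMatchingMappingCheck {

    // One row of the Attribute Mapping table on the IdP connection form.
    static final class MappingRow {
        final String userFieldExpression; // may be empty, as in step 12
        final boolean useToMatchUsers;

        MappingRow(String userFieldExpression, boolean useToMatchUsers) {
            this.userFieldExpression = userFieldExpression;
            this.useToMatchUsers = useToMatchUsers;
        }
    }

    static boolean isBlank(String s) {
        return s == null || s.trim().isEmpty();
    }

    // Returns null when the form may be saved, otherwise the reason to reject it.
    static String validate(boolean matchUsingAttributeMapping, List<MappingRow> rows) {
        if (!matchUsingAttributeMapping) {
            return null; // other User Resolution modes do not need a match row
        }
        for (MappingRow row : rows) {
            if (row.useToMatchUsers && !isBlank(row.userFieldExpression)) {
                return null; // at least one usable match row exists
            }
        }
        // Assumption: zero marked rows is rejected the same way as only-empty marked rows.
        return "Select a non-empty User Field Expression marked \"Use to Match Users\"";
    }

    public static void main(String[] args) {
        // Constructed inputs: the saved state from the reproduction steps, then a valid one.
        List<MappingRow> reported = Arrays.asList(new MappingRow("", true));
        List<MappingRow> valid = Arrays.asList(
            new MappingRow("", false), new MappingRow("emailAddress", true));
        System.out.println("reported: " + validate(true, reported));
        System.out.println("valid:    " + validate(true, valid));
    }
}
```

Running the check when the form is submitted turns the misconfiguration into a validation error for the administrator, instead of a UserIdentifierExpressionException on every SSO login.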
      

              People

              Assignee:
              support-lep@liferay.com SE Support
              Reporter:
              gabor.lovas Gábor Lovas
                  Packages

                  Version Package
                  Master