Uploaded image for project: 'PUBLIC - Liferay Portal Community Edition'
  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-133379

Empty User attribute field can be saved for User Matching at SP site's IDP connection form

    XMLWordPrintable

Details

    • 3

    Description

      Summary
      An empty SAML Attribute field could be selected and saved to use for user matching.
      Obviously, it will cause the user match to fail.

      Reproduction steps

      1. Have 2 portal running with IdP and SP SAML role according to the documentation: 7.4-SAML-S1-S4
      2. Login to Identity Provider (localhost:8080) as Instance Admin
      3. Go to Control Panel / USERS / Users and Organization
      4. Define a new End User as [email protected] / test
      5. Login to SP (www.able.com:8080) as Instance Administrator
      6. Go to Control Panel / Security / SAML
      7. Switch to Identity Provider Connections tab
      8. Open the IP1 connection's settings
      9. Scroll down to Attribute Mapping
      10. Remove all fields
      11. Select " Match Using a Specific SAML Attribute Mapping " at User Resolution
      12. Select the empty User Field Expression row and mark it as "Use to Match Users"
      13. Save the form
      14. Logout as Instance administrator from SP
      15. Try to sign in to SP using [email protected] / test

      Actual results
      The End User's login fails

      Expected results
      The Identity Provider Connection form shouldn't allow saving if the Match Using a Specific SAML Attribute Mapping option is selected, and there are only empty Attribute Mapping fields are marked as "Use to Match Users".

      Screenshot

      Log

      2021-06-01 13:50:28.422 DEBUG [http-nio-8080-exec-4][WebSsoProfileImpl:809] SAML authenticated user [email protected]
2021-06-01 13:50:28.423 DEBUG [http-nio-8080-exec-4][DefaultUserResolver:80] Resolving user with name ID format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress and value [email protected]
2021-06-01 13:50:28.423 DEBUG [http-nio-8080-exec-4][AttributeUserFieldExpressionResolver:72] Resolving user with user field expression:
2021-06-01 13:50:28.424 DEBUG [http-nio-8080-exec-4][WebSsoProfileImpl:213] com.liferay.saml.web.internal.exception.UserIdentifierExpressionException: No SAML attribute value mapped for user field expression
com.liferay.saml.web.internal.exception.UserIdentifierExpressionException: No SAML attribute value mapped for user field expression
	at com.liferay.saml.web.internal.opensaml.integration.field.expression.resolver.AttributeUserFieldExpressionResolver.resolveUserFieldExpression(AttributeUserFieldExpressionResolver.java:78) ~[bundleFile:?]
	at com.liferay.saml.opensaml.integration.internal.resolver.DefaultUserResolver._importUser(DefaultUserResolver.java:235) ~[bundleFile:?]

      Attachments

        Issue Links

          Discovered while testing

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. LPS-123218 As an Instance Administrator, I want to use the UUID to sync users with an IdP

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed

          Activity

            People

              support-lep@liferay.com SE Support
              gabor.lovas Gábor Lovas
              Kiyoshi Lee Kiyoshi Lee
              Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:
                1 year, 33 weeks, 4 days ago

                Packages

                  Version Package
                  Master