  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-135008

Specific attribute mapping displays sensitive information

    Description

    Requirement:
    Have an already working SAML link between an IdP and an SP, with a user present in both!

    Steps to reproduce:

    1. In IdP make sure firstName and lastName are not sent towards SP!
    2. In IdP make sure reminderQueryQuestion and reminderQueryAnswer are sent towards SP!
    3. In SP add the following mapping: User Field Expression is firstName, and SAML attribute is reminderQueryQuestion
    4. In SP add the following mapping: User Field Expression is lastName, and SAML attribute is reminderQueryAnswer
    5. Log in with a user

    Actual result:
    User logs in and their reminder question and answer are displayed as their first and last name

    Expected result:
    Either sending these attributes is blocked on the IdP side, or their mapping is blocked on the SP side. Yet another solution can be to store the hashed value of reminderQueryAnswer.

    Reproduced on:
    Tomcat 9.0.43 + MySQL 8.0.25 | Portal master DXP GIT ID: 880952a2ef107ca6d98c9988da04a18fd51b5a55

    Notes:
    Encrypted password can also be mapped and displayed this way.
    Snippet attached!

    cc:Zsigmond Rab

            People

            Assignee:
            support-lep@liferay.com SE Support
            Reporter:
            ferenc.onodi Ferenc Onodi (Inactive)
            Participants of an Issue:
            Recent user:
            Rafaela Nascimento

              Dates

              Days since last comment:
              1 year, 5 weeks, 3 days ago
