Affects Version/s: 6.1.30 EE GA3, 6.2.0 CE M4
Fix Version/s: 7.0.0 M5
Currently an administrator can configure the IdP to include roles directly assigned to the user as SAML attributes, but roles the user only inherits (for example a site role granted through a user group that is a member of the site) are not included in the attribute statement sent to the SP.
- Set up two instances of SAML, one as IdP and the other as SP. For configuration, see: https://www.liferay.com/group/customer/knowledge/kb/-/knowledge_base/article/40556658#use-case2
- On the IdP machine, go to Admin > Control Panel > SAML Admin > SP Connection and edit the SP connection added in step 1
- In the Attributes panel, check the 'Attributes Enabled' checkbox, enter 'siteRoles' in the Attributes form (see screenshot) and Save.
- In Admin > Server Administration > Log Levels > Add Category, add 'com.liferay.saml' with log level DEBUG
- Create a site role called 'TestSiteRole'
- Create a new Site
- Create a new User Group
- Edit the Site > Site Memberships > User Groups and assign the User Group to the site
- Edit the Site > Site Memberships > Add Site Roles to > User Groups and assign 'TestSiteRole' to the User Group
- Edit user 'test test' and assign both the Site and the User Group to the user.
- Assert that the user now has TestSiteRole in the
- Log out of both the IdP and SP
- On the SP machine, do a SP initiated SSO (Click the Sign In button)
- On the IdP machine, assert in the console logs that the inherited role 'TestSiteRole' displays:
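Added example, not part of the original report or of Liferay's own code: instead of relying on the IdP DEBUG log, the same check can be run on the SP side against the assertion the SP actually received (for example copied out of the SP's com.liferay.saml DEBUG output after it has been signature-validated). The two assertions below are constructed samples; they assume the IdP emits the configured attribute as a saml:Attribute named 'siteRoles' with one saml:AttributeValue per role, and 'Site Member' stands in for a role the user holds directly.

```python
"""Extract the site roles carried by a SAML 2.0 assertion and report which
expected roles are missing. Constructed example; assumes the 'siteRoles'
attribute layout described in the lead-in."""
import xml.etree.ElementTree as ET
from typing import List

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: what the SP sees while the bug is present. Only the
# directly assigned role is listed; the inherited 'TestSiteRole' is absent.
ASSERTION_BEFORE_FIX = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example1" Version="2.0" IssueInstant="2013-01-01T00:00:00Z">
  <saml:Issuer>http://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>test</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="siteRoles">
      <saml:AttributeValue>Site Member</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample: the expected result once inherited roles are included.
ASSERTION_AFTER_FIX = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example2" Version="2.0" IssueInstant="2013-01-01T00:00:00Z">
  <saml:Issuer>http://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>test</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="siteRoles">
      <saml:AttributeValue>Site Member</saml:AttributeValue>
      <saml:AttributeValue>TestSiteRole</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def site_roles(assertion_xml: str, attribute_name: str = "siteRoles") -> List[str]:
    """Return the non-empty values of the named attribute, in document order.

    Only the assertion's own AttributeStatement is inspected; an assertion
    with no such attribute yields an empty list rather than an error.
    """
    root = ET.fromstring(assertion_xml)
    roles = []
    for attr in root.findall("./saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != attribute_name:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            text = (value.text or "").strip()
            if text:
                roles.append(text)
    return roles


def missing_roles(assertion_xml: str, expected: List[str]) -> List[str]:
    """Roles the SP expects for this user that the assertion does not carry."""
    return sorted(set(expected) - set(site_roles(assertion_xml)))


if __name__ == "__main__":
    expected = ["Site Member", "TestSiteRole"]
    print("before fix, missing:", missing_roles(ASSERTION_BEFORE_FIX, expected))
    print("after fix, missing: ", missing_roles(ASSERTION_AFTER_FIX, expected))
```

Run this only against an assertion the SP has already accepted (signature and conditions checked by the SAML stack); the parser here is for inspection, not for trust decisions, and stdlib XML parsing should not be pointed at untrusted input.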
Full DEBUG log level from com.liferay.saml from the IdP machine: