LPS-32577 (PUBLIC - Liferay Portal Community Edition)

As a portal administrator, I would like to be able to add users' inherited roles as SAML attribute statements

Details

    Description

      Currently, an administrator can include roles directly assigned to the user but not inherited roles.

      1. Set up two instances of SAML, one as IdP and the other as SP. For configuration, see: https://www.liferay.com/group/customer/knowledge/kb/-/knowledge_base/article/40556658#use-case2
      2. On the IdP machine, go to Admin > Control Panel > SAML Admin > SP Connection and edit the SP connection added in step 1
      3. In the Attributes panel, check the 'Attributes Enabled' checkbox and in the Attributes form enter 'siteRoles' (see screenshot) and Save.
      4. In Admin > Server Administration > Log Levels > Add Category, add 'com.liferay.saml' with a log level of DEBUG
      5. Create a site role called 'TestSiteRole'
      6. Create a new Site
      7. Create a new User Group
      8. Edit the Site > Site Memberships > User Groups and assign the User Group to the site
      9. Edit the Site > Site Memberships > Add Site Roles to > User Groups and assign the 'TestSiteRole' to the User Group
      10. Edit user 'test test' and assign both the Site and User Group to the user.
      11. Assert that the user now has TestSiteRole in the
      12. Log out of both the IdP and SP
      13. On the SP machine, do an SP-initiated SSO (click the Sign In button)
      14. On the IdP machine, assert in the console logs that the inherited role 'TestSiteRole' displays:
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">TestSiteRole</saml2:AttributeValue>
      

      Full DEBUG log level from com.liferay.saml from the IdP machine:

      23:46:10,482 DEBUG [http-bio-8080-exec-9][BaseProfile:382] Sending SAML message <?xml version="1.0" encoding="UTF-8"?>_<saml2p:Response Destination="http://www.able.com:9080/c/portal/saml/acs" ID="_e5b14035d7dabc8a261467d99f1ecafe759c270c" IssueInstant="2015-03-03T23:46:10.458Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">samlidp</saml2:Issuer><saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status><saml2:Assertion ID="_969f4ce202b397b8cf31eedf2e7f538479b6a93e" IssueInstant="2015-03-03T23:46:10.458Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:Issuer>samlidp</saml2:Issuer><saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData NotOnOrAfter="2015-03-04T00:16:10.458Z" Recipient="http://www.able.com:9080/c/portal/saml/acs"/></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2015-03-03T23:46:10.458Z" NotOnOrAfter="2015-03-04T00:16:10.458Z"><saml2:AudienceRestriction><saml2:Audience>samlsp</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AuthnStatement AuthnInstant="2015-03-03T23:46:10.458Z" SessionIndex="_f5f9ad8b423553b5f8f90a6e32dbbaf3fc67a280ed865f9c43a3651c563c"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement><saml2:AttributeStatement><saml2:Attribute Name="urn:liferay:siteRole:&lt;?xml version='1.0' encoding='UTF-8'?>&lt;root available-locales=&quot;en_US&quot; default-locale=&quot;en_US&quot;>&lt;Name language-id=&quot;en_US&quot;>Guest&lt;/Name>&lt;/root>" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">TestSiteRole</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="urn:liferay:siteRole:&lt;?xml version='1.0' encoding='UTF-8'?>&lt;root available-locales=&quot;en_US&quot; default-locale=&quot;en_US&quot;>&lt;Name language-id=&quot;en_US&quot;>SamlSite&lt;/Name>&lt;/root>" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Site Owner</saml2:AttributeValue><saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">TestSiteRole</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement></saml2:Assertion></saml2p:Response> to http://www.able.com:9080/c/portal/saml/acs with binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST [Sanitized]
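      The check that step 14 asks for, as an added example that is not part of this issue or of Liferay's code: it pulls the SAML Response out of a "Sending SAML message" log line, decodes the site-role attributes into a site-to-roles map (the log shows each attribute Name is the prefix urn:liferay:siteRole: followed by the site's localized-name XML, and each role is one AttributeValue), and reports what an SP must verify before acting on those roles. The sample log line is constructed from the Response above, trimmed to the elements the check reads; the logged excerpt contains no Signature element, so the report marks it unsigned, and whether the IdP signs the assertion after this log point is not shown on this page. All function names are my own.

```python
"""Parse the SAML Response a Liferay IdP logs at DEBUG level and list the
site roles (direct or inherited) it asserts, i.e. step 14 above as a check.
Added example for this issue, not Liferay code; SAMPLE_LOG_LINE is constructed
from the Response in the description (IDs, timestamps, site and role names
copied from it) and trimmed to the elements read here."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SITE_ROLE_PREFIX = "urn:liferay:siteRole:"


def _site_role_attribute(site, roles):
    # One attribute as the IdP writes it: the Name carries the site's
    # localized-name XML (entity-escaped), each role is one AttributeValue.
    values = "".join(
        '<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">'
        + role + "</saml2:AttributeValue>" for role in roles)
    return ("<saml2:Attribute Name=\"urn:liferay:siteRole:&lt;?xml version='1.0' encoding='UTF-8'?>"
            "&lt;root available-locales=&quot;en_US&quot; default-locale=&quot;en_US&quot;>"
            "&lt;Name language-id=&quot;en_US&quot;>" + site + "&lt;/Name>&lt;/root>\" "
            'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">'
            + values + "</saml2:Attribute>")


# Constructed sample. The logger prints "_" where the newline after the XML
# declaration was, which is why parsing starts at the root element below.
SAMPLE_LOG_LINE = (
    "23:46:10,482 DEBUG [http-bio-8080-exec-9][BaseProfile:382] Sending SAML message "
    '<?xml version="1.0" encoding="UTF-8"?>_'
    '<saml2p:Response Destination="http://www.able.com:9080/c/portal/saml/acs" '
    'ID="_e5b14035d7dabc8a261467d99f1ecafe759c270c" IssueInstant="2015-03-03T23:46:10.458Z" '
    'Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<saml2:Assertion ID="_969f4ce202b397b8cf31eedf2e7f538479b6a93e" '
    'IssueInstant="2015-03-03T23:46:10.458Z" Version="2.0" '
    'xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<saml2:Conditions NotBefore="2015-03-03T23:46:10.458Z" NotOnOrAfter="2015-03-04T00:16:10.458Z">'
    "<saml2:AudienceRestriction><saml2:Audience>samlsp</saml2:Audience></saml2:AudienceRestriction>"
    "</saml2:Conditions><saml2:AttributeStatement>"
    + _site_role_attribute("Guest", ["TestSiteRole"])
    + _site_role_attribute("SamlSite", ["Site Owner", "TestSiteRole"])
    + "</saml2:AttributeStatement></saml2:Assertion></saml2p:Response>"
    " to http://www.able.com:9080/c/portal/saml/acs with binding "
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST [Sanitized]")


def extract_response_xml(log_line):
    """Cut the <saml2p:Response> element out of a 'Sending SAML message' line."""
    m = re.search(r"<saml2p:Response\b.*?</saml2p:Response>", log_line, re.S)
    if m is None:
        raise ValueError("no saml2p:Response in log line")
    return m.group(0)


def site_name_from_attribute(attr_name):
    """Decode the localized-name XML after the siteRole prefix and return the
    site's default-locale name; None for attributes that are not site roles."""
    if not attr_name.startswith(SITE_ROLE_PREFIX):
        return None
    localized = ET.fromstring(attr_name[len(SITE_ROLE_PREFIX):].encode("utf-8"))
    for name in localized.findall("Name"):
        if name.get("language-id") == localized.get("default-locale"):
            return name.text
    return localized.findtext("Name")


def site_roles(response_xml):
    """site name -> roles asserted for the user; the attribute itself does not
    distinguish inherited roles from directly assigned ones."""
    roles = {}
    root = ET.fromstring(response_xml.encode("utf-8"))
    for attr in root.findall(".//saml2:AttributeStatement/saml2:Attribute", NS):
        site = site_name_from_attribute(attr.get("Name", ""))
        if site is not None:
            roles.setdefault(site, []).extend(
                v.text for v in attr.findall("saml2:AttributeValue", NS))
    return roles


def _saml_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")


def trust_report(response_xml, now, expected_audience):
    """What an SP must verify before acting on these roles: a signature on the
    assertion, 'now' (SAML timestamp string) inside the validity window, and
    itself named as the audience."""
    root = ET.fromstring(response_xml.encode("utf-8"))
    cond = root.find(".//saml2:Assertion/saml2:Conditions", NS)
    audiences = [a.text for a in cond.findall("saml2:AudienceRestriction/saml2:Audience", NS)]
    return {
        "signed": root.find(".//saml2:Assertion/ds:Signature", NS) is not None,
        "in_validity_window": _saml_time(cond.get("NotBefore")) <= _saml_time(now)
                              < _saml_time(cond.get("NotOnOrAfter")),
        "audience_ok": expected_audience in audiences,
    }


def user_has_site_role(log_line, site, role):
    """Step 14 as a check: does the logged Response assert 'role' for 'site'?"""
    return role in site_roles(extract_response_xml(log_line)).get(site, [])
```

      Run against the full line from the log above, user_has_site_role(line, "SamlSite", "TestSiteRole") is the assertion of step 14; trust_report is the part the SP side owes before any of those roles become site membership on the SP.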
      

      People
        albert.lee Albert Lee (Inactive)
        mika.koivisto Mika Koivisto (Inactive)
        Kiyoshi Lee Kiyoshi Lee
        Votes: 0
        Watchers: 1

      Packages
        Version Package: 7.0.0 M5