- Type: Bug
- Status: Closed
- Resolution: Fixed
- Affects Version/s: 6.1.20 EE GA2
- Fix Version/s: 6.1.X EE, 6.2.0 CE B1
- Labels: None
- Environment: Liferay EE with SAML Portlet and third-party IDP server
- Branch Version/s: 6.1.x
- Backported to Branch: Committed
- Git Pull Request:
I would like to enable signed AuthnRequest messages for the SAML Portlet. I've already set the saml.sp.sign.authn.request property in portal-ext.properties to true, and the metadata at http://localhost:8080/c/portal/saml/metadata correctly shows <md:SPSSODescriptor AuthnRequestsSigned="true" ...
However, the sent AuthnRequest is still not being signed. I already debugged and found out that the outboundSAMLMessageSigningCredential in the samlMessageContext is correctly set. I think one reason for this problem is that when I click on the Sign In link, the HTTP-Redirect binding is used, which obviously does not support signatures because of the limited URL length.
Hence, I've set the IDP metadata to HTTP-POST in order to force Liferay to use the POST binding. However, I get an exception when I click on Sign In because LR wants to use HTTP-Redirect, and this is not allowed anymore due to this changed config. So, on the one hand, there seems to be no support for the HTTP-POST binding for AuthnRequest yet. But on the other hand, there is this saml.sp.sign.authn.request property, which should enable AuthnRequest signing.
Best Regards from UBL, Neu-Isenburg, Germany.
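A practical way to verify a report like this one is to decode the AuthnRequest the SP actually sends and check where a signature would have to appear: the HTTP-Redirect binding carries a detached signature in the SigAlg and Signature query parameters (the XML itself is only base64 of raw-DEFLATE), while the HTTP-POST binding carries an enveloped ds:Signature inside the XML. The following is an added example, not Liferay code; the ACS URL, sample AuthnRequest and the placeholder Signature value are constructed, and the script checks only for the presence of a signature, not its validity.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

def _classify(xml_text):
    """Return (is_authn_request, has_enveloped_ds_signature) for a decoded SAML message."""
    root = ET.fromstring(xml_text)
    is_authn = root.tag == "{%s}AuthnRequest" % SAMLP_NS
    enveloped = root.find("{%s}Signature" % DS_NS) is not None
    return is_authn, enveloped

def inspect_redirect_binding(url):
    """HTTP-Redirect: SAMLRequest = base64(raw DEFLATE(xml)); the signature, if any, is
    detached and travels in the SigAlg and Signature query parameters, not in the XML."""
    params = parse_qs(urlparse(url).query)
    xml_text = zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15).decode()
    is_authn, enveloped = _classify(xml_text)
    detached = "SigAlg" in params and "Signature" in params
    return {"binding": "HTTP-Redirect", "authn_request": is_authn,
            "signed": detached or enveloped, "detached": detached, "enveloped": enveloped}

def inspect_post_binding(saml_request_b64):
    """HTTP-POST: SAMLRequest = base64(xml); the signature, if any, is an enveloped ds:Signature."""
    is_authn, enveloped = _classify(base64.b64decode(saml_request_b64).decode())
    return {"binding": "HTTP-POST", "authn_request": is_authn,
            "signed": enveloped, "detached": False, "enveloped": enveloped}

def authn_xml(body=""):
    """Constructed minimal AuthnRequest (hypothetical ACS URL on the portal named in the report)."""
    return ('<samlp:AuthnRequest xmlns:samlp="%s" ID="_constructed" Version="2.0" '
            'IssueInstant="2013-01-01T00:00:00Z" '
            'AssertionConsumerServiceURL="http://localhost:8080/c/portal/saml/acs">'
            '%s</samlp:AuthnRequest>' % (SAMLP_NS, body))

SIG_XML = '<ds:Signature xmlns:ds="%s"><ds:SignedInfo/></ds:Signature>' % DS_NS

def build_redirect_url(signed):
    """Sample redirect URL; the Signature value is a placeholder, not a real signature."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw DEFLATE, as the binding requires
    deflated = comp.compress(authn_xml().encode()) + comp.flush()
    q = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if signed:
        q["SigAlg"] = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
        q["Signature"] = base64.b64encode(b"placeholder-not-a-real-signature").decode()
    return "https://idp.example/sso?" + urlencode(q)

def build_post_request(signed):
    """Sample POST-binding SAMLRequest value, optionally with an enveloped ds:Signature."""
    return base64.b64encode(authn_xml(SIG_XML if signed else "").encode()).decode()
```

Run it against a URL or form value captured from the browser after clicking Sign In; a redirect URL with no SigAlg/Signature parameters confirms the request left the SP unsigned regardless of what the SP metadata advertises.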