PUBLIC - Liferay Portal Community Edition
LPS-54534

Enable SAML plugin to be able to handle multiple virtual hosts

    Details

      Description

      One of our customers would like to use our SAML plugin with multiple virtual hosts. Currently it seems that the plugin is unable to do so, which is why I would like to ask for this feature to be implemented in future versions.

      Technical details:

      a) The problem:

      The SAML metadata for the SP that is generated by Liferay will only contain the AssertionConsumerService tag of the main portal virtual host:

      <md:EntityDescriptor>
      ...
      <md:SPSSODescriptor>
      ...
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://portal.domain.com/c/portal/saml/acs" index="1" isDefault="true" />
      ...
      </md:SPSSODescriptor>
      </md:EntityDescriptor>
      

      The class com.liferay.saml.metadata.MetadataGeneratorUtil.java has the responsible method, buildSpSsoDescriptor, for building the SP metadata XML. It only adds a single item to the list of ACSs, which it constructs from the portalURL.

      b) The relevant code snippet:

      public static SPSSODescriptor buildSpSsoDescriptor(
              HttpServletRequest request, String entityId,
              boolean signAuthnRequests, boolean requireSSL,
              boolean wantAssertionsSigned, Credential credential)
          throws Exception {

          SPSSODescriptor spSsoDescriptor = OpenSamlUtil.buildSpSsoDescriptor();
      ...
          List<AssertionConsumerService> assertionConsumerServices =
              spSsoDescriptor.getAssertionConsumerServices();

          // Only the host of the current request (the main portal host) is used
          String portalURL = PortalUtil.getPortalURL(request, requireSSL);
          String pathMain = PortalUtil.getPathMain();

          // A single ACS entry, index 1, marked as the default
          AssertionConsumerService assertionConsumerService =
              OpenSamlUtil.buildAssertionConsumerService(
                  SAMLConstants.SAML2_POST_BINDING_URI, 1, true,
                  portalURL.concat(pathMain).concat("/portal/saml/acs"));

          assertionConsumerServices.add(assertionConsumerService);
      

      c) Fix proposed by the Customer:

      The method should enumerate all the sites which have a virtual-hosted domain set up in their configuration and expose them as separate ACS items in the SAML XML, each with a different index and isDefault attribute:

      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://portal.domain.com/c/portal/saml/acs" index="1" isDefault="true" />
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://site1.domain.com/c/portal/saml/acs" index="2" isDefault="false" />
      ...
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://siteN.domain.com/c/portal/saml/acs" index="N" isDefault="false" />
      
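The following is an added example, not part of the issue or of Liferay's code, showing what the proposed metadata shape looks like end to end: one HTTP-POST AssertionConsumerService per virtual host, consecutive index values, exactly one isDefault="true", and every Location mirroring portalURL + pathMain + "/portal/saml/acs". It also includes the two checks a practitioner would want around such a change: a metadata sanity check (unique indexes, a single default, https-only locations when requireSSL is on) and an exact-match test of a SAML Response Destination against the registered ACS set, since the ACS list in the metadata is the only set of URLs an IdP should ever post an assertion to. The host names, the "/c" pathMain and the entityID are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample input (hypothetical names): the main portal host first,
# followed by the virtual hosts configured on individual sites.
VIRTUAL_HOSTS = [
    "portal.domain.com",
    "site1.domain.com",
    "site2.domain.com",
]


def acs_location(host: str, path_main: str = "/c", require_ssl: bool = True) -> str:
    """Mirror portalURL + pathMain + "/portal/saml/acs" for a single host.

    pathMain defaults to "/c", which is an assumption matching the URLs in the issue.
    """
    scheme = "https" if require_ssl else "http"
    return f"{scheme}://{host}{path_main}/portal/saml/acs"


def build_sp_metadata(entity_id: str, hosts, require_ssl: bool = True) -> str:
    """Return SP metadata XML with one HTTP-POST ACS entry per host.

    The first host becomes index=1 / isDefault=true, the remaining hosts get
    consecutive indexes with isDefault=false, as the proposed fix describes.
    """
    ET.register_namespace("md", MD_NS)
    entity = ET.Element(f"{{{MD_NS}}}EntityDescriptor", {"entityID": entity_id})
    sp = ET.SubElement(
        entity,
        f"{{{MD_NS}}}SPSSODescriptor",
        {"protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol"},
    )
    for index, host in enumerate(hosts, start=1):
        ET.SubElement(
            sp,
            f"{{{MD_NS}}}AssertionConsumerService",
            {
                "Binding": POST_BINDING,
                "Location": acs_location(host, require_ssl=require_ssl),
                "index": str(index),
                "isDefault": "true" if index == 1 else "false",
            },
        )
    return ET.tostring(entity, encoding="unicode")


def registered_acs(metadata_xml: str) -> dict:
    """Parse SP metadata and return {Location: (index, is_default)} for POST ACSs."""
    root = ET.fromstring(metadata_xml)
    result = {}
    for acs in root.iter(f"{{{MD_NS}}}AssertionConsumerService"):
        if acs.get("Binding") != POST_BINDING:
            continue
        result[acs.get("Location")] = (int(acs.get("index")), acs.get("isDefault") == "true")
    return result


def check_metadata(metadata_xml: str) -> list:
    """Return a list of problems; an empty list means the ACS set is consistent."""
    problems = []
    acss = registered_acs(metadata_xml)
    indexes = [index for index, _ in acss.values()]
    if len(indexes) != len(set(indexes)):
        problems.append("duplicate ACS index")
    if sum(1 for _, is_default in acss.values() if is_default) != 1:
        problems.append("expected exactly one isDefault=true ACS")
    for location in acss:
        if urlsplit(location).scheme != "https":
            problems.append(f"non-https ACS location: {location}")
    return problems


def is_registered_destination(metadata_xml: str, destination: str) -> bool:
    """Exact-match a Response Destination against the registered ACS locations.

    Exact comparison (not prefix or suffix matching) is what keeps a look-alike
    host such as site1.domain.com.evil.example from being accepted.
    """
    return destination in registered_acs(metadata_xml)


if __name__ == "__main__":
    metadata = build_sp_metadata("https://portal.domain.com", VIRTUAL_HOSTS)
    print(metadata)
    print("problems:", check_metadata(metadata))
```

Running the block prints the generated EntityDescriptor with three AssertionConsumerService elements and an empty problem list. Feeding `require_ssl=False` to `build_sp_metadata` produces one problem per host, which is the check you want in place before publishing the metadata to an IdP.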


              People

              Assignee:
              laura.li Laura Li
              Reporter:
              tamas.zoboki Tamas Zoboki (Inactive)
              Votes:
              5
              Watchers:
              7
