Affects Version/s: 7.0.0 M7
Component/s: Application Security
The SAML portlet is written mainly to handle SAML responses whose status code is urn:oasis:names:tc:SAML:2.0:status:Success.
Normally, the Identity Provider returns a SAML response to the Service Provider only when the user has successfully logged in.
But some Identity Providers may allow a user to 'cancel' their login and expect the Service Provider to handle that case.
When a user chooses to 'cancel' their login, the Identity Provider passes a SAML response with the status code urn:oasis:names:tc:SAML:2.0:status:Responder.
Currently, the SAML portlet returns the error message "Status Unable to process SAML request" when such a response is passed to the Service Provider.
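The following is an added illustration of the status handling described above; it is not Liferay's portlet code (which is Java) and does not represent how the fix was implemented. It parses the <samlp:Status> of a SAML 2.0 Response before any assertion is looked at and classifies it: Success hands off to assertion validation, Responder (the 'cancel' case) redirects the user back to a caller-supplied return URL (in a real SP this would come from a validated RelayState), and every other status is reported as an error. In all non-Success cases any Assertion in the message is ignored, so a declined or cancelled login can never be mistaken for an authenticated one. The three sample responses are constructed for the example; the function names and the fallback_url parameter are assumptions of this example only.

```python
"""Classify the <samlp:Status> of a SAML 2.0 Response before processing assertions.

Added example (not Liferay code). Signature verification of the Response and of
any Assertion is out of scope here and must happen before a Success result is trusted.
"""
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Top-level status codes defined by SAML 2.0 Core, section 3.2.2.2
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_VERSION_MISMATCH = "urn:oasis:names:tc:SAML:2.0:status:VersionMismatch"


def get_status(response_xml: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (top-level StatusCode, nested StatusCode or None, StatusMessage or None)."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("document is not a samlp:Response")
    status = root.find(f"{{{SAMLP}}}Status")
    if status is None:
        raise ValueError("samlp:Response has no Status element")
    top = status.find(f"{{{SAMLP}}}StatusCode")
    if top is None or top.get("Value") is None:
        raise ValueError("samlp:Status has no StatusCode/@Value")
    # A second-level StatusCode may refine the top-level one (e.g. AuthnFailed).
    sub = top.find(f"{{{SAMLP}}}StatusCode")
    sub_value = sub.get("Value") if sub is not None else None
    msg = status.find(f"{{{SAMLP}}}StatusMessage")
    message = msg.text.strip() if msg is not None and msg.text else None
    return top.get("Value"), sub_value, message


def decide(response_xml: str, fallback_url: str = "/") -> Tuple[str, str]:
    """Map the Response status to an SP action: ('process_assertion' | 'redirect' | 'error', detail)."""
    top, sub, message = get_status(response_xml)
    if top == STATUS_SUCCESS:
        # Only now may the SP go on to validate signatures, Conditions and the Subject.
        return ("process_assertion", "status Success")
    if top == STATUS_RESPONDER:
        # The IdP declined to complete the login (user cancelled, or an IdP-side
        # problem). Nobody is logged in; send the user back instead of an error page.
        detail = sub or message or "IdP did not complete the login"
        return ("redirect", fallback_url if fallback_url else "/")
    # Requester, VersionMismatch or anything unknown: refuse and say why, without
    # ever touching an Assertion that may be present in the message.
    detail = f"status {top}" + (f" ({sub})" if sub else "") + (f": {message}" if message else "")
    return ("error", f"Unable to process SAML response, {detail}")


def _response(status_code: str, sub_code: Optional[str] = None, message: Optional[str] = None) -> str:
    """Build a minimal, constructed samlp:Response for the example (unsigned)."""
    sub = f'<samlp:StatusCode Value="{sub_code}"/>' if sub_code else ""
    msg = f"<samlp:StatusMessage>{message}</samlp:StatusMessage>" if message else ""
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_constructed" Version="2.0" '
        'IssueInstant="2016-01-01T00:00:00Z" Destination="https://sp.example/c/portal/saml/acs">'
        "<saml:Issuer>https://idp.example</saml:Issuer>"
        f"<samlp:Status><samlp:StatusCode Value=\"{status_code}\">{sub}</samlp:StatusCode>{msg}</samlp:Status>"
        "</samlp:Response>"
    )


# Constructed sample messages: a normal login, a user-cancelled login, and an IdP
# complaining about the SP's request.
RESPONSE_SUCCESS = _response(STATUS_SUCCESS)
RESPONSE_CANCELLED = _response(STATUS_RESPONDER, message="User cancelled authentication")
RESPONSE_BAD_REQUEST = _response(STATUS_REQUESTER, "urn:oasis:names:tc:SAML:2.0:status:RequestDenied")

if __name__ == "__main__":
    for name, xml in (("success", RESPONSE_SUCCESS), ("cancelled", RESPONSE_CANCELLED),
                      ("bad request", RESPONSE_BAD_REQUEST)):
        print(name, "->", decide(xml, fallback_url="https://sp.example/web/guest/home"))
```

The point of separating get_status from decide is that the status check is the first gate: the Responder branch redirects without an error message and without any session being created, which is the behaviour the Expected Result below asks for, while unknown statuses still surface as errors.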
Steps to Reproduce
- Set up Liferay as both IDP and SP using the steps listed here: https://support-kb.liferay.com/web/knowledge/knowledge-base/-/knowledge_base/article/48803
- Deploy the affected SAML portlet to the IDP to emulate a 'cancel' action from the IDP during login. (See linked LPP Ticket)
- Restart both the IDP and SP bundles
- Try to log in with IDP-initiated SSO
Actual Result: The SAML portlet returns the error message "Status Unable to process SAML request".
Expected Result: The SAML portlet redirects the user back to the initial page that linked the user to the SSO page.