-
Type:
Bug
-
Status: Closed
-
Resolution: Fixed
-
Affects Version/s: 6.2.X EE, 7.0.X, Master
-
Component/s: Application Security > SAML
-
Labels:
-
Branch Version/s:7.0.x, 6.2.x
-
Backported to Branch:Committed
-
Story Points:1.5
-
Fix Priority:3
-
Git Pull Request:
Steps to reproduce/Testing done
- Set up 2 Liferay instances, one designated as the IDP and the other as the SP
- Start both Liferay instances
- Deploy the SAML plugin in both instances
- On the IDP, set up a proxy server to access Liferay under the /portal path and add the following to your portal-ext:
portal.proxy.path=/portal
- Restart the IDP
- Set up both IDP and SP for SAML, pointing to the IDP's proxy as expected
- Attempt to log in via SAML from the SP
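- Receive the following error on the IDP while it processes the AuthnRequest. The exception comes from OpenSAML's destination check (checkEndpointURI in the trace below), which compares the Destination in the SAML message with the endpoint URL the receiver computes for itself; presumably the IDP builds that URL without the /portal proxy path, so the two no longer match. The check itself is a security control against messages delivered to an unintended recipient, so the mismatch is in how the recipient URL is derived, not in the check: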
17:05:12,628 ERROR [http-bio-8081-exec-10][BaseSamlStrutsAction:45] com.liferay.saml.SamlException: org.opensaml.xml.security.SecurityException: SAML message intended destination endpoint did not match recipient endpoint com.liferay.saml.SamlException: org.opensaml.xml.security.SecurityException: SAML message intended destination endpoint did not match recipient endpoint at com.liferay.saml.profile.WebSsoProfileImpl.processAuthnRequest(WebSsoProfileImpl.java:146) at com.liferay.saml.profile.WebSsoProfileUtil.processAuthnRequest(WebSsoProfileUtil.java:43) at com.liferay.saml.hook.action.WebSsoAction.doExecute(WebSsoAction.java:38) at com.liferay.saml.hook.action.BaseSamlStrutsAction.execute(BaseSamlStrutsAction.java:42) at com.liferay.portal.kernel.struts.BaseStrutsAction.execute(BaseStrutsAction.java:39) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at com.liferay.portal.kernel.bean.ClassLoaderBeanHandler.invoke(ClassLoaderBeanHandler.java:67) at com.sun.proxy.$Proxy535.execute(Unknown Source) at com.liferay.portal.struts.ActionAdapter.execute(ActionAdapter.java:50) at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431) at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236) at com.liferay.portal.struts.PortalRequestProcessor.process(PortalRequestProcessor.java:168) at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196) at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:432) at javax.servlet.http.HttpServlet.service(HttpServlet.java:647) at com.liferay.portal.servlet.MainServlet.callParentService(MainServlet.java:557) at com.liferay.portal.servlet.MainServlet.service(MainServlet.java:534) at 
javax.servlet.http.HttpServlet.service(HttpServlet.java:728) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116) at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:169) at com.liferay.portal.servlet.filters.uploadservletrequest.UploadServletRequestFilter.processFilter(UploadServletRequestFilter.java:93) at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:59) at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:204) at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:109) at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:169) at com.liferay.portal.servlet.filters.strip.StripFilter.processFilter(StripFilter.java:361) at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:59) at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:204) at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:109) at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:169) at com.liferay.portal.servlet.filters.gzip.GZipFilter.processFilter(GZipFilter.java:123) at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:59) at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:204) at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:109) at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:169) at 
com.liferay.portal.servlet.filters.secure.SecureFilter.processFilter(SecureFilter.java:308) at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:59) at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:204) at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:109) at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:169) at com.liferay.portal.servlet.filters.jsoncontenttype.JSONContentTypeFilter.processFilter(JSONContentTypeFilter.java:42) at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:59) at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:204) at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:109) at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:169) at com.liferay.portal.servlet.filters.sso.ntlm.NtlmPostFilter.processFilter(NtlmPostFilter.java:83) at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:59) at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:204) at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:109) at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:169) at com.liferay.portal.sharepoint.SharepointFilter.processFilter(SharepointFilter.java:88) at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:59) at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:204) at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:109) at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:169) at 
com.liferay.portal.servlet.filters.virtualhost.VirtualHostFilter.processFilter(VirtualHostFilter.java:226) at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:59) at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:204) at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:109) at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:185) at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96) at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:738) at com.liferay.portal.servlet.filters.urlrewrite.UrlRewriteFilter.processFilter(UrlRewriteFilter.java:57) at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:59) at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:204) at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:109) at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:165) at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96) at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:165) at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96) at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:185) at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96) at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilter.doFilter(InvokerFilter.java:119) at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408) at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1023) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Caused by: org.opensaml.xml.security.SecurityException: SAML message intended destination endpoint did not match recipient endpoint at org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder.checkEndpointURI(BaseSAMLMessageDecoder.java:217) at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:72) at com.liferay.saml.profile.BaseProfile.decodeSamlMessage(BaseProfile.java:88) at com.liferay.saml.profile.WebSsoProfileImpl.decodeAuthnRequest(WebSsoProfileImpl.java:346) at com.liferay.saml.profile.WebSsoProfileImpl.doProcessAuthnRequest(WebSsoProfileImpl.java:383) at 
com.liferay.saml.profile.WebSsoProfileImpl.processAuthnRequest(WebSsoProfileImpl.java:136) ... 93 more