PUBLIC - Liferay Portal Community Edition
LPS-73089

It is possible to lock out all users with an incomplete SAML configuration

    Details

      Description

      Using the SAML admin portlet...

      1. On the "General" tab select the "Service Provider" role and enter the Entity ID as "provider1". Press Save.
      2. The certificate form is now visible; enter any details into the mandatory fields. Press Save.
      3. Switch to the "Identity Provider Connection" tab and enter any valid details. Press Save.
      4. Switch back to the "General" tab and tick the Enabled checkbox. Press Save.
      5. Assert that SSO login is now possible (with a different browser, for example).
      6. Change the Entity ID to "provider2" whilst leaving the Enabled checkbox ticked.

       Expected: SSO login is still working, or disabled.

       Actual: SSO login fails. The HTTP response is a blank page and the logs show an NPE.

      This fails because the Enabled state is carried across, whereas no valid certificate can be retrieved from the KeyStore with an alias equal to "provider2".
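      The check the reporter's last sentence implies, as an added example that is not Liferay's code: before carrying the Enabled flag over to a new Entity ID, verify that the keystore actually holds a usable key entry under that alias, and disable SSO with a logged reason instead of letting a null certificate reach the login path. It uses only the JDK java.security.KeyStore API; the class and method names (SamlConfigCheck, effectiveEnabled, Outcome), the keystore password "changeit" and the assumption that the keystore alias equals the Entity ID are this example's own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Date;

/**
 * Added example (not Liferay's code): decide whether a SAML SP configuration may stay
 * enabled after its Entity ID changes. Mirrors the failure in LPS-73089: the keystore
 * alias is assumed to equal the Entity ID, so a renamed Entity ID with no matching key
 * entry must disable SSO (or refuse the save) instead of carrying "enabled" forward.
 */
public final class SamlConfigCheck {

    /** Result of validating a pending configuration change. */
    public static final class Outcome {
        public final boolean enabled;
        public final String reason;
        Outcome(boolean enabled, String reason) { this.enabled = enabled; this.reason = reason; }
        @Override public String toString() { return (enabled ? "ENABLED: " : "DISABLED: ") + reason; }
    }

    /**
     * Returns the effective Enabled flag for newEntityId. The flag is only carried over
     * when the keystore holds a private-key entry whose alias equals the Entity ID and
     * whose certificate is valid now.
     */
    public static Outcome effectiveEnabled(KeyStore keyStore, String newEntityId, boolean requestedEnabled) {
        if (!requestedEnabled) {
            return new Outcome(false, "SSO not requested");
        }
        if (newEntityId == null || newEntityId.isEmpty()) {
            return new Outcome(false, "Entity ID is empty");
        }
        try {
            if (!keyStore.isKeyEntry(newEntityId)) {
                return new Outcome(false, "no private key entry with alias '" + newEntityId + "'");
            }
            // getCertificate() returns null for a missing alias; that null is what the
            // reported NPE dereferenced, so it is checked here instead of being trusted.
            Certificate cert = keyStore.getCertificate(newEntityId);
            if (!(cert instanceof X509Certificate)) {
                return new Outcome(false, "alias '" + newEntityId + "' has no X.509 certificate");
            }
            ((X509Certificate) cert).checkValidity(new Date());
            return new Outcome(true, "key entry '" + newEntityId + "' present and certificate valid");
        } catch (KeyStoreException e) {
            return new Outcome(false, "keystore not initialised: " + e.getMessage());
        } catch (CertificateException e) {
            return new Outcome(false, "certificate for '" + newEntityId + "' not valid now: " + e.getMessage());
        }
    }

    /** Loads a PKCS12 keystore from path; a null path initialises an empty keystore. */
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = path == null ? null : new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // args: [keystorePath] [password]. With no args an empty in-memory keystore is used,
        // which reproduces the "provider2" case: Enabled requested, no matching alias.
        String path = args.length > 0 ? args[0] : null;
        char[] pw = args.length > 1 ? args[1].toCharArray() : "changeit".toCharArray();
        KeyStore ks = load(path, pw);

        System.out.println("provider1 -> " + effectiveEnabled(ks, "provider1", true));
        System.out.println("provider2 -> " + effectiveEnabled(ks, "provider2", true));
    }
}
```

      To see the carry-over succeed for "provider1" and fail for "provider2", create a keystore holding only the first alias with keytool (keytool -genkeypair -keystore saml.p12 -storetype PKCS12 -alias provider1 -keyalg RSA -dname "CN=provider1" -storepass changeit) and run the class with saml.p12 and changeit as arguments; with no arguments both lookups are reported as disabled, never as an exception.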


                Packages

                Version Package: 7.0.X EE