[LPS-73089] It is possible to lock out all user with an incomplete SAML configuration - Liferay Issues

XML

Word

Printable

Details

Type: Bug
Status: Closed
Resolution: Fixed
Affects Version/s: 6.2.X EE, 7.0.X EE
Fix Version/s: 7.0.X EE
Component/s: Application Security > SAML
Labels:
- liferay-saml-2.0-provider-3.1.0

Story Points:
1.5
Fix Priority:
3
Git Pull Request:
https://github.com/brianchandotcom/liferay-portal-ee/pull/17523

Description

Using the SAML admin portlet...

On the "General" tab select "Service Provider" role and enter Entity ID as "provider1". Press save
The certificate form is now visible, enter any details into the mandatory fields. Press save.
Switch to the "Identity Provider Connection" tab and enter any valid details. Press save
Switch back to the "General" tab and tick the Enabled checkbox. Press save
Assert that SSO login is now possible (with a different browser for example)
Change the Entity ID to "provider2" whilst leaving the Enabled checkbox ticked

Expected: SSO login is still working, or disabled

Actual: SSO login fails. HTTP response is blank page, logs shows NPE

The reason why this fails is because the state of Enabled is carried across whereas no valid certificate can be retrieved from the KeyStore with alias equal to "provider2"

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

fixed.png
35 kB
17/Jul/17 3:45 AM

Activity

People

Assignee:: Summer Zhang

Reporter:: id30721

Participants of an Issue:: id30721, Stian Sigvartsen, Summer Zhang

Recent user:: Tibor Lipusz

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 14/Jun/17 6:50 AM

Updated:: 14/Dec/17 12:44 AM

Resolved:: 26/Jun/17 12:01 AM

Days since last comment:: 5 years, 5 weeks ago

Packages

Version	Package
7.0.X EE