  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-79640

SAML-plugin: invalid metadata when entityID contains URL characters

    Details

      Description

      Using the SAML plugin, if you use URL characters in the entityID like : or /, the resultant generated metadata (on /c/portal/saml/metadata) will become XSD-invalid.
      This is due to the fact that the SAML plugin reuses the EntityID directly as ID-attribute for the element SPSSODescriptor.
      In MetadataGeneratorUtil.java:177:

      		spSsoDescriptor.setID(entityId);
      

      Steps to reproduce:

      • Use Liferay DXP FP44 or any older version, or Liferay Portal 6.2 EE
      • Download and install the SAML plugin from the marketplace
        • Reproduced with Liferay Connector to SAML 2.0 3.1.0, 2.1.2, 1.0.3
      • Go to SAML Admin control panel portlet
      • Configure as an SP
      • Use as the EntityID https://my-valid-entity-id
      • Configure an IDP (dummy or whatever)
      • Save
      • Tick 'Enable SAML' on first tab
      • Download metadata from /c/portal/saml/metadata
      • Run the XML through https://www.samltool.com/validate_xml.php with XSD type: Metadata
      • Expected: Validation passing
      • Observed: Validation failed

      Review the generated SPSSODescriptor element, especially the ID attribute. This is identical to the EntityID. According to the XSD, this ID attribute is of type xsd:ID, therefore allowing no special chars.
      As this ID attribute in the metadata is optional, Liferay could just as well leave it out?
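
The check described above can be run locally against downloaded metadata. The following is an added example, not code from the SAML plugin or from this issue: it flags every ID attribute that is not a valid xsd:ID, and shows one hypothetical way to derive a valid ID from an entityID if the attribute is kept. The function names, the sample document and the SHA-256 derivation are assumptions made for illustration.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

# Conservative ASCII subset of the NCName production that xsd:ID requires:
# starts with a letter or "_", then letters, digits, ".", "-" or "_".
# ":" and "/" are never allowed. (Real NCName also admits non-ASCII letters.)
NCNAME_ASCII = re.compile(r"[A-Za-z_][A-Za-z0-9._-]*\Z")

# Constructed sample shaped like the metadata described in this issue.
SAMPLE = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://my-valid-entity-id">
  <md:SPSSODescriptor ID="https://my-valid-entity-id"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""


def is_ncname(value):
    return NCNAME_ASCII.match(value) is not None


def invalid_ids(metadata_xml):
    """Return (element name, ID value) for each ID attribute that is not an NCName."""
    bad = []
    for element in ET.fromstring(metadata_xml).iter():
        value = element.get("ID")
        if value is not None and not is_ncname(value):
            bad.append((element.tag.rsplit("}", 1)[-1], value))
    return bad


def id_from_entity_id(entity_id):
    """Hypothetical derivation: "_" + hex SHA-256 of the entityID.
    The leading "_" matters because a hex digest may start with a digit."""
    return "_" + hashlib.sha256(entity_id.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    for name, value in invalid_ids(SAMPLE):
        print(f"{name}: ID={value!r} is not a valid xsd:ID")
    print("replacement:", id_from_entity_id("https://my-valid-entity-id"))
```
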


                  Packages

                  Version Package
                  7.1.X
                  7.2.X
                  Master