Affects Version/s: 6.1.X EE, 6.2.X EE, 7.0.X, Master
Component/s: Application Security > SAML
Using the SAML plugin, if the entityID contains URL characters such as : or /, the generated metadata (served at /c/portal/saml/metadata) is XSD-invalid.
This is because the SAML plugin reuses the EntityID directly as the ID attribute of the SPSSODescriptor element.
Steps to reproduce:
- Use Liferay DXP FP44 or any older version, or Liferay Portal 6.2 EE
- Download and install the SAML plugin from the marketplace
- Reproduced with Liferay Connector to SAML 2.0 3.1.0, 2.1.2, 1.0.3
- Go to SAML Admin control panel portlet
- Configure as an SP
- Use as the EntityID https://my-valid-entity-id
- Configure an IDP (dummy or whatever)
- Tick 'Enable SAML' on first tab
- Download metadata from /c/portal/saml/metadata
- Run the XML through https://www.samltool.com/validate_xml.php with XSD type: Metadata
- Expected: Validation passing
- Observed: Validation failed
Review the generated SPSSODescriptor element, especially its ID attribute: it is identical to the EntityID. According to the XSD, the ID attribute is of type xsd:ID, which permits no special characters such as : or /.
As this ID attribute in the metadata is optional, Liferay could just as well leave it out?
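The following is an added example, not code from the report or from Liferay's plugin, showing how a metadata consumer or a fix can detect the problem: it scans a constructed SPSSODescriptor for ID attributes that are not valid xsd:ID values (NCNames) and either drops the attribute, as the report suggests, or replaces it with a derived NCName-safe value. The hashed-ID scheme and the sample XML are assumptions for illustration.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD_NS)

# xsd:ID is derived from xsd:NCName: a letter or underscore, then name
# characters, with no colon anywhere. ASCII subset only (assumption for brevity).
NCNAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.\-]*$")

# Constructed metadata mirroring the report: the ID attribute copies the entityID.
SAMPLE_METADATA = (
    '<md:EntityDescriptor xmlns:md="%s" entityID="https://my-valid-entity-id">'
    '<md:SPSSODescriptor ID="https://my-valid-entity-id" '
    'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>'
    '</md:EntityDescriptor>' % MD_NS
)


def is_valid_xsd_id(value):
    """True if value is an acceptable xsd:ID (ASCII NCName check)."""
    return bool(NCNAME_RE.match(value))


def derive_xsd_id(entity_id):
    """Assumed mitigation: a stable NCName derived from the entityID."""
    return "_" + hashlib.sha256(entity_id.encode("utf-8")).hexdigest()


def check_metadata_ids(xml_text):
    """Return (local element name, ID) for every invalid ID attribute."""
    root = ET.fromstring(xml_text)
    return [(el.tag.split("}")[-1], el.get("ID"))
            for el in root.iter()
            if el.get("ID") is not None and not is_valid_xsd_id(el.get("ID"))]


def fix_metadata_ids(xml_text, drop=False):
    """Drop invalid ID attributes (optional per the schema) or replace them."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        id_value = el.get("ID")
        if id_value is None or is_valid_xsd_id(id_value):
            continue
        if drop:
            del el.attrib["ID"]
        else:
            el.set("ID", derive_xsd_id(id_value))
    return ET.tostring(root, encoding="unicode")
```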