SAML / User 0 is not allowed to access URL and Login Porlet

Parth Ghiya, modified 7 Years ago. Junior Member, Posts: 35, Join Date: 7/2/13

Greetings All,

We have Liferay setup as IDP and have configured another system as SP. The Login scenarios work perfectly.

What Works

  1. I hit the Service Provider's page and I am able to see the IDP login page (Liferay's login page).

  2. When I log in to the IDP and visit the SP, I don't need to log in again to the Service Provider.

Now the problem occurs in the logout part. Let's say I log in to the IDP and visit the SP's page; when I log out from the IDP, an error appears at the backend:

2018-09-26 14:44:32.672 DEBUG [default task-73][BaseMessageDecoder:130] Evaluating security policy of type 'org.opensaml.ws.security.provider.BasicSecurityPolicy' for decoded message
2018-09-26 14:44:32.672 DEBUG [default task-73][BaseSAMLSimpleSignatureSecurityPolicyRule:64] Evaluating simple signature rule of type: org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule
2018-09-26 14:44:32.672 DEBUG [default task-73][BaseSAMLSimpleSignatureSecurityPolicyRule:87] HTTP request was not signed via simple signature mechanism, skipping
2018-09-26 14:44:32.673 ERROR [default task-73][MandatoryAuthenticatedMessageRule:37] Inbound message issuer was not authenticated.
2018-09-26 14:44:32.673 ERROR [default task-73][BaseSamlStrutsAction:54] com.liferay.saml.runtime.SamlException: org.opensaml.ws.security.SecurityPolicyException: Inbound message issuer was not authenticated.
com.liferay.saml.runtime.SamlException: org.opensaml.ws.security.SecurityPolicyException: Inbound message issuer was not authenticated.

However, I am able to log out from the IDP. But I am not able to log in again to the IDP; whenever I try to do so I always get the error

 User 0 is not allowed to access URL https://<whaterver-url>/web/guest/employee-login and portlet com_liferay_login_web_portlet_LoginPortlet

Until I clear the cookies, I am not able to log in again.

I figured out the issue is in one cookie: once I visit the SP's page I have two JSESSIONIDs, one with domain my.production.url.com and another with .my.production.url.com. When I delete .my.production.url.com manually and try logging in again, I am able to log in on the second attempt.

Can anyone help me out?

David H Nebinger, modified 7 Years ago. Liferay Legend, Posts: 14933, Join Date: 9/2/06

What version, Parth?  I know someone on my team was having issues w/ SAML under 7.1; we convinced them to stand everything up under 7.0 to see if it was a version thing, and that's how it turned out.  I believe they opened support tickets and then stayed with 7.1.

Parth Ghiya, modified 7 Years ago. Junior Member, Posts: 35, Join Date: 7/2/13

Hi David,
It's Liferay 7 GA 4 with service pack 52!

David H Nebinger, modified 7 Years ago. Liferay Legend, Posts: 14933, Join Date: 9/2/06

And the latest SAML marketplace plugin too, I assume?

Parth Ghiya, modified 7 Years ago. Junior Member, Posts: 35, Join Date: 7/2/13

Yes David, the one compatible with Liferay 7.

Minhchau Dang, modified 7 Years ago. Liferay Master, Posts: 598, Join Date: 10/22/07

Parth Ghiya:

    I figured out the issue is in one cookie: once I visit the SP's page I have two JSESSIONIDs, one with domain my.production.url.com and another with .my.production.url.com. When I delete .my.production.url.com manually and try logging in again, I am able to log in on the second attempt.

Have you tried setting session.cookie.use.full.hostname=true in portal-ext.properties?
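A way to check the cookie scoping Parth describes above (a host-only JSESSIONID for my.production.url.com next to a domain-scoped one for .my.production.url.com), added here as an example that is not code from this thread or from Liferay: it applies RFC 6265 domain matching to a set of constructed Set-Cookie headers and reports when a browser would attach more than one session cookie to a request to a given host, which is the situation that leaves the portal bound to a stale session after logout. The hostnames, cookie values and header lines are constructed for the example; the only page-specific name used is the JSESSIONID cookie.

```python
"""Detect a session cookie stored under two overlapping Domain scopes.

Added example, not code from the thread or from Liferay. The Set-Cookie
headers below are constructed to mirror the symptom in the post: one
host-only JSESSIONID (no Domain attribute) and one scoped to the parent
domain. Both match a request to my.production.url.com, so the browser
sends two JSESSIONID values and the container may pick the stale one.
"""
from http.cookies import SimpleCookie

# Constructed sample: what an IdP + SP round-trip could leave in the jar.
RESPONSE_HOST = "my.production.url.com"
SAMPLE_SET_COOKIE_HEADERS = [
    "JSESSIONID=A1B2C3; Path=/; HttpOnly",                                # host-only
    "JSESSIONID=D4E5F6; Path=/; Domain=.my.production.url.com; HttpOnly",  # parent domain
    "COOKIE_SUPPORT=true; Path=/; Domain=.my.production.url.com",
]


def parse_set_cookie(header, response_host):
    """Return (name, value, domain, host_only) for one Set-Cookie header value.

    A cookie without a Domain attribute is host-only and belongs to the host
    that set it (RFC 6265 section 5.3); a leading dot on Domain is ignored.
    """
    jar = SimpleCookie()
    jar.load(header)
    name, morsel = next(iter(jar.items()))  # one Set-Cookie value -> one morsel
    domain = morsel["domain"].lstrip(".").lower()
    if domain:
        return name, morsel.value, domain, False
    return name, morsel.value, response_host.lower(), True


def domain_matches(cookie_domain, host_only, request_host):
    """RFC 6265 section 5.1.3 matching, as a browser applies it when
    choosing which stored cookies to send to request_host."""
    request_host = request_host.lower()
    if host_only:
        return request_host == cookie_domain
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def cookies_sent_to(headers, response_host, request_host):
    """Cookies (name, value, domain, host_only) that would accompany a
    request to request_host, given the Set-Cookie headers response_host sent."""
    sent = []
    for header in headers:
        name, value, domain, host_only = parse_set_cookie(header, response_host)
        if domain_matches(domain, host_only, request_host):
            sent.append((name, value, domain, host_only))
    return sent


def duplicate_session_cookies(headers, response_host, request_host,
                              session_cookie="JSESSIONID"):
    """Scopes (domain, host_only) under which the session cookie would be sent
    more than once. Empty means the browser sends a single session id, which
    is what you want to see after the cookie-domain configuration is fixed."""
    scopes = [(domain, host_only)
              for name, _, domain, host_only
              in cookies_sent_to(headers, response_host, request_host)
              if name == session_cookie]
    return scopes if len(scopes) > 1 else []


if __name__ == "__main__":
    for host in ("my.production.url.com", "sp.my.production.url.com"):
        dup = duplicate_session_cookies(SAMPLE_SET_COOKIE_HEADERS, RESPONSE_HOST, host)
        print(host, "->", "DUPLICATE JSESSIONID scopes: %s" % dup if dup else "single session cookie")
```

Run it against the real Set-Cookie headers copied from the browser's developer tools for both the IdP and the SP before and after changing the cookie-domain setting: the change has taken effect when the function returns an empty list for the portal host. The second host in the sample shows the asymmetry behind the symptom: a subdomain receives only the parent-domain cookie, while the host that set both receives both.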

Parth Ghiya, modified 7 Years ago. Junior Member, Posts: 35, Join Date: 7/2/13

I did try setting that, but couldn't observe the same change!

Minhchau Dang, modified 7 Years ago. Liferay Master, Posts: 598, Join Date: 10/22/07

Parth Ghiya:

    I did try setting that, but couldn't observe the same change!

Are you saying that, after setting that property on both servers, you still see two cookies with different domain names?