Liferay SAML SP Requirements

Just a quick post today...

Helped a client who was getting the following message in the logs after configuring the Liferay SAML SP against an ADFS IdP:

Caused by: org.opensaml.ws.security.SecurityPolicyException: Inbound message issuer was not authenticated.
        at org.opensaml.ws.security.provider.MandatoryAuthenticatedMessageRule.evaluate(MandatoryAuthenticatedMessageRule.java:38)
        at org.opensaml.ws.security.provider.BasicSecurityPolicy.evaluate(BasicSecurityPolicy.java:51)
        ...

Kind of a cryptic message: it doesn't say what the real problem is or how to fix it.

Long story short, Liferay's SAML SP module requires that both the SAML assertion and the SAML response message that carries it are signed.

ADFS defaults to signing only the assertion, not the response message. So when Liferay's SAML SP receives a response whose message is unsigned, it cannot authenticate the issuer of that message, and you get the cryptic error above.
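To see which of the two signatures a response actually carries before digging through Liferay's logs, here is an added diagnostic (example code, not part of the original post or of Liferay): it parses a SAML Response and reports whether the message and the assertion each have an enveloped XML Signature. The sample responses, the ADFS issuer URL and the placeholder signature values are constructed for the example; presence is checked, not signature validity.

```python
# Added example: report which parts of a SAML Response are signed.
# Liferay's SAML SP needs both; ADFS by default signs only the assertion.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def signature_status(response_xml: str) -> dict:
    """Return which parts of a samlp:Response carry a ds:Signature element.

    Only presence is checked, not validity, so this is a diagnostic for the
    'Inbound message issuer was not authenticated' error, not a verifier.
    """
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    # Message signature: ds:Signature that is a direct child of the Response.
    message_signed = root.find("ds:Signature", NS) is not None
    # Assertion signature: ds:Signature directly under every saml:Assertion.
    # (An EncryptedAssertion is not inspected here and counts as unsigned.)
    assertions = root.findall("saml:Assertion", NS)
    assertion_signed = bool(assertions) and all(
        a.find("ds:Signature", NS) is not None for a in assertions
    )
    return {
        "message_signed": message_signed,
        "assertion_signed": assertion_signed,
        "liferay_ok": message_signed and assertion_signed,
    }

# Constructed sample matching the ADFS default: only the assertion is signed.
# Signature bodies are placeholders; real ones carry SignedInfo, KeyInfo, etc.
ASSERTION_ONLY = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
    <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

# Same response with the message signature added, which is what Liferay expects.
MESSAGE_AND_ASSERTION = ASSERTION_ONLY.replace(
    "<saml:Assertion",
    "<ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>\n  <saml:Assertion",
    1,
)

if __name__ == "__main__":
    for name, doc in [("adfs default", ASSERTION_ONLY), ("fixed", MESSAGE_AND_ASSERTION)]:
        print(name, signature_status(doc))
```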

So, in case this happens to you, remember the following:

Liferay's SAML SP requires that both SAML assertions and messages are signed.