Liferay SAML SP with SSL issue

Sandeep Nair, modified 8 years ago.

Liferay SAML SP with SSL issue

Liferay Legend Posts: 1744 Join Date: 6/11/08 Recent Posts
When SAML SP is enabled for Liferay with SSL, after authenticating in the IdP, Liferay throws an error saying "Request was required to be secured but was not". I checked the OpenSAML code to see where this error is coming from. Apparently it seems that whenever the sslrequired option is enabled, it also checks whether the transport is confidential or not. If the transport is not confidential, then I get the above error. Following is the snippet from the HttpRule class of OpenSAML after decompiling.

protected void evaluateSecured(HTTPTransport transport)
    throws SecurityPolicyException
{
    if ((this.requireSecured) && (!transport.isConfidential()))
    {
        this.log.error("Request was required to be secured but was not");
        throw new SecurityPolicyException("Request was required to be secured but was not");
    }
}

Is there anything on the Liferay SP side that I need to do in order to make sure that transport.isConfidential evaluates to true? Or is this something the IdP has to take care of?

Note, we don't have a problem with the http protocol.

For https, we made sure that the metadata is generated by accessing the https URL of Liferay, and we have also set the isSSLRequired flag to true in the SP configuration from the Control Panel. We also made sure that web.server.protocol is https.
Sandeep Nair, modified 8 years ago.

RE: Liferay SAML SP with SSL issue

Liferay Legend Posts: 1744 Join Date: 6/11/08 Recent Posts
I debugged the SAML code, and I see that request.isSecure always returns false, as expected, since my application server is on http and the web server has https. Now I have a doubt about how the internal OpenSAML classes would resolve the request to be secure, since all the OpenSAML classes accept the request as a parameter and use request.isSecure to find out whether the request is secure or not. It never uses web.server.protocol. So how will it work? There is no request wrapper where I would expect the isSecure method to be overridden to return true when the web.server.protocol property is set.
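
The request wrapper described in the post above, sketched as a servlet filter. This is an added example, not part of the original post and not Liferay or OpenSAML code. The class name, the `trustedProxyAddr` init parameter, the use of the `X-Forwarded-Proto` header and a filter mapping that runs ahead of the SAML endpoints are all assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Hypothetical filter: reports the scheme the browser used when TLS is
// terminated on a web server in front of an HTTP-only application server.
public class ForwardedProtoFilter implements Filter {

    // Assumption: the TLS-terminating web server runs on the same host.
    private String trustedProxyAddr = "127.0.0.1";

    @Override
    public void init(FilterConfig config) {
        String addr = config.getInitParameter("trustedProxyAddr");
        if (addr != null) {
            trustedProxyAddr = addr.trim();
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            final HttpServletRequest http = (HttpServletRequest) req;
            // Honour the header only on connections coming from the proxy itself.
            // Accepting it from any client would let a plain-HTTP request claim
            // to be secure and pass the "required to be secured" check.
            boolean viaProxy = trustedProxyAddr.equals(http.getRemoteAddr());
            boolean wasHttps = "https".equalsIgnoreCase(http.getHeader("X-Forwarded-Proto"));
            if (!http.isSecure() && viaProxy && wasHttps) {
                req = new HttpServletRequestWrapper(http) {
                    @Override public boolean isSecure() { return true; }
                    @Override public String getScheme() { return "https"; }
                };
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

The web server in front must overwrite any `X-Forwarded-Proto` value sent by the client, and the application server's HTTP port should not be reachable except through that web server.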
Lalit Jugran, modified 7 years ago.

RE: Liferay SAML SP with SSL issue

Junior Member Posts: 33 Join Date: 25/07/10 Recent Posts
Hi Sandeep,

Have you had success resolving this issue?
Actually, I want to make the SAML cookie (SAML_SP_SESSION_KEY) secured. My environment is running on https and the whole OKTA+Liferay SAML flow is working fine.
Is there any configuration that is responsible for making this cookie secured?

I also tried checking the "SSL Required" property in the control panel, but faced the exception "Request was required to be secured but was not".

Thanks in advance!!!
Lalit