Legacy Knowledge Base
Published Jul. 2, 2025

Unable to process SAML SSO request

Written By

Sivakumar Perumal

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided "as is" without guarantee.

Before using any information from this article, independently verify its suitability for your situation and project.

Issue

After SAML SSO has been configured successfully, the user is unable to log in and gets the following errors in the UI and the server console.

UI Error: 
"Unable to process SAML request"

Server Console: 
ERROR [http-nio-8080-exec-1][MandatoryAuthenticatedMessageRule:37] Inbound message issuer was not authenticated. 
ERROR [http-nio-8080-exec-1][BaseSamlStrutsAction:58] org.opensaml.ws.security.SecurityPolicyException: Inbound message issuer was not authenticated.

Environment

  • Liferay 7.1

Resolution

The above error occurs when the response from the IdP is not signed. Liferay allows authentication only when the response from the IdP is signed.

  • Solution 1 (highly recommended):
    Have the IdP send a signed response. This avoids the above error and ensures successful authentication.

  • Solution 2 (optional):
    Create a custom plugin that bypasses the signature verification in SAML.
    Disclaimer: This may lead to a security issue.

Additional Information

  • If Liferay allowed authentication with an unsigned response from the IdP, this could lead to a security issue: any man-in-the-middle (MitM) could easily tamper with the response from the IdP and send it to the SP (Liferay). Since the response is not signed, the SP would not be able to recognize whether the response is coming from the IdP or from somewhere else.
  • Ref: LPS-47700