Submit Feedback
Legacy Knowledge Base
Published Jun. 30, 2025

SSO SP connection doesn't send unauthenticated users to /c/portal/login

Written By

Debora Vita

How To articles are not official guidelines or officially supporteddocumentation. They are community-contributed content and may not alwaysreflect the latest updates to Liferay DXP. We welcome your feedback toimprove How to articles!

While we make every effort to ensure this Knowledge Base is accurate, itmay not always reflect the most recent updates or official guidelines.We appreciate your understanding and encourage you to reach out with anyfeedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack"publication program, made available for informational purposes. Articlesin this program were published without a requirement for independentediting or verification and are provided "as is" withoutguarantee.

Before using any information from this article, independently verify itssuitability for your situation and project.

Issue

  • Once we setup a SAML SP connection, the SAML adapter doesn't recognize unauthenticated users and redirect them to /c/portal/login

Environment

  • DXP 7.4

Resolution

  • This is intended behavior with the “Prompt Enabled” flag unchecked (unchecked by default). 
    To change this behavior, please enable “Prompt Enabled” on the SP site by doing the following:
     
    1. Go to SP site as the admin user
    2. Go to Configuration > Site Settings > Login
    3. Check the “Prompt Enabled” box.

    It’s very important to note the description of this feature:

    Set this to true to prompt a guest user to login when attempting to access a protected page resource in the portal. By setting this value to false, the portal will inform all users that a requested resource is not found if they have no entitlements to view the resource. The portal will not prompt for login even if the user is a guest user. This behavior complies with OWASP best practices.

    The last sentence is most important; although you can enable the prompt, you should do so with caution, as it will allow outside users to determine private pages. Basically, if there is a valid private page, the user will be redirected, so malicious users can determine private page names.

Additional Information

Did this article resolve your issue ?
Legacy Knowledge Base
Did this article resolve your issue ?