Issue
- There is a use case in which a subset of users is meant to bypass SAML SSO and log in directly to the Liferay SP. On Liferay 7.2 dxp-8, users successfully used the following URL to achieve this:
https://pilots.up.edu/home?p_p_id=com_liferay_login_web_portlet_LoginPortlet&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&saveLastPath=false&_com_liferay_login_web_portlet_LoginPortlet_mvcRenderCommandName=%2Flogin%2Flogin&_com_liferay_login_web_portlet_LoginPortlet_redirect=%2Fgroup%2Ftest
Users noted that after updating to the dxp-10 fix pack, the behavior has changed and now the above URL kicks off the SSO redirect.
Steps to Reproduce:
1. Set up two Liferay 7.2 dxp-10 instances for SAML IdP and SP
2. On the SP, add a Private page 'pp'
3. In Control Panel > Instance Settings > Instance Configuration > General > change Home URL to /group/guest/pp
4. Sign out, and use the following URL to bypass SSO (note: localhost:7080 is the SP in the test case): http://localhost:7080/web/guest/home?p_p_id=com_liferay_login_web_portlet_LoginPortlet&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&saveLastPath=false&_com_liferay_login_web_portlet_LoginPortlet_mvcRenderCommandName=%2Flogin%2Flogin&_com_liferay_login_web_portlet_LoginPortlet_redirect=%2Fgroup%2Fguest%2Fpp
Expected Behavior: SSO is bypassed and the user is able to log in directly to SP
Observed Behavior: SSO is initiated and a redirect to the IdP occurs
Environment
- Liferay DXP 7.2 with Fix Pack 10
Resolution
- The expected behavior occurs on Liferay dxp-8, so these fixes could be related to the change in behavior: LPS-121766 and LPS-98456
- However, eliminating the last section of the URL is a workaround that can be provided here:
&_com_liferay_login_web_portlet_LoginPortlet_redirect=%2Fgroup%2Fguest%2Ftest
It appears to allow skipping the SSO login, and the user gets forwarded to the desired private page if the Default Landing Page is configured to that page.
- Users can implement a customization for the subset of users that need to be redirected to the private page. The way to do this is to create a component for the property "key=login.events.post" and have those users redirected to the desired page after logging in with the URL:
https://pilots.up.edu/home?p_p_id=com_liferay_login_web_portlet_LoginPortlet&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&saveLastPath=false&_com_liferay_login_web_portlet_LoginPortlet_mvcRenderCommandName=%2Flogin%2Flogin
Additional Information
- The customer might use the following component to implement the logic to redirect those users:
@Component(
    immediate = true,
    property = {
        "key=" + PropsKeys.LOGIN_EVENTS_POST
    },
    service = LifecycleAction.class
)
public class LoginPostAction implements LifecycleAction {
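One way such a post-login component could be completed, as an added example that is not Liferay's or the customer's own code. It assumes the subset of users is identified by a hypothetical regular role named "Direct Login Users", that the target is the private page /group/guest/pp from the test case, and that the redirect is applied by setting the LAST_PATH session attribute; the package name is also hypothetical.

```java
package com.example.login; // hypothetical package name

import com.liferay.portal.kernel.events.ActionException;
import com.liferay.portal.kernel.events.LifecycleAction;
import com.liferay.portal.kernel.events.LifecycleEvent;
import com.liferay.portal.kernel.exception.PortalException;
import com.liferay.portal.kernel.model.User;
import com.liferay.portal.kernel.service.RoleLocalService;
import com.liferay.portal.kernel.struts.LastPath;
import com.liferay.portal.kernel.util.Portal;
import com.liferay.portal.kernel.util.PropsKeys;
import com.liferay.portal.kernel.util.StringPool;
import com.liferay.portal.kernel.util.WebKeys;

import javax.servlet.http.HttpServletRequest;

import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

@Component(
    immediate = true, property = "key=" + PropsKeys.LOGIN_EVENTS_POST,
    service = LifecycleAction.class
)
public class LoginPostAction implements LifecycleAction {

    // Assumptions: the role name is hypothetical; the path is the test-case private page.
    private static final String DIRECT_LOGIN_ROLE = "Direct Login Users";
    private static final String LANDING_PATH = "/group/guest/pp";

    @Override
    public void processLifecycleEvent(LifecycleEvent lifecycleEvent) throws ActionException {
        HttpServletRequest request = lifecycleEvent.getRequest();
        try {
            User user = _portal.getUser(request);
            if (user == null || !_roleLocalService.hasUserRole(
                    user.getUserId(), user.getCompanyId(), DIRECT_LOGIN_ROLE, true)) {
                return; // all other users keep the default post-login behaviour
            }
            // Fixed server-side target: never read the destination from a request
            // parameter, so the login URL cannot be used as an open redirect.
            request.getSession().setAttribute(
                WebKeys.LAST_PATH, new LastPath(StringPool.BLANK, LANDING_PATH));
        } catch (PortalException portalException) {
            throw new ActionException(portalException);
        }
    }

    @Reference private Portal _portal;
    @Reference private RoleLocalService _roleLocalService;
}
```

Because the destination is a constant in the component, the direct-login URL no longer needs the `_com_liferay_login_web_portlet_LoginPortlet_redirect` parameter that triggers the SSO redirect on dxp-10.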