Legacy Knowledge Base
Published Jul. 2, 2025

Users without Admin role cannot initiate SSO on the SP when using expando fields

Written By

Aaron Wang

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How to articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided "as is" without guarantee.

Before using any information from this article, independently verify its suitability for your situation and project.

Issue

  • When an expando field is used as the name identifier attribute ("Name Identifier Attribute Name=expando:concurid"), a user without the Administrator role cannot initiate SSO. Steps to reproduce:
    • On the IdP end
      1. Add a custom field 'field1' for the user.
      2. Go to SAML Admin > Service Provider Connections and make sure that "Name Identifier Format=Persistent" and "Name Identifier Attribute Name=expando:field1" are set.
      3. Change the Authenticate Method to "Screen Name" in the Instance settings.
    • On the SP end
      1. Go to SAML Admin > Service Provider Connections. Make sure "Name Identifier Format=Persistent" is set.
      2. Change the Authenticate Method to "Screen Name" in the Instance settings.
    • With SP-initiated SSO, if the current user does not have the Administrator role, the UI shows the error "Unable to process SAML request" and the following error is reported in the log:
      2021-01-29 02:32:24.451 ERROR [http-nio-8080-exec-2][BaseSamlStrutsAction:59] Screen name must not be null for user 36220
    • When checking the SAML response, the value "null" can be observed.
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">null</saml2:NameID>
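
A check for the symptom shown above, as an added example that is not part of the original article or of Liferay's code: it scans a decoded SAML response for a NameID that is empty or a placeholder such as "null". The sample responses and the list of placeholder strings are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PROTOCOL_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Assumed list: strings an IdP may emit when the source attribute could not be read.
UNRESOLVED = {"", "null", "none", "undefined"}


def check_name_ids(response_xml):
    """Return one finding per problematic NameID in a decoded SAML response."""
    root = ET.fromstring(response_xml)
    name_ids = list(root.iter(f"{{{ASSERTION_NS}}}NameID"))
    if not name_ids:
        return ["no NameID element in response"]
    findings = []
    for element in name_ids:
        raw = element.text or ""
        fmt = element.get("Format", "unspecified")
        if raw.strip().lower() in UNRESOLVED:
            # The IdP serialized a missing value instead of a real identifier.
            findings.append(f"unresolved NameID {raw!r} (Format={fmt})")
        elif raw != raw.strip():
            findings.append(f"NameID {raw!r} has surrounding whitespace")
    return findings


def build_response(name_id):
    """Constructed minimal response; real ones are signed and carry more elements."""
    return (
        f'<saml2p:Response xmlns:saml2p="{PROTOCOL_NS}" xmlns:saml2="{ASSERTION_NS}">'
        "<saml2:Assertion><saml2:Subject>"
        f'<saml2:NameID Format="{PERSISTENT}">{name_id}</saml2:NameID>'
        "</saml2:Subject></saml2:Assertion></saml2p:Response>"
    )


BAD_RESPONSE = build_response("null")        # same NameID value as in the article
GOOD_RESPONSE = build_response("jdoe-0042")  # constructed identifier

if __name__ == "__main__":
    for label, xml in (("bad", BAD_RESPONSE), ("good", GOOD_RESPONSE)):
        print(label, check_name_ids(xml) or "NameID looks resolved")
```

Running the check against responses captured for a non-administrator test user before and after the permission change shows whether the IdP now resolves the custom field.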

Environment

  • Liferay DXP 7.1

Resolution

  • The issue occurs because the user does not have permission to read the custom field value, so the screen name comes across as null.
  • To resolve the issue, grant the 'User' role the "View" permission on the expando field using the following steps:
    1. Go to Control Panel > Configuration > Custom Fields > User
    2. Edit the permissions of your customized expando field and add the "View" permission to the User role