SSO in Liferay DXP using SAML

Introduction

Liferay Digital Experience Platform (DXP) can be integrated with a corporate Single Sign-On (SSO) server, and SAML is one way to establish that integration. This article lays out the general steps for the SSO configuration in which Liferay DXP acts as the Service Provider (SP) and establishes SSO with an Identity Server (IdP). The steps below use a self-signed certificate; depending on the requirement, a certificate signed by a certificate authority can be used instead.

Pre-requisites

1. Single Sign-On (SSO) Server – Identity Server
2. Liferay DXP set up in place:
   a. Installation of Java (JDK)
   b. Installation and configuration of a database (e.g. MySQL, MS SQL, Postgres)
   c. Environment variables set

Implementation Steps

1) Liferay DXP SAML Plugin: The Liferay DXP SAML plugin is available in the Liferay Marketplace. Download the SAML plugin (lpkg format) from the marketplace and deploy it in Liferay.

URL to Download:  https://web.liferay.com/marketplace/-/mp/application/15188711

2) Generate Keystore: Create a keystore with the keytool command that ships with the JDK. A self-signed certificate is used here.

Run the following command: keytool -genkeypair -keyalg RSA -alias liferayselfsigned -keystore keystore.jks -storepass pass1234 -validity 360 -keysize 2048

This generates the keystore.jks file. Make sure you create the file in a directory that is readable by the Liferay process. Note the alias (liferayselfsigned) and the -storepass value (pass1234): both are referenced later in portal-ext.properties.

3) Export Liferay Server Certificate

Once the keystore.jks file is generated, we need to export the Liferay certificate. This certificate is imported into the SSO server so that the SSO server and the Liferay DXP server can establish trust for the SAML handshake.

Run the following command to export the certificate: keytool -exportcert -alias liferayselfsigned -file exportasialiferaycertificate.cer -keystore keystore.jks

4) Import Identity Provider/Single Sign On Server Certificate

The Identity Server's certificate must be imported into the Liferay keystore.

Run the following command to import the certificate: keytool -importcert -alias ssoselfsigned -file sso-certificate.cer -keystore keystore.jks

After running the above command, the existing keystore.jks is updated with the SSO server certificate.

5) Metadata Configuration

The Identity Server has to generate a metadata XML file. This metadata file needs to be stored on the VM where Liferay DXP is installed, at a location that the Liferay DXP server can read (for example, a file named metadata.xml).

6) SAML Configuration in Liferay

Now we need to configure the SAML plugin. This can be done through portal-ext.properties (located at /liferay-dxp/tomcat-8.0.32/webapps/ROOT/WEB-INF/classes).

The following configuration is required in portal-ext.properties:

saml.enabled=true
saml.role=sp
saml.entity.id=liferayselfsigned
saml.metadata.paths=/home/saml/metadata.xml

# Keystore #
saml.keystore.type=jks
saml.keystore.path=/home/saml/keystore.jks
# same value as the -storepass given to keytool in step 2
saml.keystore.password=pass1234
saml.keystore.credential.password[liferayselfsigned]=pass1234

# Service Provider #
saml.sp.default.idp.entity.id=entityid
saml.sp.sign.authn.request=true
saml.sp.assertion.signature.required=false
saml.sp.clock.skew=3000
saml.sp.session.keepalive.url=http://[host:port]/portal/saml/idp/keepalive
saml.sp.user.attribute.mappings=screenName=uid\nemailAddress=mail\nfirstName=firstName\nlastName=lastName

7) Restart: Restart Liferay once so that all the changes take effect, then perform the SSO testing.

Checklist / Considerations for SSO Integration:

1. User Provisioning: Users must be provisioned in Liferay DXP before any SSO integration testing is performed.
2. Accessibility: Make sure Liferay DXP and the SSO server can reach each other over the network.
3. Information required by the SSO Server / Identity Server:
   a) The Liferay certificate exported in the implementation steps above.
   b) The Liferay SAML Assertion Consumer Service URL: http://server:port/c/portal/saml/acs. This must be configured on the Identity Server side.
4. Information required by the Liferay DXP server: The SAML metadata file comes from the Identity Server. Make sure the entityID="entityId" attribute in that metadata file is the value configured as saml.sp.default.idp.entity.id in Liferay's portal-ext.properties.
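As an added example (not from the article or from Liferay), the script below checks the consistency rules behind step 6 and checklist item 4: it parses a portal-ext.properties fragment and the IdP metadata.xml, both constructed samples here, and reports when the configured default IdP entity id does not match the metadata, when the SP alias has no credential password, or when assertion signatures are not required. The entity id https://idp.example.test/saml and the `check_saml_config` helper are assumptions for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the step 6 properties, with the IdP entity id filled in.
SAMPLE_PROPERTIES = """
saml.entity.id=liferayselfsigned
saml.keystore.password=pass1234
saml.keystore.credential.password[liferayselfsigned]=pass1234
saml.sp.default.idp.entity.id=https://idp.example.test/saml
saml.sp.assertion.signature.required=false
saml.sp.user.attribute.mappings=screenName=uid\\nemailAddress=mail\\nfirstName=firstName\\nlastName=lastName
"""

# Constructed sample of the metadata.xml an identity server publishes (step 5).
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>
"""

def parse_properties(text):
    """Java .properties subset: key=value lines, '#' comments, Liferay's \\n escape in values."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip().replace("\\n", "\n")
    return props

def parse_attribute_mappings(props):
    """Expand saml.sp.user.attribute.mappings into {liferayField: idpAttribute}."""
    raw = props.get("saml.sp.user.attribute.mappings", "")
    return dict(pair.split("=", 1) for pair in raw.split("\n") if "=" in pair)

def check_saml_config(properties_text, metadata_xml):
    """Return a list of findings; an empty list means the SP settings are consistent."""
    props = parse_properties(properties_text)
    findings = []
    # Checklist item 4: the entityID in metadata.xml must be the configured default IdP.
    idp_entity_id = ET.fromstring(metadata_xml).get("entityID")
    if props.get("saml.sp.default.idp.entity.id") != idp_entity_id:
        findings.append("saml.sp.default.idp.entity.id does not match metadata entityID %r" % idp_entity_id)
    # The keystore alias that signs AuthnRequests is saml.entity.id; it needs a credential password.
    if "saml.keystore.credential.password[%s]" % props.get("saml.entity.id") not in props:
        findings.append("no saml.keystore.credential.password entry for alias %r" % props.get("saml.entity.id"))
    if props.get("saml.sp.assertion.signature.required", "false").lower() != "true":
        findings.append("saml.sp.assertion.signature.required is not true; the SP will not insist on signed assertions")
    return findings
```

Run `check_saml_config(open("portal-ext.properties").read(), open("metadata.xml").read())` against the real files before restarting Liferay in step 7.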

Blogs
Please don't use that approach to configure the plugin. Liferay has SAML admin UI which makes configuring it easier and less error prone.
The SAML UI is not helping with Azure AD certificates. Nor does this documentation help, as there is no option in Azure to import the Liferay cert.

Could someone please help me with the issue I am facing with SAML integration with Liferay for OKTA single sign-on? As part of our requirement, we need to implement OKTA single sign-on for our Liferay application. I followed a couple of documents online and was successfully able to integrate OKTA with my Liferay application by providing IdP and SP settings. Right now we are using a custom auto-login hook for the login purpose. My requirement here is that I need to capture the initial SAML response from the IdP, and based upon certain attributes I need to assign certain roles to the user logging in through OKTA before redirecting to the main page. But my issue here is that I am not able to capture the SAML response sent to c/portal/saml/acs by the IdP. Could someone please help me capture the SAML response and set that response in the request parameters before redirecting?