Single sign on concept in Liferay

srinivasa rao, modified 9 years ago.

Single sign on concept in Liferay

Regular Member Posts: 189 Join Date: 29.01.14 Recent Posts
Hi All,

Does anyone know the single sign on concept in Liferay?

Could anyone provide documentation or a procedure? I tried the wiki pages in Liferay, but I am not getting proper documentation.
Jeffrey Paul Handa, modified 9 years ago.

RE: Single sign on concept in Liferay

Liferay Master Posts: 541 Join Date: 01.12.08 Recent Posts
Hi Srinivasa,

Please take a look at this article from the Liferay Developer Network: https://dev.liferay.com/discover/portal/-/knowledge_base/6-2/integrating-existing-users-into-liferay
srinivasa rao, modified 9 years ago.

RE: Single sign on concept in Liferay

Regular Member Posts: 189 Join Date: 29.01.14 Recent Posts
Thanks Jeffrey,

it's really helpful.
Alla Sapozhnikova, modified 8 years ago.

RE: Single sign on concept in Liferay

Junior Member Posts: 81 Join Date: 02.03.12 Recent Posts
Hi there,

Liferay allows a new user to be added through the GUI. How do I make sure that a user id that is about to be added doesn't exist in the LDAP directory?

Thank you.
Alla
Alla Sapozhnikova, modified 7 years ago.

RE: Single sign on concept in Liferay

Junior Member Posts: 81 Join Date: 02.03.12 Recent Posts
I know that the mass import from LDAP to Liferay option exists. Is there an option to export all Liferay users to LDAP on startup?
Andrew Jardine, modified 7 years ago.

RE: Single sign on concept in Liferay

Liferay Legend Posts: 2416 Join Date: 22.12.10 Recent Posts
Hi Alla,

Out of the box? No. There is an import on startup option (which you probably already found) but not export. The import on startup feature just triggers a message listener that uses methods in the API to start the import process though -- no reason why you can't write a startup hook that does the same thing but going in the other direction.

I guess the question I would have though is -- what is the source of truth for your authentication? If LDAP is your source of truth you should allow users that aren't already in there to be added to Liferay in the first place.
Alla Sapozhnikova, modified 7 years ago.

RE: Single sign on concept in Liferay

Junior Member Posts: 81 Join Date: 02.03.12 Recent Posts
Do you know what will happen to the passwords if I have the hook?

Thank you for your help,
Alla
Andrew Jardine, modified 7 years ago.

RE: Single sign on concept in Liferay

Liferay Legend Posts: 2416 Join Date: 22.12.10 Recent Posts
I'm not sure what you mean. You mean if you take a user from Liferay and shove them into LDAP, will the LDAP record have their Liferay User password? You should really have a look at the portal.properties file and find the

    ##
    ## LDAP
    ##

section. There you'll see all the different settings with some excellent documentation on what the settings mean and how other settings affect them. For example, you can auto-generate passwords, but the comment for the property explicitly talks about what this means if you export users.

    #
    # Set this to true to autogenerate passwords for users imported from
    # LDAP.
    #
    # This property is only in use if the property
    # "ldap.import.user.password.enabled" is set to false.
    #
    # If an LDAP password policy is enabled (see the property
    # "ldap.password.policy.enabled"), the password will be generated using
    # RegExpToolkit. Set the "auth.pipeline.enable.liferay.check" property to
    # false to disable password checking by the portal's internal authentication
    # (which is not compatible with LDAP), and set the "auth.pipeline.pre"
    # property to com.liferay.portal.security.auth.LDAPAuth so that password
    # checking will be delegated to the LDAPAuth authenticator.
    #
    # Note that enabling LDAP export, by setting the "ldap.export.enabled"
    # property to true, may lead to overwriting the LDAP user's password with an
    # autogenerated password.
    #
    ldap.import.user.password.autogenerated=false
Alla Sapozhnikova, modified 7 years ago.

RE: Single sign on concept in Liferay

Junior Member Posts: 81 Join Date: 02.03.12 Recent Posts
> You mean if you take a user from Liferay and shove them into LDAP, will the LDAP record have their Liferay User password?

Yes, basically this is what I mean. And is there an option to export all users with passwords from Liferay to LDAP?
Andrew Jardine, modified 7 years ago.

RE: Single sign on concept in Liferay

Liferay Legend Posts: 2416 Join Date: 22.12.10 Recent Posts
Hey Alla,

Yep, you can enable an export which basically does what you are looking for. I've never used this feature myself to be honest, but I'm sure someone has or it wouldn't be in the product. If you do go this route I would also suggest that you set the Liferay Password policy to be the same as your LDAP password policy to avoid LDAP rejecting exports due to configuration differences. You can do this by setting the following property to true in your portal-ext:

    #
    # Set this to true to use LDAP's password policy instead of the portal
    # password policy.
    #
    # If set to true, it is possible that portal generated passwords will not
    # match the LDAP policy. See the "passwords.regexptoolkit.*" properties for
    # details on configuring RegExpToolkit in generating these passwords.
    #
    ldap.password.policy.enabled=false
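
The two export pitfalls raised in the replies above (an autogenerated password overwriting the LDAP one, and the portal and LDAP password policies diverging) can be checked mechanically against a portal-ext.properties file. This is an added example, not code from the thread or from Liferay; it uses only property names quoted above, and the defaults passed for `ldap.export.enabled` and `ldap.import.user.password.enabled` are assumptions to verify against your own portal.properties.

```python
# Added example: audit properties text for the LDAP export pitfalls in this thread.
def parse_properties(text):
    """Parse simple key=value lines (no line continuations or ':' separators)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def is_true(props, key, default):
    """Boolean value of a property, falling back to the given default."""
    return props.get(key, str(default)).strip().lower() == "true"

def audit_ldap_export(text, export_default=False, import_password_default=True):
    """Return finding codes. The two *_default arguments are assumptions:
    the thread does not show those defaults, so check your portal.properties."""
    props = parse_properties(text)
    findings = []
    if not is_true(props, "ldap.export.enabled", export_default):
        return findings  # nothing is written to LDAP, so no export risk
    autogen = is_true(props, "ldap.import.user.password.autogenerated", False)
    import_pw = is_true(props, "ldap.import.user.password.enabled",
                        import_password_default)
    # Autogeneration is only in use when password import is disabled.
    if autogen and not import_pw:
        findings.append("PASSWORD_OVERWRITE")  # export may replace LDAP password
    if not is_true(props, "ldap.password.policy.enabled", False):
        findings.append("POLICY_MISMATCH")  # portal policy may differ from LDAP's
    return findings

# Constructed sample configurations, not taken from a real deployment.
RISKY = """
ldap.export.enabled=true
ldap.import.user.password.enabled=false
ldap.import.user.password.autogenerated=true
"""
ALIGNED = """
ldap.export.enabled=true
ldap.import.user.password.autogenerated=false
ldap.password.policy.enabled=true
"""

if __name__ == "__main__":
    print(audit_ldap_export(RISKY), audit_ldap_export(ALIGNED))
```
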
Alla Sapozhnikova, modified 7 years ago.

RE: Single sign on concept in Liferay

Junior Member Posts: 81 Join Date: 02.03.12 Recent Posts
Thank you for your help.