Hello all,

We have a Liferay portal instance which currently serves two domain names: lf.dom1.com & lf.dom2.com.
(These are both handled by the same Liferay company configuration and a single portal instance. They are the same code base.)

Currently, for authentication, both domains are using the Authenticator interface, which uses the Liferay pipeline authentication.
int com.liferay.portal.security.auth.Authenticator.authenticateByEmailAddress(long companyId, String emailAddress, String password, Map<String, String[]> headerMap, Map<String, String[]> parameterMap)
where we return 1 for SUCCESS and -1 for FAILURE

We are planning to roll out a SSO solution for only one domain, lf.dom1.com, while leaving the other domain, lf.dom2.com, to continue with the customer Authenticator interface. To handle our SSO, we will be using the AutoLogin interface.
String[] com.liferay.portal.security.auth.AutoLogin.login(HttpServletRequest request, HttpServletResponse response)
where we return a credentials array [3] of { userid, password, encPassword } for success or null for failure

This AutoLogin interface does not seem to be apart of the same Liferay pipeline authentication.

I can login against lf.dom2.com without issues because the custom AutoLogin handler I'm using will simply return if the SSO approach is not active. (That is, SSO exchange happens in a filter so the authenticated user is put on the session by the filter. The custom AutoLogin handler looks for a user on the session and returns null credentials if none exist.)

However, when doing SSO, all works fine except the normal Liferay pipeline authentication seems to be triggered after the custom AutoLogin handler returns with valid credentials. The Liferay pipeline does not see that a user has already been authenticated. So, the SSO user is never let into the site.

We are using Liferay 6.1.2 CE.

I appreciate any tips or ideas on how to allow both methods of authentication on the same portal instance.

Thanks!