
Setting up Liferay Portal 6.1 EE as an IdP

Company Blogs May 24, 2012 By Armin Cyrus Dahncke Staff

As a result of my recent demo at our Hungarian symposium in Budapest, I want to show today how I used the SAML Portlet to set up a Liferay Portal instance as an Identity Provider talking SAML 2.

My next blog will show the Service Provider part with the same portlet but a different configuration, using a second Liferay bundle running locally on different ports.

In case you are interested in seeing how it works in conjunction with Salesforce, I can recommend the blog from Mika.

Setup of a Liferay Identity Provider

For my installation I used a bundle and the SAML Portlet from the customer portal.
 
First we need to set up a keystore. We will use the Java keytool to create a keystore we can easily use from the command line.
It is crucial to create the key under the alias that we will use as the IdP entity id in portal-ext.properties. In this case we will use liferaysamlidpdemo.
To have the keystore in a directory we can address from the Liferay properties, we can, for ease of use, execute the command in the Liferay data directory:
 
keytool -genkey -keyalg RSA -alias liferaysamlidpdemo -keystore keystore.jks -storepass liferay -validity 360 -keysize 2048
 

The output looks like the following:

 
MacBook-Pro:data xxx$ keytool -genkey -keyalg RSA -alias liferaysamlidpdemo -keystore keystore.jks -storepass liferay -validity 360 -keysize 2048
 
What is your first and last name?
  [Unknown]:  Liferay SAML IdP Demo
What is the name of your organizational unit?
  [Unknown]:  Liferay SAML IdP Demo
What is the name of your organization?
  [Unknown]:  Liferay
What is the name of your City or Locality?
  [Unknown]:  wherever 
What is the name of your State or Province?
  [Unknown]:  wherever
What is the two-letter country code for this unit?
  [Unknown]:  XX
Is CN=Liferay SAML IdP Demo, OU=Liferay SAML IdP Demo, O=Liferay, L=wherever, ST=wherever, C=XX correct?
  [no]:  yes
 
Enter key password for <liferaysamlidpdemo>
(RETURN if same as keystore password):  
Re-enter new password: 
 
Next we need to bootstrap the SAML plugin in portal-ext.properties:
 
##
## SAML
##
 
# Enable SAML Plugin
saml.enabled=true
 
# Set the role to idp on the Identity Provider and to sp on the Service Provider
saml.role=idp
 
# Set the SAML entity id; it matches the alias we used when creating the keystore
saml.entity.id=liferaysamlidpdemo
 
# We do not need SSL for this example; for production you would use a regular SSL certificate
saml.require.ssl=false
 
We also need a reference to the keystore we set up earlier, so we add the following to portal-ext.properties:
 
#
# Keystore
#
 
# keystore type
saml.keystore.type=jks
 
# location of the keystore
saml.keystore.path=${liferay.home}/data/keystore.jks
 
# password for accessing the keystore
saml.keystore.password=liferay
 
# password for accessing the private key of the entity in the keystore
saml.keystore.credential.password[liferaysamlidpdemo]=liferay
 

Next we need to enable the IdP part of the SAML plugin (still in portal-ext.properties):

#
# Identity Provider
#
 
# Enable the Identity Provider
saml.idp.enabled=true
 
# require the authentication requests sent by Service Providers to be signed
saml.idp.authn.request.signature.required=true
 
# set the Identity Provider entity id
saml.idp.entity.id=liferaysamlidpdemo
 
We also need to register the Service Providers (Part 2) with the IdP, which can be done in portal-ext.properties as follows:
 
# The metadata locations of the known Service Providers. For a Liferay SP we can point
# to the metadata service of the plugin; in this case we already set up the SP, which is
# just another Liferay instance with the same plugin running in sp mode.
saml.metadata.paths=\
http://beta.test.com:9080/c/portal/saml/metadata
 
saml.idp.metadata.attributes.enabled[liferaysamlspdemo]=true
saml.idp.metadata.attribute.names[liferaysamlspdemo]=screenName,firstName,lastName,emailAddress,uuid
saml.idp.metadata.session.keepalive.url[liferaysamlspdemo]=http://beta.test.com:9080/c/portal/saml/sp/keepalive
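The settings above only work when several values agree with each other: the keystore alias, saml.entity.id and saml.idp.entity.id must be the same string, and the credential password key must be indexed by that entity id. The following checker, an added example that is not part of Liferay or of this post, reads a portal-ext.properties fragment (comments, key=value pairs and backslash line continuations, no escape handling) and reports mismatches; it also flags comma-separated attribute names, which the comment below explains are split on line breaks. The SAMPLE fragment is constructed to mirror this post.

```python
"""Consistency checks for the SAML IdP settings in portal-ext.properties.
Added example, not part of Liferay or the original post: a minimal
java.util.Properties reader plus the invariants the post depends on."""

# Constructed sample mirroring the post's portal-ext.properties fragments.
SAMPLE = """\
saml.enabled=true
saml.role=idp
saml.entity.id=liferaysamlidpdemo
saml.keystore.credential.password[liferaysamlidpdemo]=liferay
saml.idp.enabled=true
saml.idp.entity.id=liferaysamlidpdemo
saml.metadata.paths=\\
http://beta.test.com:9080/c/portal/saml/metadata
saml.idp.metadata.attribute.names[liferaysamlspdemo]=screenName,firstName
"""

def parse_properties(text):
    """Parse .properties text; a trailing backslash joins the next line."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue                        # blank or comment line
        line = pending + line
        if line.endswith("\\"):
            pending = line[:-1]             # continuation: keep collecting
            continue
        pending = ""
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def check_idp_config(props, keystore_alias):
    """Return the list of problems found; an empty list means consistent."""
    problems = []
    entity = props.get("saml.entity.id")
    if entity != keystore_alias:    # the key pair was generated under this alias
        problems.append(f"saml.entity.id {entity!r} != keystore alias {keystore_alias!r}")
    if props.get("saml.idp.entity.id") != entity:
        problems.append("saml.idp.entity.id does not match saml.entity.id")
    if f"saml.keystore.credential.password[{entity}]" not in props:
        problems.append(f"missing saml.keystore.credential.password[{entity}]")
    # Per the comment on this post, attribute names are split on line breaks,
    # so a comma-separated list would be read as one attribute name.
    for key, value in props.items():
        if key.startswith("saml.idp.metadata.attribute.names[") and "\\n" not in value and "," in value:
            problems.append(f"{key}: separate names with \\n, not commas")
    return problems
```

Run it against your real portal-ext.properties with the alias you passed to keytool; an empty list means the IdP values line up.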
Comment by István Kállai, April 28, 2014:

Note: saml.idp.metadata.attribute.names must be given with "\n" as the separator, otherwise the attribute names will not be correctly split. See MetadataManagerImpl.getAttributeNames(), where StringUtil.splitLines() is used. (codebase: saml-portlet-6.1.20.3-ee-ga3)