Setting up Liferay Portal 6.1 EE as an IdP

Company Blogs May 24, 2012 By Armin Cyrus Dahncke Staff

Following my recent demo at our Hungarian symposium in Budapest, I want to show today how I used the SAML portlet to set up a Liferay Portal instance as an Identity Provider that speaks SAML 2.0.

My next blog will cover the Service Provider side: the same portlet with a different configuration, running in a second Liferay bundle on different ports on the same machine.

If you are interested in seeing how it works together with Salesforce, I can recommend the blog from Mika.

Setup of a Liferay Identity Provider

For my installation I used a bundle and the SAML portlet from the customer portal.
First we need to set up a keystore. We will use the Java keytool, which is easy to drive from the command line.
It is crucial to create the key under an alias equal to the IdP entity id we will later put into portal-ext.properties, because the plugin looks up its signing credential in the keystore by that entity id. In this case we will use liferaysamlidpdemo.
To have the keystore in a directory we can address from the Liferay properties, run the command in the Liferay data directory for ease of use:
keytool -genkey -keyalg RSA -alias liferaysamlidpdemo -keystore keystore.jks -storepass liferay -validity 360 -keysize 2048
Two things to keep in mind for anything beyond a local demo: the store password given with -storepass ends up in your shell history (keytool can read it from an environment variable or a file instead), and -validity 360 means this self-signed certificate expires after about a year, after which Service Providers that hold it in their metadata will reject the IdP's signatures.

The interactive session looks like the following (the prompts fill in the certificate's subject DN; the values below are demo values):

MacBook-Pro:data xxx$ keytool -genkey -keyalg RSA -alias liferaysamlidpdemo -keystore keystore.jks -storepass liferay -validity 360 -keysize 2048
What is your first and last name?
  [Unknown]:  Liferay SAML IdP Demo
What is the name of your organizational unit?
  [Unknown]:  Liferay SAML IdP Demo
What is the name of your organization?
  [Unknown]:  Liferay
What is the name of your City or Locality?
  [Unknown]:  wherever 
What is the name of your State or Province?
  [Unknown]:  wherever
What is the two-letter country code for this unit?
  [Unknown]:  XX
Is CN=Liferay SAML IdP Demo, OU=Liferay SAML IdP Demo, O=Liferay, L=wherever, ST=wherever, C=XX correct?
  [no]:  yes
Enter key password for <liferaysamlidpdemo>
(RETURN if same as keystore password):  
Re-enter new password: 
Pressing RETURN at the key password prompt gives the key the same password as the keystore; that is the password the plugin later needs for the entity's credential.

Next we need to bootstrap the SAML plugin in portal-ext.properties:
# Enable SAML Plugin
# Set the role to idp on the Identity Provider and to sp on the Service Provider
# Set the SAML entity id; it matches the alias we used when creating the keystore
# We do not need SSL for this local example. In production require it: SAML responses and assertions pass through the user's browser, and only TLS protects them from being read or modified in transit.
We also need a reference to the keystore we set up earlier, so we add the following to portal-ext.properties:
# Keystore
# keystore type
# location of the keystore
# password for opening the keystore
# password for the entity's key in the keystore (the key password from the keytool prompt above)

Next we need to enable the IdP part of the SAML plugin (still in portal-ext.properties):

# Identity Provider
# Enable the Identity Provider
# set the SAML authentication as required
# set the Identity Provider entity id
We also need to register the Service Providers (Part 2) with the IdP, which is done like this in portal-ext.properties:
# The metadata locations for the known Service Providers. In the case of Liferay
# we can point to the metadata service of the plugin; here the SP is already set up and
# is just another Liferay instance with the same plugin running in sp mode.
# Treat this metadata as trusted input: it carries the SP's certificate and the assertion
# consumer URLs the IdP will post assertions to, so fetch it over HTTPS or from a file you
# have checked rather than over plain HTTP from a remote host.
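The whole procedure above as one repeatable script. This is an added example, not code from the original post or from Liferay: it creates the keystore without the interactive prompts and without the password on the command line, checks that the keystore alias really matches the entity id, and writes the portal-ext.properties fragment with that same value. The property names (saml.enabled, saml.role, saml.entity.id, saml.require.ssl, saml.keystore.*, saml.idp.enabled, saml.idp.authn.request.signature.required, saml.metadata.paths) are assumed here from the 6.1-era plugin, and the SP metadata URL and port are assumptions as well; confirm the names against the portlet.properties shipped in the SAML portlet WAR and the URL against your second bundle before relying on it.

```shell
#!/bin/sh
# Added example, not part of the original post or the Liferay plugin.
# Creates the IdP keystore, verifies alias == entity id, writes the
# portal-ext.properties fragment. Property names are assumed from the
# 6.1-era SAML plugin: check them against the plugin's portlet.properties.
set -eu

ENTITY_ID="${ENTITY_ID:-liferaysamlidpdemo}"        # SAML entity id AND keystore alias
LIFERAY_HOME="${LIFERAY_HOME:-$PWD}"                # the bundle's liferay.home
KEYSTORE="$LIFERAY_HOME/data/keystore.jks"
# Assumed: the SP bundle (Part 2) listens on port 9080 and the plugin serves
# its metadata at /c/portal/saml/metadata.
SP_METADATA_URL="${SP_METADATA_URL:-http://localhost:9080/c/portal/saml/metadata}"

require_password() {
    # keytool reads the password from the variable named after :env, so it
    # never appears on the command line or in shell history.
    [ -n "${KEYSTORE_PASSWORD:-}" ] || { echo "set KEYSTORE_PASSWORD first" >&2; return 1; }
}

create_idp_keystore() {
    require_password
    mkdir -p "$(dirname "$KEYSTORE")"
    keytool -genkeypair -keyalg RSA -keysize 2048 -validity 360 \
        -alias "$ENTITY_ID" \
        -dname "CN=Liferay SAML IdP Demo, OU=Liferay SAML IdP Demo, O=Liferay, L=wherever, ST=wherever, C=XX" \
        -keystore "$KEYSTORE" \
        -storepass:env KEYSTORE_PASSWORD -keypass:env KEYSTORE_PASSWORD
}

# The plugin finds the signing credential by entity id, so a mismatched alias
# leaves the IdP without a key. Returns 0 if the alias exists in the keystore.
keystore_has_alias() {
    require_password
    keytool -list -keystore "$KEYSTORE" -storepass:env KEYSTORE_PASSWORD \
        -alias "$1" >/dev/null 2>&1
}

# Write the properties to the file named in $1 (merge it into portal-ext.properties).
write_saml_idp_properties() {
    require_password
    cat >"$1" <<EOF
# Enable SAML Plugin
saml.enabled=true
# Set the role to idp on the Identity Provider and to sp on the Service Provider
saml.role=idp
# The SAML entity id; identical to the keystore alias
saml.entity.id=$ENTITY_ID
# Local demo only. In production require SSL: SAML responses and assertions
# pass through the browser and only TLS protects them in transit.
saml.require.ssl=false

# Keystore
saml.keystore.type=jks
saml.keystore.path=\${liferay.home}/data/keystore.jks
saml.keystore.password=$KEYSTORE_PASSWORD
# password of the entity's key (same as the store password above)
saml.keystore.credential.password[$ENTITY_ID]=$KEYSTORE_PASSWORD

# Identity Provider
saml.idp.enabled=true
saml.idp.authn.request.signature.required=true

# Metadata of the known Service Providers (Part 2). Plain http is acceptable
# on localhost; anywhere else use https or a verified local file, since this
# metadata names the endpoints the IdP will send assertions to.
saml.metadata.paths=$SP_METADATA_URL
EOF
}

# Usage: KEYSTORE_PASSWORD='...' sh setup-idp.sh run
if [ "${1:-}" = "run" ]; then
    create_idp_keystore
    keystore_has_alias "$ENTITY_ID" || { echo "alias $ENTITY_ID not in $KEYSTORE" >&2; exit 1; }
    write_saml_idp_properties "$LIFERAY_HOME/portal-ext.saml.properties"
    echo "created $KEYSTORE; merge $LIFERAY_HOME/portal-ext.saml.properties into portal-ext.properties"
fi
```

Run it from the bundle directory with KEYSTORE_PASSWORD set in the environment; the alias check at the end is the step most worth keeping, since a typo in either the alias or saml.entity.id is otherwise only noticed when the first SP login fails.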
Threaded Replies

István Kállai, April 28, 2014 1:46 AM:
Note: saml.idp.metadata.attribute.names must be given with "\n" as the separator, otherwise the attribute names will not be correctly split. See MetadataManagerImpl.getAttributeNames(), where StringUtil.splitLines() is used. (codebase: saml-portlet-

Midhun Kumar, August 25, 2016 8:24 PM:
Hi Armin, nice blog, seems informative and I want to try it out. But I need to find the Liferay SAML 2.0 portlet compatible with Liferay Portal 6.1 EE GA2. Can you tell me which version of Liferay SAML 2.0 would work and where I can download it?