Liferay Digital Experience Platform (DXP) provides feature to integrate with Corporate Single Sign on Server (SSO). SAML can be used to establish the same. This article laid down the general steps required for the SSO configuration, where in Liferay DXP which will act as Service Provider and will establish SSO with Identity Server. Below steps are described with the self-signed certificate but based on the requirement signed certificate from certified authority can also be used.
1. Single Sign On (SSO) Server – Identity Server
2. Liferay DXP Set up in place
a. Installation of Java and JDK
b. Installation and configuration of Database (e.g. MySQL/ MS SQL/Postgres etc.)
c. Set Environment Variable
1) Liferay DXP SAML Plugin: We will need Liferay DXP SAML Plugin which is available in the marketplace. Download SAML Plugin (lkpg format) from the marketplace and deploy SAML Plugin in Liferay.
URL to Download: https://web.liferay.com/marketplace/-/mp/application/15188711
2) Generate Keystore : Create keystore with keytool command that is available with JDK. We can either used self-signed certificate.
Run the following command: keytool -genkeypair -keyalg RSA -alias liferayselfsigned -keystore keystore.jks -storepass pass1234 -validity 360 -keysize 2048
This will generate keystore.jks file. Make sure you create the file under the directory which is accessible by Liferay.
3) Export Liferay Server Certificate
Once the keystore.jks file is generated, we need to export the Liferay certificate. This certificate is generated so it can be imported in SSO Server and with this SSO Server and Liferay DXP server will have a handshake.
Run the following command to export the certificate: keytool –exportcert –alias liferayselfsigned –file exportasialiferaycertificate.cer –keystore keystore.jks
4) Import Identity Provider/Single Sign On Server Certificate
Identity server will be required to be imported in Liferay.
Run the following command to import the certificate: keytool -importcert -alias ssoselfsigned -file sso-certificate.cer -keystore keystore.jks
After running the above command the existing keystore.jks will be updated with SSO Server Certificate.
5) Metadata Configuration
Identity Server will have to generate a metadata XML file. This metadata file needs to be store on the VM where we have Liferay DXP Installed. Place the XML file at a location which is accessible by Liferay DXP Server. (Metadata file name for e.g.: metadata.xml)
6) SAML Configuration in Liferay
Now we need to configure the SAML Plugin. We can configure the same using the configuration in portal-ext.properties (which is placed at /liferay-dxp/tomcat-8.0.32/webapps/ROOT/WEB-INF/classes)
Following are the configurations required in portal-ext.properties:
# Keystore #
# # Service Provider #
7) Restart: Restart the Liferay once to make all the changes are reflected and perform the SSO testing.
Checklist/ Considerations for SSO Integration:
- User Provisioning: User provisioning is required in Liferay DXP before performing any testing for SSO Integration
- Accessibility: Make sure Liferay DXP and SSO Server should be able to access each other.
- Information required for SSO Server/Identity Server:
a) Liferay Exported Certificate as demonstrated in Installation Steps
b) Liferay SAML Consumer Assertion URL : http://server:port/c/portal/saml/acs. This is required to be configured on the Identity Server end.
4. Information required for Liferay DXP Server: When configuration is required on Liferay 7 server then SAML metadata file will from the Identity Server. It should be made sure that entityID="entityId" given in the metadata file is what which will be configured in the Liferay portal-ext.properties file.