Configure SSO in Liferay with OKTA using SAML 2.0 protocol

Ankit Srivastava
Ankit Srivastava
A Minute Read

In this blog, I am listing the steps to configure SSO in Liferay with OKTA using SAML 2.0 protocol.

OKTA is an enterprise grade identity management service, built from the ground up in the cloud. Okta identity management service provides directory services, SSO, strong authentication, provisioning, workflow and built in reporting.

If you are not familiar with SAML, check out awesome blog by Mika Koivisto.

I used Liferay 6.1 EE GA2 bundled with Tomcat in this exercise.

I followed these steps: 

  1. Create account at http://www.okta.com/ for enterprise trial.
  2. You will get a confirmation with URL at your email address. You will able to see this screen once you access URL mentioned in mail.

3. Go to Applications tab and add a new application using SAML 2.0

 

4. Provide app name: 

 

5. Define SSO Url, SP entity ID, name ID format and default username at next screen. 

 

6. Make app as internal and finish, once done navigate to SSO tab. 

7. Click view setup instructions: 

Save content of  IDP metdata into octametadata.xml file.

Now we are done with OKTA (IDP) configuration setup.

Configuration at Liferay (SP) Side:

  1. Extract Liferay bundle into some location.
  2. Start the server and deploy SAML plugin downloaded through marketplace.
  3. Paste octametdata.xml file into data folder of Liferay.

 4.  Create the keystore using java key tool along with the public and private keys.

              keytool -genkeypair -alias samlspdemo -keyalg RSA -keysize 2048 -keypass password -keystore data/keystoresp.jks

 5. Once done create portal-ext.properties in Liferay Home and add these lines into this file:  

saml.role=sp

saml.entity.id=samlspdemo 

saml.metadata.paths={location of saved octametdata.xml}

# # Keystore #

saml.keystore.type=jks

saml.keystore.path=${liferay.home}/data/keystoresp.jks

saml.keystore.password=password

saml.keystore.credential.password[samlspdemo]=password

 

# # Service Provider #

saml.sp.default.idp.entity.id=http://www.okta.com/kpqs6np8EEBKPQZCLHXQ

saml.sp.sign.authn.request=true

saml.sp.assertion.signature.required=false

saml.sp.clock.skew=3000

saml.sp.session.keepalive.url=http://localhost:8080/c/portal/saml/idp/keepalive

 6. Restart Liferay to check the functionality.

After this once you click login in Liferay portal, it will redirect you okta sign in page, enter credentials there and if you entered correct credentials it will redirect you to Liferay where you will be automatically login.

Note :

  1. Make sure you create same user in Liferay and OKTA for basic setup.
  2. Assign user to the app you created in OKTA.

 

 

Page Comments
Advait Trivedi
11 Years Ago
Hi Ankit,
Thanks for the post.
I have a question though, we dont require to add property "saml.metadata.paths" in SP configuration? Also, if not, then I would appreciate if you can shed some light on how SP gets hold of metadata.

Thanks,
Advait
Please sign in to reply.
thumbnail
Ankit Srivastava Advait Trivedi
11 Years Ago
Hi Advait,

Thanks for figuring it out. I missed that property and modified accordingly now.

Thanks:
Ankit
Please sign in to reply.
Advait Trivedi Ankit Srivastava
11 Years Ago
Hey Ankit,
What is will be the keep alive URL config property for SP?
Also, is there any documentation where we can read how keep alive url is used by SP?

Thanks,
Advait
Please sign in to reply.
thumbnail
Ankit Srivastava Advait Trivedi
11 Years Ago
Hi Advait,

Please refer SessionKeepAliveAction.java in SAML plugin. Here you can find how its being used in Idp and SP both.

Thanks:
Ankit
Please sign in to reply.
thumbnail
Rahul Jaiswal Ankit Srivastava
11 Years Ago
Hi Ankit,

Thanks for sharing this great stuff.

I configured my local liferayt instance as SP. It is now working great with Okta.

But I am running into one issue. After log-in via okta, sign-out is not working.

When I click on sign-out button, it is redirecting through
/c/portal/logout ---> /web/guest/home

Session remains alive and never getting expire.
Please sign in to reply.
Advait Trivedi Rahul Jaiswal
11 Years Ago
@Ankit,
I think OKTA doesn't support SingleLogout (SLO), if you check your SAML assertion in SAML Trace Firefox plugin you will see that SLO info is missing. So I guess, you will have to manually clean up SAML session without relying on assertions from OKTA (which is not good I think).
Please sign in to reply.
thumbnail
Praveen Singh Bais Rahul Jaiswal
10 Years Ago
Hey Rahul,

Did you get a solution to this problem ? We are also facing the same issue. Please help if you have already solved it.

Thanks
Please sign in to reply.
Montoo Garg
10 Years Ago
Hi Ankit,

Is it possible to test Liferay Portal SSO with-okta without exposing Liferay Portal URL over the internet? Liferay Portal is installed behind company firewall.

Thanks,
Montoo Garg
Please sign in to reply.
thumbnail
Vishnudas Lokhande
10 Years Ago
Hi Ankit ,
1 . Make sure you create same user in Liferay and OKTA for basic setup.
I have question here , what if the user is not available in portal and it is there in the Okta.

Does SAML imports and creates the user in Portal?

In this case how can we proceed?
Please sign in to reply.
thumbnail
Ankit Srivastava Vishnudas Lokhande
10 Years Ago
Hi Vishnudas,

If user is not available in Liferay portal and available in Idp, It will create that user in portal but make sure attribute mapping is correct.
Please sign in to reply.

Related Assets...

No Results Found

More Blog Entries...