How to configure Liferay SAML 2.0 Provider plugin in a Liferay Portal cluster environment behind a load balancer

Overview

This brief article outlines a high level solution for using the Liferay SAML 2.0 EE Provider plugin as the SAML SP in a clustered node environment.

The solution extends from using Liferay SAML 2.0 EE Provider plugin as the SAML SP in a single node environment and assumes the reader is already familiar with the SAML protocol and configuring the Liferay SAML 2.0 EE Provider plugin. Refer to references (below).

NOTE: This article was submitted to Liferay under change request ticket LRDOCS-1531 and was merged into the Liferay Portal 6.2 User Guide as the topic Setting Up Liferay as a SAML Service Provider in a Clustered Environment (effective Wed 07 Oct 2015).

Scenario

You wish to use SAML as the Single Sign-On (SSO) solution for your environment.

You have a Liferay Portal cluster with multiple nodes behind a load balancer (e.g. F5 BigIP): Liferay Portal node 1 (LP node 1) and Liferay Portal node 2 (LP node 2).

You have a third-party product participating as the SAML Identity Provider (IdP), such as F5 BigIP.

The Liferay Portal nodes will participate as SAML Service Providers (SPs).

High Level Solution

Step 1/ Configure SAML IdP and Liferay Portal node 1 as SAML SP as per other instructions

NOTE: See references (below) for Liferay Portal SAML IdP and/or SP configuration.

NOTE: Ensure LP node 1 is using the fully qualified name of the load balancer (FQN.LB.HOST) as the web.server.host in portal-ext.properties.

{code}
    #
    # Set the hostname that will be used when the portlet generates URLs.
    # Leaving this blank will mean the host is derived from the servlet
    # container.
    #
    web.server.host=FQN.LB.HOST
{code}


Step 2/ Repeat SAML SP config for Liferay Portal node 2 as per node 1

See step 1 (above).


Step 3/ Copy keystore file from LP node 1 to LP node 2 (for filesystem keystore manager only)

This step is only required if you have not changed the keystore manager property (saml.keystore.manager.impl) and are therefore using the default filesystem-based keystore manager.

The keystore file contains the valid or self-signed certificate managed by the SAML 2.0 EE Provider plugin.

The keystore file is stored according to the keystore manager defined by the portal property "saml.keystore.manager.impl":

{code}
    saml.keystore.manager.impl=com.liferay.saml.credential.FileSystemKeyStoreManagerImpl
{code}

By default the keystore file is located at:

{code}
    LIFERAY_HOME/data/keystore.jks
{code}

To ensure the Liferay Portal nodes use the same certificate, copy the file LIFERAY_HOME/data/keystore.jks from LP node 1 to LP node 2.

The keystore file storage location can be changed using a different keystore manager.

Refer to the SAML section of the article Integrating Existing Users into Liferay for more details.

If you configure the keystore manager to use a different storage mechanism (e.g. the Document Library), you do not need to copy the keystore file between portal nodes.


Step 4/ Review

At this stage, both LP nodes have the same SAML SP configuration, so either node can respond to web requests from the load balancer and handle the SAML SP/IdP protocol exchange.


Step 5/ Test

Test SAML as the SSO solution by signing into LP via the load balancer, navigating sites and pages, then signing out.
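As an added example that is not part of the original article, the following script checks the two node properties Steps 1 to 3 depend on before you test SSO: that every node generates URLs with the load balancer host, and that, with the default filesystem keystore manager, the nodes hold identical keystore.jks files. The load balancer name lb.example.com and the two sample LIFERAY_HOME directories it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added consistency check (not from the original article). Assumes each node's
# LIFERAY_HOME holds portal-ext.properties and, with the default filesystem
# keystore manager, data/keystore.jks.

# Print one property value (last definition wins, empty if the key is unset).
prop_value() {  # $1 = properties file, $2 = property key
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | sed 's/^[^=]*=//' | tr -d '[:space:]'
}

# Return 0 when both nodes use the load balancer host and, if the keystore lives
# on local disk (Step 3), their keystore.jks files are byte-for-byte identical.
check_nodes() {  # $1 = LB host, $2 = LIFERAY_HOME of node 1, $3 = LIFERAY_HOME of node 2
    lb="$1"; node1="$2"; node2="$3"; rc=0
    for home in "$node1" "$node2"; do
        host=$(prop_value "$home/portal-ext.properties" web.server.host)
        if [ "$host" != "$lb" ]; then
            echo "FAIL: $home has web.server.host='$host', expected '$lb'"; rc=1
        fi
    done
    mgr=$(prop_value "$node1/portal-ext.properties" saml.keystore.manager.impl)
    # Unset or FileSystemKeyStoreManagerImpl means each node reads its own disk.
    if [ -z "$mgr" ] || [ "$mgr" = com.liferay.saml.credential.FileSystemKeyStoreManagerImpl ]; then
        if ! cmp -s "$node1/data/keystore.jks" "$node2/data/keystore.jks"; then
            echo "FAIL: data/keystore.jks differs between nodes; copy it from node 1 to node 2"; rc=1
        fi
    fi
    return $rc
}

# Constructed sample: two fake LIFERAY_HOMEs under $1; node 2 still has the
# default (blank) web.server.host, which the check must report.
make_sample() {  # $1 = scratch directory
    for n in node1 node2; do
        mkdir -p "$1/$n/data"
        echo 'saml.keystore.manager.impl=com.liferay.saml.credential.FileSystemKeyStoreManagerImpl' > "$1/$n/portal-ext.properties"
        echo 'not-a-real-keystore' > "$1/$n/data/keystore.jks"
    done
    echo 'web.server.host=lb.example.com' >> "$1/node1/portal-ext.properties"
}

# Stand-alone run against the constructed sample.
scratch=$(mktemp -d)
make_sample "$scratch"
if check_nodes lb.example.com "$scratch/node1" "$scratch/node2"; then
    echo "nodes consistent"
else
    echo "fix the reported node(s) before testing SSO through the load balancer"
fi
rm -rf "$scratch"
```

On real nodes, point check_nodes at each node's LIFERAY_HOME (mounted or copied locally) with your load balancer's fully qualified name in place of lb.example.com.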


References