How to configure Liferay SAML 2.0 Provider plugin in a Liferay Portal cluster environment behind a load balancer


This brief article outlines a high level solution for using the Liferay SAML 2.0 EE Provider plugin as the SAML SP in a clustered node environment.

The solution extends from using Liferay SAML 2.0 EE Provider plugin as the SAML SP in a single node environment and assumes the reader is already familiar with the SAML protocol and configuring the Liferay SAML 2.0 EE Provider plugin. Refer to references (below).

NOTE: This article was submitted to Liferay as per change request ticket LRDOCS-1531 and was  merged with the Liferay Portal 6.2 User Guide as topic Setting Up Liferay as a SAML Service Provider in a Clustered Environment (effective Wed 07 Oct 2015).


You wish to use SAML as the Single Sign-On (SSO) solution for your environment.

You have a Liferay Portal cluster with multiple nodes behind a load balancer (e.g. F5 BigIP). Liferay Portal node 1 (LP node 1) and Liferay Portal node 2 (LP node 2).

You have a third-party product participating as the SAML Identity Provider (IdP), such as F5 BigIP.
The Liferay Portal nodes will participate as SAML Service Providers (SPs).

High Level Solution

Step 1/ Configure SAML IdP and Liferay Portal node 1 as SAML SP as per other instructions

NOTE: See references (below) for Liferay Portal SAML IdP and/or SP configuration.

NOTE: Ensure LP node 1 is using the fully qualified name of the load balancer (FQN.LB.HOST) as the in

    # Set the hostname that will be used when the portlet generates URLs.
    # Leaving this blank will mean the host is derived from the servlet
    # container.

Step 2/ Repeat SAML SP config for Liferay Portal node 2 as per node 1

See step 1 (above).

Step 3/ Copy keystore file from LP node 1 to LP node 2 (for filesystem keystore manager only)

This step is only required if you have not changed the keystore manager property (saml.keystore.manager) and hence are using the default filesystem-based keystore manager.

The keystore file contains the valid or self-signed certificate managed by the SAML 2.0 EE Provider plugin.

The keystore file is stored according to the keystore manager defined by portal property "saml.keystore.manager.impl".



The default location for the keystore file is at location


To ensure the Liferay Portal nodes are using the same certificate, copy file “LIFERAY_HOME/data/keystore.jks” from LP node 1 to LP node 2

The keystore file storage location can be changed using a different keystore manager.

Refer to the SAML section of article Integrating Existing Users into Liferay for more details.

If you configure the keystore manager to use a different storage mechanism (eg. Document Library), you do not need to copy the keystore file between portal nodes.

Step 4/ Review

At this stage, the LP nodes have the same SAML SP configuration and either can respond to web requests and handle the SAML SP <> IdP protocol.

Step 5/ Test

Test SAML as SSO solution by signing into LP via load balancer, navigating sites and pages then signing out.