Setting up Liferay Portal 6.1 EE as a SP

 

If you have followed the IdP setup you will find the setup steps very similar.
First we need to setup a keystore, we gonna use the java keytool to create a keystore we can easily use from command line.
It is cruzial to create the key with the name of the SP-entity we want to use in the portal-ext.properties. In this case we will use liferaysamlspdemo
To have the keystore in a directory we can adress from liferay properties we can for ease of use execute the command in the liferay data directory
 
 
keytool -genkey -keyalg RSA -alias liferaysamlspdemo -keystore keystore.jks -storepass liferay -validity 360 -keysize 2048
 
The command line output looks somewhat like
 
MacBook-Pro:data xxx$ keytool -genkey -keyalg RSA -alias liferaysamlspdemo -keystore keystore.jks -storepass liferay -validity 360 -keysize 2048
 
What is your first and last name?
  [Unknown]:  Liferay SAML SP Demo
What is the name of your organizational unit?
  [Unknown]:  Liferay SAML SP Demo
What is the name of your organization?
  [Unknown]:  Liferay SAML SP Demo
What is the name of your City or Locality?
  [Unknown]:  Liferay SAML SP Demo
What is the name of your State or Province?
  [Unknown]:  Liferay SAML SP Demo
What is the two-letter country code for this unit?
  [Unknown]:  XX
Is CN=Liferay SAML SP Demo, OU=Liferay SAML SP Demo, O=Liferay SAML SP Demo, L=Liferay SAML SP Demo, ST=Liferay SAML SP Demo, C=XX correct?
  [no]:  yes
 
Enter key password for <liferaysamlspdemo>
(RETURN if same as keystore password):  
Re-enter new password: 
 
 
We need to bootstrap the SAML plugin in the portal-ext.properties
 
##
## SAML
##
 
# Enable SAML Plugin
saml.enabled=true
 
# Set the role to sp on the Service Provider side
saml.role=sp
 
# Set the SAML entity id, it matches the alias we used to setup the keystore
saml.entity.id=liferaysamlspdemo
 
# The metadata location for Identity Provider
saml.metadata.paths=http://localhost:8080/c/portal/saml/metadata
 
We also need a refererence to the keystore we setup earlier, therefore we need to add the following to portal-ext.properties
 
#
# Keystore
#
 
# keystore type
saml.keystore.type=jks
 
# location of the keystore
saml.keystore.path=${liferay.home}/data/keystore.jks
 
# pwd for accessing the keystore
saml.keystore.password=liferay
 
# pwd for accessing the certificate of the entity in the keystore
saml.keystore.credential.password[liferaysamlspdemo]=liferay
 
Finally we need to configure the Service Provider itsself there we add the following to portal-ext.properties
 
#
# Service Provider
#
 
# Service Provider SAML entity id
saml.sp.default.idp.entity.id=liferaysamlidpdemo
 
# Set the SAML authentication mandatory
saml.sp.sign.authn.request=true
 
# disable signatures for the demo
saml.sp.assertion.signature.required=false
 
# timeout setting for IdP clock deviation in ms
saml.sp.clock.skew=3000
 
# Session keep alive url
saml.sp.session.keepalive.url=http://localhost:8080/c/portal/saml/idp/keepalive
 
# Service Provider user attribute mappings
saml.sp.user.attribute.mappings=screenName=screenName\nemailAddress=emailAddress\nfirstName=firstName\nlastName=lastName
 
 
After applying these settings we can deploy the SAML-portlet plugin. I deployed first to the IDP and then to the SP.
 
http://localhost:8080/c/portal/saml/sso?entityId=liferaysamlspdemo
 
This url will initiate the SAML IdP based login process check out if it works.
 
njoy
 
p.s. This is a demo showing of the SAML 2 connection between 2 liferay instances on separate tomcats. Where one tomcat is the IdP on port 8080 and the SP is on a different liferay portal tomcat port 7080. 
 
Blogs
[...] Liferay 6.1 EE comes with SAML 2.0 Identity Provider and Service Provider support via SAML plugin. If you are not familiar with SAML check out my Introduction to SAML presentation slides. In this... [...] Read More
We got the 6.1 EE SAML plugin working all right, but the default behavior seems to ask the user to set password and security question before provisioning it. Is there a way to prevent this? Also we would like to disable local login and force the app to redirect to the IdP login page when authentication is required, what would be the best way to do it?
Try to set on the SP

users.reminder.queries.enabled=false

in portal ext properties and modify the default password policy so that it requires no password change.
You can disable the sign in portlet in plugins configuration and then also add your signurl in portal ext properties like this

auth.login.url=
HI - in Service Provider mode, is it capable of getting a user's groups from attributes? I am an EE user, and am potentially interested in using this plugin.

Thanks,

Al
We have a client who needs to implement Liferay as an SP for BOTH user login *and application login. We are already implementing SAML plugin for user login.

The Application login will be Liferay(SP) logging in to the IDP as an application user, not as a specific user so we need both. Does the SAML plugin have any support for this out of the box?

If not, would we need a BOTH a SAML metadata IDP XML for the user login *AND another SAML metadata IDP XML for the application login?

Thanks
Is it important to use the same keystore generated here for the ssl configuration of Tomcat or can this be different ?
I got Liferay 6.2 EE to work as SAML SP, but after login I was inspecting cookies that get created. I noticed that COMPANY_ID and ID cookies are not created when I login using SAML. But when I login using Liferay's internal login, these cookies gets created. Is there a way for me to get these cookies when I login using SAML ?

Thanks,
Advait
Perhaps it is obvious (it wasn't to me) but it should be noted that you need to add the IdP certificate to the Liferay SP keystore. I erroneously thought the IdP metadata import/link (the value of parameter: saml.metadata.paths) was sufficient to establish trust but this was not the case.

Without importing the IdP certificate, the SAMLResponse signature will be verified but it will be rejected due to lack of 'trust'.

I'm not sure if this is required but the alias you give the certificate during import should match the entityID assertion by the IdP.
For example:
keytool.exe -alias <IdP_entityID> -importcert -file <IdPcert.cer> -keystore keystore.jks
where keystore.jks is the same SP keystore created at the beginning of this post.

If the name/alias didn't match, I'm not sure it'd successfully lookup the certificate.
I am using Liferay 6.2 EE. After configuring the same as this blog, my portal is configured with the SP value (http://localhost:8080/group/control_panel/manage/-/server/properties/portal-properties). However, when I browse to the SP Metadata URL, I will be redirected back to portal URL, cannot download SP Metadata, why?
Thanks for the great Post, Is it possible to configure SP to connect to Multiple IdP ?.

Thanks,
Sanjay
[...] In this case Liferay was going to be the Service Provider (SP) and Okta was going to be the Identity Provider (IdP). I installed, configured and tested the plugin and everything worked great, but... [...] Read More
Hi Armin, nice blog seems informative and I want to try it out . But I need to find the Liferay SAML 2.0 portlet compatible with Liferay Portal 6.1 EE GA2. Can you tell mewhich version of Liferay SAML 2.0 would work and where I can download it ??
[...] Liferay Portal 6.2 User Guide - Integrating Existing Users into Liferay - SAML Setting up Liferay Portal 6.1 EE as an IdP Setting up Liferay Portal 6.1 EE as a SP [...] Read More
[...] LRDOCS-1531 - Adding SAML configuration as Service Provider in Liferay Portals in Cluster Context Liferay Portal 6.2 User Guide - Setting Up Liferay as a SAML Service Provider in a Clustered... [...] Read More