OpenId Connect and SAML on Liferay

Fabian Bouché, modified 6 Years ago. New Member Posts: 12 Join Date: 4/8/16 Recent Posts
Hi!

I've been able to successfully test Liferay DXP 7.2 against Keycloak 6.0.1 using both the SAML 2 protocol (using the official SAML plugin on the marketplace) and the OpenId Connect protocol that has built-in support in Liferay.

However, I think there is an issue in the way the SAML plugin behaves. As soon as it is enabled, it takes precedence over the sign-in portlet each time a user tries to access a protected resource while being disconnected (a /group bookmark or a session timeout).

This is an issue as soon as I have different populations of users who access the same portal using either the SAML 2 protocol or OpenId Connect.

I think Liferay DXP needs the authentication to be managed in a comprehensive way, whatever the SSO protocol. It's a pity the SAML module has been rewritten while retaining this feature apart from the other SSO features.

I'll check and let you know if it's feasible to write some request interceptor to prevent the SAML plugin from taking precedence and redirect the user back to a sign-in portlet if I were able to recognize that this user logged in using some other provider.

Kind regards,
Fabian
Fabian Bouché, modified 6 Years ago. New Member Posts: 12 Join Date: 4/8/16 Recent Posts
Hi!

Replying to myself ;-)

Had a look at the SAML plugin source code.

The SAML plugin takes precedence over /c/portal/login (and logout) through a Servlet Filter in class com.liferay.saml.runtime.internal.servlet.filter.SamlSpSsoFilter.

I wrote a similar Servlet Filter with property url-pattern=/c/portal/login. In the processFilter method, I was able to response.sendRedirect to the sign-in portlet URL and break the filter chain in order to prevent the SAML plugin from taking precedence.

[Next steps]

Write some post login event processing so that a prior successful OpenId Connect login writes some cookie with the ID provider reference.

Read that cookie to determine the behaviour of my Filter:
  • If cookie present: compose sign-in portlet URL and provide ID provider
  • Otherwise, super.processFilter and SAML plugin will take over

Apply the same logic over /c/portal/logout to prevent the SAML plugin from performing its logout process on someone who logged in through OIDC.
Andrew Jardine, modified 6 Years ago. Liferay Legend Posts: 2416 Join Date: 12/22/10 Recent Posts
Hi Fabian,
What about maybe writing a servlet filter with a higher service ranking than the out-of-the-box one? I can see in the portal source under modules/apps/portal-security-sso/portal-security-sso-opensso-impl probably everything you need. It's an internal package item unfortunately, so you won't be able to extend it (without using David's trickery from one of his posts), but you could start by just making a copy of it in your own module and using a higher service ranking:
@Component(
    configurationPid = "com.liferay.portal.security.sso.opensso.configuration.OpenSSOConfiguration",
    immediate = true,
    property = {
        "before-filter=Auto Login Filter", "dispatcher=FORWARD",
        "dispatcher=REQUEST", "servlet-context-name=",
        "servlet-filter-name=SSO Open SSO Filter",
        "url-pattern=/c/portal/login", "url-pattern=/c/portal/logout"
    },
    service = Filter.class
)
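Putting Fabian's plan (a filter on /c/portal/login and /c/portal/logout driven by an IdP marker cookie written by a post-login event) together with Andrew's suggestion (register it as a Filter component with a higher service ranking), here is an added example of what such a module could look like. It is not code from the thread, from the Liferay portal source or from the SAML plugin. Assumptions, all labelled in the comments: the package, class and cookie names are constructed; the `service.ranking` value and the claim that it places this filter ahead of the SAML SP SSO filter follow Andrew's suggestion and are not verified here; `OIDC_SIGN_IN_URL` and the `OPEN_ID_CONNECT_SESSION` session attribute are placeholders that must be checked against the portal in use.

```java
// Added example, not from the thread, the Liferay portal source or the SAML plugin.
// File 1: IdpRoutingFilter.java, file 2 (below the marker): OidcMarkerPostLoginAction.java
package com.example.sso;                       // hypothetical package

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.osgi.service.component.annotations.Component;

import com.liferay.portal.kernel.events.Action;
import com.liferay.portal.kernel.events.LifecycleAction;
import com.liferay.portal.kernel.log.Log;
import com.liferay.portal.kernel.log.LogFactoryUtil;
import com.liferay.portal.kernel.servlet.BaseFilter;

@Component(
    immediate = true,
    property = {
        "before-filter=Auto Login Filter",       // same slot as the OOTB SSO filters
        "dispatcher=FORWARD", "dispatcher=REQUEST",
        "servlet-context-name=",
        "servlet-filter-name=IdP Routing Filter",
        "service.ranking:Integer=1000",          // assumption: outranks the SAML SP SSO filter
        "url-pattern=/c/portal/login", "url-pattern=/c/portal/logout"
    },
    service = Filter.class
)
public class IdpRoutingFilter extends BaseFilter {

    // Constructed names: the cookie records which provider this browser signed in with.
    static final String IDP_COOKIE = "LFR_SSO_IDP";
    static final String IDP_OIDC = "oidc";
    // Placeholder: the URL of the maximized sign-in portlet that exposes the OIDC entry point.
    static final String OIDC_SIGN_IN_URL =
        "/web/guest/home?p_p_id=com_liferay_login_web_portlet_LoginPortlet&p_p_state=maximized";

    private static final Log _log = LogFactoryUtil.getLog(IdpRoutingFilter.class);

    @Override
    protected Log getLog() {
        return _log;
    }

    @Override
    protected void processFilter(
            HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
        throws Exception {

        if (!IDP_OIDC.equals(readIdp(request))) {
            // No OIDC marker: let the chain continue so the SAML plugin keeps its default role.
            filterChain.doFilter(request, response);
            return;
        }

        if (request.getRequestURI().endsWith("/portal/logout")) {
            // OIDC user logging out: drop the marker and end the session here, so the
            // SAML filter further down the chain never starts its SAML logout.
            // Caveat: this bypasses Liferay's own logout action as well.
            Cookie expired = new Cookie(IDP_COOKIE, "");
            expired.setPath("/");
            expired.setMaxAge(0);
            response.addCookie(expired);
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            response.sendRedirect("/");
            return;
        }

        // OIDC user hitting /c/portal/login: send them to the sign-in portlet instead of
        // letting the SAML filter redirect them to the SAML IdP. Not calling doFilter
        // breaks the chain, which is the whole point.
        _log.debug("IdP marker is OIDC; redirecting to the sign-in portlet");
        response.sendRedirect(OIDC_SIGN_IN_URL);
    }

    // Returns the marker cookie's value, or null when the browser has none.
    static String readIdp(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie cookie : cookies) {
            if (IDP_COOKIE.equals(cookie.getName())) {
                return cookie.getValue();
            }
        }
        return null;
    }
}

// ---- File 2: OidcMarkerPostLoginAction.java (same package) ----
@Component(immediate = true, property = "key=login.events.post", service = LifecycleAction.class)
public class OidcMarkerPostLoginAction extends Action {

    // Assumption: the OIDC integration leaves a session attribute with this name after a
    // successful OIDC login; replace it with whatever marker your OIDC module provides.
    static final String OIDC_SESSION_ATTR = "OPEN_ID_CONNECT_SESSION";

    @Override
    public void run(HttpServletRequest request, HttpServletResponse response) {
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(OIDC_SESSION_ATTR) == null) {
            return;                              // not an OIDC login: write no marker
        }
        Cookie marker = new Cookie(IdpRoutingFilter.IDP_COOKIE, IdpRoutingFilter.IDP_OIDC);
        marker.setPath("/");
        marker.setHttpOnly(true);                // script never needs to read it
        marker.setSecure(request.isSecure());    // keep it off plain HTTP when TLS is in use
        response.addCookie(marker);
    }
}
```

The marker cookie carries no credential, only a routing hint, so tampering with it can at most send a browser to the other sign-in flow; the actual authentication still happens at the chosen IdP. The weak spot is the logout branch: because a servlet filter cannot skip a single later filter, the example ends the session itself, and a production version would have to reproduce whatever Liferay's logout action does (audit events, cookie cleanup) or trigger it through another path.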