Liferay SSO with Azure AD
Is there a way to enable SSO with Azure AD without a third-party commercial identity provider? A Google search gives me some rather dated information; there does not seem to be a way to do that.
You could use Kerberos, OpenID Connect or SAML2. You can find a SAML2 module for Liferay DXP in the marketplace. I never had to do it myself, but in general, all three ways should work.
"OpenID is deprecated in Liferay DXP 7.2 and has been removed." Is OpenID not supported anymore? As to SAML2, I see only one adapter for the CE version, and the documentation is quite bad.
As I said, Liferay only supports SAML2 for DXP. It helps to tell people the exact Liferay version you use to get better tips.
OpenID != OpenID Connect
Basically OpenID is a dying standard, so the deprecation of OpenID support is quite reasonable.
https://help.liferay.com/hc/en-us/articles/360024805271-Authenticating-with-OpenID-Connect
We plan to use the Liferay free/community edition. The only CE SAML2 plugin is not free at all. You basically have to subscribe to their identity services. If I'm going to pay for Azure SSO for Liferay CE, fine. I want to know if there is a consulting firm I could hire or a product which I could purchase.
Since you need only an SP, maybe this library can help:
https://github.com/onelogin/java-saml
You could implement your own SAML2 SP Liferay Authenticator based on that.
Another idea: you could use the Shibboleth Apache plugin and do the SSO in Apache. I have used Shibboleth before, and it isn't too hard to set up. It is just a bit "ugly" since you need to write the XML files by hand. And adding a Liferay AutoLogin module based on headers is pretty trivial too.
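The header-based AutoLogin approach mentioned in the answer above, as an added example that is not part of the original thread or Liferay's own code. It assumes Liferay 7.x (`javax.servlet`), a hypothetical header name `X-SSO-Mail` set by the Apache proxy, and a proxy on `127.0.0.1`; the header is honoured only when the direct peer is that proxy, because anyone who can reach Tomcat directly could otherwise send the header themselves.

```java
package com.example.sso; // hypothetical package name

import com.liferay.portal.kernel.model.User;
import com.liferay.portal.kernel.security.auto.login.AutoLogin;
import com.liferay.portal.kernel.security.auto.login.BaseAutoLogin;
import com.liferay.portal.kernel.service.UserLocalService;
import com.liferay.portal.kernel.util.Portal;
import java.util.Collections;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

@Component(immediate = true, service = AutoLogin.class)
public class ProxyHeaderAutoLogin extends BaseAutoLogin {

    // Assumption: header the proxy sets after a successful SSO login.
    private static final String SSO_HEADER = "X-SSO-Mail";
    // Assumption: the only address allowed to assert an identity.
    private static final Set<String> TRUSTED_PROXIES =
        Collections.singleton("127.0.0.1");

    @Override
    protected String[] doLogin(
            HttpServletRequest request, HttpServletResponse response)
        throws Exception {

        // Ignore the header unless the TCP peer is the trusted proxy.
        // This relies on nothing upstream rewriting getRemoteAddr().
        if (!TRUSTED_PROXIES.contains(request.getRemoteAddr())) {
            return null;
        }
        String mail = request.getHeader(SSO_HEADER);
        if (mail == null || mail.trim().isEmpty()) {
            return null; // no SSO identity: fall through to normal login
        }
        long companyId = _portal.getCompanyId(request);
        User user = _userLocalService.fetchUserByEmailAddress(
            companyId, mail.trim());
        if (user == null) {
            return null; // unknown user: no automatic account creation
        }
        // {userId, stored password, "password is already encrypted"}
        return new String[] {String.valueOf(user.getUserId()),
            user.getPassword(), Boolean.TRUE.toString()};
    }

    @Reference private Portal _portal;
    @Reference private UserLocalService _userLocalService;
}
```

The proxy also has to overwrite any client-supplied copy of the header, and Tomcat's connector should listen only on an interface the proxy can reach.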
This is really useful. Are you saying Liferay could leverage Tomcat authentication? I'm new to Liferay. I'm planning to test out a hello <username> web app on Tomcat with Azure SSO using MSAL4J (https://docs.microsoft.com/en-us/samples/azure-samples/ms-identity-java-webapp/ms-identity-java-webapp/). If I could get that to work, does that mean it will work for Liferay as well? I just need to configure Liferay to use the same authenticator?
I am not sure if this will work easily. The problem is that this assumes that the application is deployed as a WAR file. In Liferay, an authentication module needs to be "inside" of Liferay as an OSGi module. Also, Spring and Liferay can be quite problematic too.
I have avoided Spring in the Liferay context for years now, and so I fear I can't even tell what's necessary to do to make this work.