Could Someone Provide Best Practices for Implementing Custom Authentication

Caroline Yesfir, modified 12 Months ago.


New Member, Posts: 5, Join Date: 8/10/24

Hello everyone,


I hope everybody is doing well. I'm currently working on a project that includes building a custom authentication method in Liferay 7.4, and I would like to get some guidance on best practices for ensuring a secure, efficient, and maintainable solution.


We are connecting Liferay 7.4 with a legacy system that requires a specific verification approach. The purpose is to allow users to log in to Liferay using their existing legacy system passwords.


  • We must validate users' credentials using the legacy system API rather than the regular Liferay user database.
  • We would like to create SSO so that once users have been approved through the legacy system, they may use Liferay and other connected services without having to log in again.
  • We want to sync specific user data, such as roles and permissions, from the legacy system to Liferay during the authentication process.
  • If the old system is inaccessible, we need an alternate strategy that relies on Liferay default authentication.

We have considered the following approaches but are unsure which would be the most effective, or whether there is a better choice.

  • We considered utilising authentication hooks to override the authenticate method, but we are concerned about potential breaking changes in future Liferay upgrades.
  • Another method is to create a special login portlet that handles the full authentication process, although we are not sure if this complicates the solution.
  • We have considered implementing Liferay's OAuth2 module to assist SSO integration; however, this would require extensive customization to operate with our legacy system.
  • Creating a REST API call to the legacy system during the login process appears simple, but we are concerned about the performance effects, particularly under high traffic.

  • What are the advantages and disadvantages of using authentication hooks over custom login portlets in Liferay 7.4?
  • Has anyone successfully completed a similar integration with a legacy system? If so, what challenges did you experience and how did you deal with them?
  • Are there any security concerns we should be aware of when creating a custom authentication method?
  • What is the ideal approach to handling user data synchronisation throughout the authentication process?
  • How can we design a dependable failover method that uses Liferay authentication if the legacy system fails?


I would like to hear about any relevant experiences, suggestions, or resources that can help us make an informed decision. We want to keep the implementation as future-proof as possible, so any suggestions for avoiding typical issues would be very welcome.


Also, I explored some related topics, such as https://liferay.dev/ask/questions/liferay-learn-feedback/installing-and-updating-blade-ccsp-document-doesn-t-actually-install-blade, but I did not find a sufficient solution to my query, so I would really like some help from a more experienced person.


Thank you in advance for your suggestions.
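The following is an added example, not code from the post above or from Liferay itself, showing the shape of a custom authenticator that addresses three of the questions raised: validating against the legacy API, syncing roles during login, and failing over to Liferay's own password check only when the legacy system is unreachable. It registers an `Authenticator` OSGi component in Liferay's pre-authentication pipeline (the supported 7.x extension point, which survives upgrades better than overriding portal classes). Assumptions are marked in the code: the legacy endpoint URL and its contract (HTTP Basic credentials, 200 with a comma-separated list of role names on success, 401 on rejection) are hypothetical; the pipeline constants, `auth.pipeline.enable.liferay.check` staying at its default of true, and the `UserLocalService` and `RoleLocalService` calls are from Liferay 7.4's portal-kernel API.

```java
import com.liferay.portal.kernel.log.Log;
import com.liferay.portal.kernel.log.LogFactoryUtil;
import com.liferay.portal.kernel.model.Role;
import com.liferay.portal.kernel.model.User;
import com.liferay.portal.kernel.security.auth.Authenticator;
import com.liferay.portal.kernel.service.RoleLocalService;
import com.liferay.portal.kernel.service.UserLocalService;

import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.util.Base64;
import java.util.Map;

import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

// Pre-pipeline authenticator: the legacy system verifies the password. Assumes the default
// auth.pipeline.enable.liferay.check=true, so SUCCESS still runs Liferay's own password check
// (the failover path) while SKIP_LIFERAY_CHECK means the legacy system fully verified the login.
@Component(property = "key=auth.pipeline.pre", service = Authenticator.class)
public class LegacySystemAuthenticator implements Authenticator {

	// Hypothetical legacy endpoint. HTTPS only: the user's cleartext password is sent to it.
	private static final URI LEGACY_VERIFY_URI = URI.create("https://legacy.example.internal/api/verify");
	private static final Duration TIMEOUT = Duration.ofSeconds(3); // bounded wait so an outage cannot pin login threads

	private enum Verdict { VALID, INVALID, UNAVAILABLE }

	@Override
	public int authenticateByEmailAddress(long companyId, String emailAddress, String password,
			Map<String, String[]> headerMap, Map<String, String[]> parameterMap) {
		return _authenticate(companyId, emailAddress, password);
	}

	@Override
	public int authenticateByScreenName(long companyId, String screenName, String password,
			Map<String, String[]> headerMap, Map<String, String[]> parameterMap) {
		User user = _userLocalService.fetchUserByScreenName(companyId, screenName);
		return (user == null) ? DNE : _authenticate(companyId, user.getEmailAddress(), password);
	}

	@Override
	public int authenticateByUserId(long companyId, long userId, String password,
			Map<String, String[]> headerMap, Map<String, String[]> parameterMap) {
		User user = _userLocalService.fetchUser(userId);
		return (user == null) ? DNE : _authenticate(companyId, user.getEmailAddress(), password);
	}

	private int _authenticate(long companyId, String emailAddress, String password) {
		String[] roleNames = new String[0];
		Verdict verdict = Verdict.UNAVAILABLE;  // timeouts, transport errors and 5xx all count as an outage
		try {
			HttpResponse<String> response = _httpClient.send(
				_verifyRequest(emailAddress, password), HttpResponse.BodyHandlers.ofString());
			if (response.statusCode() == 200) {       // hypothetical API: 200 with a "Role A,Role B" body
				verdict = Verdict.VALID;
				roleNames = response.body().split(",");
			}
			else if (response.statusCode() == 401) {  // hypothetical API: 401 = credentials rejected
				verdict = Verdict.INVALID;
			}
		}
		catch (IOException e) {
			// connect/read timeout, TLS or DNS failure: verdict stays UNAVAILABLE
		}
		catch (InterruptedException e) {
			Thread.currentThread().interrupt();
		}
		if (verdict == Verdict.VALID) {
			_syncRoles(companyId, emailAddress, roleNames);
			return SKIP_LIFERAY_CHECK;  // verified by the legacy system; Liferay's own check is skipped
		}
		if (verdict == Verdict.INVALID) {
			return FAILURE;             // a password the legacy system rejected must never fall through
		}
		// Failover only on outage. Logged without the password so a spike in fallbacks is visible.
		_log.warn("Legacy authentication unavailable; Liferay password check decides for " + emailAddress);
		return SUCCESS;
	}

	private HttpRequest _verifyRequest(String emailAddress, String password) {
		String basic = Base64.getEncoder().encodeToString(
			(emailAddress + ":" + password).getBytes(StandardCharsets.UTF_8));
		return HttpRequest.newBuilder(LEGACY_VERIFY_URI).timeout(TIMEOUT)
			.header("Authorization", "Basic " + basic).POST(HttpRequest.BodyPublishers.noBody()).build();
	}

	// Legacy role names map by name onto roles that already exist in Liferay; unknown names are
	// ignored so the legacy side cannot mint roles. Add-only: revocations are not propagated here.
	private void _syncRoles(long companyId, String emailAddress, String[] roleNames) {
		User user = _userLocalService.fetchUserByEmailAddress(companyId, emailAddress);
		if (user == null) return;
		for (String roleName : roleNames) {
			Role role = _roleLocalService.fetchRole(companyId, roleName.trim());
			if (role != null) _userLocalService.addRoleUser(role.getRoleId(), user.getUserId());
		}
	}

	private static final Log _log = LogFactoryUtil.getLog(LegacySystemAuthenticator.class);
	private final HttpClient _httpClient = HttpClient.newBuilder().connectTimeout(TIMEOUT).build();

	@Reference private RoleLocalService _roleLocalService;
	@Reference private UserLocalService _userLocalService;
}
```

The security-relevant part is the three-way verdict. Collapsing "rejected" into "unavailable" would let a password the legacy system has already refused (or rotated) still log in through a stale Liferay password, so only a genuine outage reaches the `SUCCESS` fallback, and even that is a deliberate downgrade: it only works for users who have a Liferay password on record, and the warning line should feed monitoring so that a sustained run of fallbacks is investigated rather than silently tolerated. The timeout keeps an outage from exhausting the login thread pool, which addresses the high-traffic concern; the role sync is add-only and happens at login, so revoked legacy roles need a separate reconciliation job.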
