Liferay 6.2 and KeyCloak SSO
Dear all
I am new to Liferay. Currently my project is on Liferay 6.2 (Tomcat). There is a new requirement to pass the login action for our customer users to KeyCloak Single Sign On. The KeyCloak SSO is implemented by another vendor (refer to below). My question is how to redirect our Liferay portlet to SSO so the user can be authenticated and display an error page?
If it is a new user, the user will register on the KeyCloak SSO register page. After registering successfully, how do we redirect back to our page?
- Browser visits application. The application notices the user is not logged in, so it redirects the browser to vendor SSO to be authenticated. The application passes along a callback URL (a redirect URL) as a query parameter in this browser redirect that vendor SSO system will use when it finishes authentication.
- SAL SSO authenticates the user and creates a one-time, very short-lived, temporary code. Vendor SSO redirects back to the application using the callback URL provided earlier and additionally adds the temporary code as a query parameter in the callback URL.
- The application extracts the temporary code and makes a background, out-of-band REST invocation to vendor SSO to exchange the code for an identity, access and refresh token. Once this temporary code has been used once to obtain the tokens, it can never be used again. This prevents potential replay attacks.
You need to implement a Filter. I have linked to the opensso Filter in this Thread: https://liferay.dev/forums/-/message_boards/message/114849309
You basically need to do the same thing.
Hi Christoph
Thanks for your information. I found this link: https://liferay.dev/blogs/-/blogs/liferay-keycloak-integration , however it is for Liferay 7.0. I read it and found the below:
1. OpenID Connect Plugin to Liferay
2. Fill in all Key Cloak information
But how can I do the implementation of SSO in Liferay 6.2? Some suggest a Servlet Filter, Hook or Controller. Is there any Liferay API so I can read the KeyCloak configuration values in source code?
Thanks.
I have never tried to implement a Keycloak integration, but I think you need to add an adapter to Tomcat.
https://www.keycloak.org/docs/4.8/securing_apps/index.html#_tomcat_adapter
After doing that, your application (in this case Liferay) is protected by Keycloak. Then you need to implement an autologin filter similar to the OpenSSO implementation. There you need to find out the user. I am not sure if the following link is helpful, but the Tomcat adapter should add the token/user to the request and you should be able to read it.
https://stackoverflow.com/questions/31864062/fetch-logged-in-username-in-a-webapp-secured-with-keycloak
Take a look at the opensso code. Check the user, if it matches the session, everything is fine. Otherwise -> Authenticate (and maybe destroy the previous session).
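The approach described in the answer above, sketched as an added example (not part of the original thread and not Liferay's or Keycloak's own code): a Liferay 6.2 auto-login hook that reads the `KeycloakSecurityContext` request attribute set by the Tomcat adapter and maps it to an existing portal user. It assumes the adapter jars are visible to the hook's classloader and that users are matched by email address; the package and class names are hypothetical.

```java
package com.example.sso; // hypothetical package name

import com.liferay.portal.kernel.util.Validator;
import com.liferay.portal.model.User;
import com.liferay.portal.security.auth.BaseAutoLogin;
import com.liferay.portal.service.UserLocalServiceUtil;
import com.liferay.portal.util.PortalUtil;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

// Hypothetical class; register it via auto.login.hooks in portal-ext.properties.
public class KeycloakAutoLogin extends BaseAutoLogin {

    @Override
    protected String[] doLogin(
            HttpServletRequest request, HttpServletResponse response) throws Exception {

        // The adapter sets this attribute only after it has validated the token.
        // Do not fall back to headers or parameters: those are client-controlled.
        KeycloakSecurityContext ctx = (KeycloakSecurityContext)
                request.getAttribute(KeycloakSecurityContext.class.getName());
        if (ctx == null || ctx.getToken() == null) {
            return null; // not authenticated by Keycloak; no auto-login
        }
        AccessToken token = ctx.getToken();
        String email = token.getEmail();

        // Users self-register in Keycloak, so map only on a verified address.
        if (Validator.isNull(email) || !Boolean.TRUE.equals(token.getEmailVerified())) {
            return null;
        }

        // Assumption: match on email; no portal account is auto-created here.
        long companyId = PortalUtil.getCompanyId(request);
        User user = UserLocalServiceUtil.fetchUserByEmailAddress(companyId, email);
        if (user == null) {
            return null;
        }

        // AutoLogin contract: { userId, password, "password is encrypted" flag }.
        return new String[] {
            String.valueOf(user.getUserId()), user.getPassword(), Boolean.TRUE.toString()
        };
    }
}
```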
Hi

I have installed the Keycloak 6.0.1 Tomcat Adapter in our Liferay 6.2 CE. When I access the protected resource as specified in web.xml, it displays the Keycloak user login, which is correct. The issue is, after I log in, how am I going to retrieve the Keycloak username, token, etc.? Please advise. Thanks.

web.xml

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Private</web-resource-name>
            <url-pattern>/c/portal/protected</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>user</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>KEYCLOAK</auth-method>
        <realm-name>this is ignored currently</realm-name>
    </login-config>
    <security-role>
        <role-name>user</role-name>
    </security-role>

keycloak.json in war file

    {
      "realm": "SpringBootKeycloak",
      "auth-server-url": "http://localhost:8180/auth",
      "ssl-required": "external",
      "resource": "login-app",
      "credentials": {
        "secret": "a0aa7ff2-ed7d-4096-b212-9782d8eaf86f"
      },
      "confidential-port": 0
    }