How to configure Liferay Portal 6.2 EE as SAML IdP and SAML SP

Overview

According to Wikipedia, the Security Assertion Markup Language (SAML), pronounced "sam-el" is,

"... an XML-based, open-standard data format for exchanging authentication and authorization data between parties,
in particular, between an identity provider and a service provider."


The SAML protocol can be used to implement a Single Sign-On (SSO) authentication service.

This article outlines the steps to configure Liferay Portal 6.2 EE as a SAML Identity Provider (IdP) and a SAML Service Provider (SP).

NOTE: The SAML specification recommends a URL as the SAML IdP and SP entity ID; however, the Liferay SAML 2.0 Provider does not support URLs as the entity ID, so a plain label (e.g. samlidp) must be used instead.

 

Scenario

You wish to test the use of SAML as the Single Sign-On (SSO) service for your environment.

You want to configure Liferay Portal 6.2 EE as a SAML IdP and SAML SP.

 

Test Environment

LP SAML IdP

  • Using Liferay Portal 6.2 EE SP10 (6.2.10.11) + Apache Tomcat 7.x bundle
    • NOTE: Available from Liferay Customer Portal
    • NOTE: Listening on port 8080 (default)

LP SAML SP

  • Using Liferay Portal 6.2 EE SP10 (6.2.10.11) + Apache Tomcat 7.x bundle
    • NOTE: Available from Liferay Customer Portal
    • NOTE: Listening on port 9080 (custom)

Liferay SAML 2.0 Provider

  • Liferay SAML 2.0 Provider EE plugin (saml-portlet.war), installed on both LP SAML IdP and LP SAML SP

Web browsers

  • Mozilla Firefox
    • NOTE: This will be the first web browser used for accessing LP SAML IdP (port 8080)
  • Google Chrome (second web browser)
    • NOTE: This will be the second web browser used for accessing LP SAML SP (port 9080)
    • NOTE: Two different browsers are used because browser cookies are not isolated by port, so a single browser would share one localhost session (and its JSESSIONID cookie) between LP SAML IdP and LP SAML SP.
       

Configuration

Configuration is based on the following articles:

Configuration Tasks

1/ Install Liferay Portal as SAML IdP

  • LP SAML IdP installed under /opt/lportal/saml-idp
  • LP SAML IdP listening on port 8080


2/ Install Liferay Portal as SAML SP

  • LP SAML SP installed under /opt/lportal/saml-sp
  • LP SAML SP listening on port 9080


3/ Configure Liferay Portal as SAML IdP

  • NOTE: LP SAML plugin is configured as SAML IdP
  • NOTE: LP SAML IdP contains references to LP SAML SP

 

4/ Test LP SAML IdP

Add test user to LP SAML IdP.

 

5/ Configure Liferay Portal as SAML SP

  • NOTE: LP SAML plugin is configured as SAML SP
  • NOTE: LP SAML SP contains references to LP SAML IdP


6/ Test LP SAML SP.

Add test user to LP SAML SP.


7/ Test SAML SSO with test user.

Test SAML SSO with test user.

 

Install Liferay Portal 6.2 EE as SAML IdP

PENDING: SAML 2.0 EE plugin UI


1/ Create LP SAML IdP installation folder


e.g.

/opt/lportal/saml-idp


2/ Extract LP + TC bundle


e.g.

/opt/lportal/saml-idp/liferay-portal-6.2-ee-sp10


3/ Configure Apache Tomcat


no changes, use defaults


4/ Start portal


5/ Confirm TC is listening on port 8080 (default)


Review TC log file for warnings or errors.


6/ Connect to portal on port 8080 (default) with first web browser and confirm portal is available.

http://localhost:8080/


7/ Sign in as admin user

e.g. test@liferay.com


8/ Install Liferay SAML 2.0 Provider EE plugin

Install Liferay SAML 2.0 Provider EE plugin (saml-portlet.war)


9/ Confirm SAML plugin installed

Control Panel > Configuration > SAML Admin


10/ Rename default portal site to assist with testing.


Navigate to "Control Panel > Sites > Liferay".

Rename site from "Liferay" to "Liferay SAML IdP".


11/ Configure SAML portal logging

How to trace the Liferay SAML 2.0 Provider EE plugin


12/ Stop portal

Stop portal.


Install Liferay Portal 6.2 EE as SAML SP

TODO: Update steps with GUI configuration in SAML 2.0 EE plugin.


1/ Create LP SAML SP installation folder and extract LP + TC bundle


e.g.

/opt/lportal/saml-sp

/opt/lportal/saml-sp/liferay-portal-6.2-ee-sp10


2/ Configure Apache Tomcat


FILE: /opt/lportal/saml-sp/liferay-portal-6.2-ee-sp10/tomcat/conf/server.xml


3/ Edit server.xml file and update ports so that the SP does not collide with the IdP, which keeps the Tomcat defaults on the same host


** Server shutdown port (<Server port="...">) from 8005 to 9005 (custom)
** HTTP connector port from 8080 to 9080 (custom)
** redirect port (redirectPort on both connectors) from 8443 to 9443 (custom)
** AJP connector port from 8009 to 9009 (custom)
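The four port changes above as a script, added here as an example; it is not part of the Liferay bundle or of this article's original steps. The server.xml text inside it is a constructed, trimmed copy of the default Tomcat 7 layout, and the script also checks that the rewritten file binds no port the IdP instance still uses:

```python
import re
import sys
from pathlib import Path

# Constructed sample of the parts of a default Tomcat 7 server.xml that the
# procedure touches (trimmed; not copied from the Liferay bundle).
SAMPLE_SERVER_XML = """<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" URIEncoding="UTF-8" />
    <Connector port="8009" protocol="AJP/1.3"
               redirectPort="8443" URIEncoding="UTF-8" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

# Default -> custom ports from the procedure: LP SAML IdP keeps the Tomcat
# defaults, LP SAML SP moves to the 9xxx ports.
SP_PORT_MAP = {"8005": "9005", "8080": "9080", "8443": "9443", "8009": "9009"}


def remap_ports(server_xml, port_map):
    """Return server_xml with every port="..." / redirectPort="..." attribute
    value translated through port_map. Only those two attributes are
    touched, so connectionTimeout="20000" and similar numbers are left
    alone; a port that is not in the map is left unchanged."""
    def swap(match):
        attr, value = match.group(1), match.group(2)
        return '%s="%s"' % (attr, port_map.get(value, value))
    return re.sub(r'\b(port|redirectPort)="(\d+)"', swap, server_xml)


def listen_ports(server_xml):
    """Ports this server.xml will bind: the shutdown port on <Server> plus
    the port of every <Connector> (redirectPort is not bound)."""
    return set(re.findall(r'<(?:Server|Connector)\b[^>]*?\bport="(\d+)"',
                          server_xml))


def colliding_ports(idp_xml, sp_xml):
    """Ports both instances would try to bind. Must be empty when both
    bundles run on one host; otherwise the second instance fails to start
    and the TC log shows 'Address already in use'."""
    return sorted(listen_ports(idp_xml) & listen_ports(sp_xml))


def rewrite(path, port_map):
    """Rewrite a server.xml in place, keeping a .orig copy for rollback."""
    path = Path(path)
    original = path.read_text(encoding="utf-8")
    Path(str(path) + ".orig").write_text(original, encoding="utf-8")
    path.write_text(remap_ports(original, port_map), encoding="utf-8")


if __name__ == "__main__":
    # Usage: python remap_tomcat_ports.py <path to the SP's tomcat/conf/server.xml>
    if len(sys.argv) > 1:
        rewrite(sys.argv[1], SP_PORT_MAP)
    sp_xml = remap_ports(SAMPLE_SERVER_XML, SP_PORT_MAP)
    print("SP will bind:", sorted(listen_ports(sp_xml)))
    print("collisions with IdP defaults:", colliding_ports(SAMPLE_SERVER_XML, sp_xml))
```

Run it with the path of the SP's server.xml as the only argument; it writes a .orig copy beside the file before changing it. After the SP portal is started, `ss -ltn` (or `netstat -lnt`) should list 9005, 9080 and 9009 alongside the IdP's 8005, 8080 and 8009.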


4/ Start portal


5/ Confirm TC is listening on port 9080 (custom)


Review TC log file for warnings or errors.


6/ Connect to portal on port 9080 (custom) with second web browser and confirm portal is available.


http://localhost:9080/


7/ Sign in as admin user


8/ Install Liferay SAML 2.0 Provider EE plugin

 

9/ Confirm SAML plugin installed


Control Panel > Configuration > SAML Admin


10/ Rename default portal site to assist with testing.


Navigate to "Control Panel > Sites > Liferay".

Rename site from "Liferay" to "Liferay SAML SP".


11/ Configure SAML portal logging
 

 

Configure LP SAML IdP

1/ Connect to LP SAML IdP


http://localhost:8080/


2/ Sign in as admin user

 

3/ Navigate to SAML admin console


Control Panel > Configuration > SAML Admin


4/ Select General tab (default)


5/ Select "Identity Provider" for SAML Role

 

6/ Enter "samlidp" for SAML Entity ID


7/ Click Save button

 

8/ Update Certificate and Private Key details

In the Certificate and Private Key section, enter the following:

  • Common Name: samlidp
  • Organization: samlidp
  • Organization Unit: {leave blank}
  • Locality: {leave blank}
  • State: {leave blank}
  • Country: US
  • Validity (days) (Required): 356
  • Key Algorithm: RSA
  • Key Length (Bits): 2048
  • Key Password (Required): samlidp

    

9/ Configure SAML SP

 

  • Name : samlsp
  • Entity ID : samlsp
    • NOTE: SAML SP entity ID must be a plain text label.
    • NOTE: Liferay Portal 6.2 SAML 2.0 EE Provider does not support URLs for the entity ID.
  • Metadata URL : http://localhost:9080/c/portal/saml/metadata   (NOTE: SAML SP listening on port 9080)
    • NOTE: The IdP trusts the signing certificate published in this metadata. Fetching it over plain HTTP is acceptable only for a localhost test; anywhere else use HTTPS, or compare the certificate fingerprint with the one shown on the SP out of band.
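A check worth running before saving the SP connection: fetch the SP metadata the IdP is about to trust and confirm that the entity ID, the assertion consumer endpoint and the signing certificate fingerprint match what the SP itself shows. This is an added example, not code from the Liferay plugin or from the original article. The metadata document inside it is constructed (the endpoint paths under /c/portal/saml/ and the certificate bytes are placeholders), and the fingerprint helper produces the same hex as keytool -list -v or openssl x509 -fingerprint -sha256 only when fed a real DER certificate:

```python
import base64
import hashlib
import urllib.request
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for the DER certificate bytes; a real SP publishes the
# self-signed certificate generated in its "Certificate and Private Key" step.
FAKE_CERT_DER = b"constructed placeholder, not a real X.509 certificate"

# Constructed SP metadata in the shape a SAML 2.0 SP publishes. Endpoint
# paths are illustrative, not copied from the plugin.
SAMPLE_SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="samlsp">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:9080/c/portal/saml/acs" index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
""" % base64.b64encode(FAKE_CERT_DER).decode("ascii")


def entity_id_is_plain_label(entity_id):
    """The Liferay 6.2 SAML plugin throws an NPE on URL entity IDs (see the
    Known Limitations section), so reject anything that looks like a URL."""
    return bool(entity_id) and "://" not in entity_id and "/" not in entity_id


def cert_fingerprint_sha256(cert_b64):
    """SHA-256 over the DER bytes, colon-separated upper-case hex as
    'keytool -list -v' and 'openssl x509 -fingerprint -sha256' print it."""
    der = base64.b64decode("".join(cert_b64.split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def inspect_sp_metadata(xml_text, expected_entity_id):
    """Parse SP metadata and return the facts to cross-check against the
    IdP's 'Configure SAML SP' entry. Raises ValueError on a mismatch.
    For metadata from an untrusted source parse with defusedxml instead."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    if entity_id != expected_entity_id:
        raise ValueError("entityID %r does not match expected %r" % (entity_id, expected_entity_id))
    if not entity_id_is_plain_label(entity_id):
        raise ValueError("entityID %r is a URL; the Liferay 6.2 plugin needs a plain label" % entity_id)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")
    fingerprints = []
    for kd in sp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            fingerprints.append(cert_fingerprint_sha256(cert.text))
    acs = [(e.get("Binding"), e.get("Location"))
           for e in sp.findall("md:AssertionConsumerService", NS)]
    return {
        "entity_id": entity_id,
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "signing_cert_sha256": fingerprints,
        "acs": acs,
        # Assertions travel through the browser to these URLs; anything that
        # is not https is acceptable only for a localhost test like this one.
        "plaintext_endpoints": [loc for _, loc in acs if not loc.startswith("https://")],
    }


def fetch_and_inspect(metadata_url, expected_entity_id, timeout=10):
    """Live variant, e.g.
    fetch_and_inspect("http://localhost:9080/c/portal/saml/metadata", "samlsp")"""
    with urllib.request.urlopen(metadata_url, timeout=timeout) as resp:
        return inspect_sp_metadata(resp.read().decode("utf-8"), expected_entity_id)
```

Compare the returned fingerprint with the certificate the SP's SAML Admin page shows (or with keytool -list -v against the SP's SAML keystore); a difference means the IdP fetched someone else's metadata, or a stale copy after the SP certificate was regenerated.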


10/ Add SAML test user

NOTE: Manual user creation required when LDAP is disabled, to ensure the user exists in both LP SAML IdP and LP SAML SP.

  • Email Address : saml.user@permeance.com.au
  • First Name : SAML
  • Last Name : User
  • Password : samlidp
    • NOTE: Deliberately different from the password given to the same user on LP SAML SP, so the test cases can tell an SSO sign in apart from a local portal database sign in.

 

Configure LP SAML SP

1/ Connect to LP SAML SP

e.g.


http://localhost:9080/
 

2/ Sign in as admin user and navigate to the SAML admin console

Control Panel > Configuration > SAML Admin


3/ Select General tab (default)


4/ Select "Service Provider" for SAML Role


5/ Enter "samlsp" for SAML Entity ID


6/ Click Save button

 

7/ Update Certificate and Private Key details


In the Certificate and Private Key section, enter the following:

  • Common Name: samlsp
  • Organization: samlsp
  • Organization Unit: {leave blank}
  • Locality: {leave blank}
  • State: {leave blank}
  • Country: AU
  • Validity (days) (Required): 356
  • Key Algorithm: RSA
  • Key Length (Bits): 2048
  • Key Password (Required): samlsp


8/ Configure SAML IdP connection

The fields mirror those used for the SP connection on LP SAML IdP.

  • Name : samlidp
  • Entity ID : samlidp
    • NOTE: Must match the SAML Entity ID configured on LP SAML IdP.
  • Metadata URL : http://localhost:8080/c/portal/saml/metadata   (NOTE: SAML IdP listening on port 8080)


9/ Add SAML test user


NOTE: Manual user creation required when LDAP is disabled, to ensure the user exists in both LP SAML IdP and LP SAML SP.

  • Email Address : saml.user@permeance.com.au
  • First Name : SAML
  • Last Name : User
  • Password : samlsp
    • NOTE: Deliberately different from the password given to the same user on LP SAML IdP, so the test cases can tell an SSO sign in apart from a local portal database sign in.

 

Testing

Test Case - Test login to LP SAML SP as SAML user

Scenario

We wish to test the SAML SSO for LP SAML SP using the SAML user.

We expect the SAML user can authenticate via SSO using the password "samlidp".

NOTE: The SAML user password "samlidp" is the one registered with LP SAML IdP, hence it is valid for authentication with LP SAML IdP.

Steps

1/ Connect to LP SAML SP

e.g.

http://localhost:9080/

2/ Sign in as SAML user (saml.user@permeance.com.au) via the sign in link (top right of page), which redirects to LP SAML IdP; enter the password "samlidp" there

3/ Expected outcome : Authentication passes

4/ Actual outcome : Authentication passes

5/ Test outcome : PASS

* NOTE: Portal users registered with LP SAML SP can still sign in via Sign In Portlet, which authenticates using portal database, not SSO.
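When this test fails, the first thing to look at is the SAMLRequest the SP sends to the IdP: it is visible in the browser address bar right after the sign in link is clicked (HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encoding). The following is an added example, not code from the plugin or from the original article. It builds such a redirect URL for a constructed AuthnRequest, decodes it again and checks the two fields that must agree with the IdP configuration: Issuer against the SP entity ID (samlsp) and Destination against the IdP SSO URL. The /c/portal/saml/sso and /c/portal/saml/acs paths and the ID value are illustrative:

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed AuthnRequest in the shape an SP sends to its IdP. Endpoint paths
# and the ID are illustrative.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_constructed0001" Version="2.0" IssueInstant="2014-06-01T10:00:00Z" '
    'Destination="http://localhost:8080/c/portal/saml/sso" '
    'AssertionConsumerServiceURL="http://localhost:9080/c/portal/saml/acs" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    '<saml:Issuer>samlsp</saml:Issuer>'
    '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" '
    'AllowCreate="true"/>'
    '</samlp:AuthnRequest>'
)

IDP_SSO_URL = "http://localhost:8080/c/portal/saml/sso"


def build_redirect_url(idp_sso_url, request_xml, relay_state=None):
    """HTTP-Redirect binding as the SP performs it: raw DEFLATE (no zlib
    header, wbits=-15), base64, URL-encoded into the query string."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(request_xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return idp_sso_url + "?" + urllib.parse.urlencode(params)


def parse_redirect_url(url):
    """Reverse of build_redirect_url: recover the request XML (and RelayState)
    from a URL copied out of the browser after clicking the sign in link."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    deflated = base64.b64decode(query["SAMLRequest"][0])
    xml_text = zlib.decompress(deflated, -15).decode("utf-8")
    return {"xml": xml_text, "relay_state": query.get("RelayState", [None])[0]}


def summarize_authn_request(xml_text):
    """The attributes an IdP checks before it even looks at the signature."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not an AuthnRequest: %s" % root.tag)
    issuer = root.find("saml:Issuer", NS)
    return {
        "id": root.get("ID"),
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "issue_instant": root.get("IssueInstant"),
    }


def check_request(summary, sp_entity_id, idp_sso_url):
    """Mismatches that make the IdP reject the request. An empty list means the
    request is addressed to the right IdP by the SP that IdP knows about."""
    problems = []
    if summary["issuer"] != sp_entity_id:
        problems.append("Issuer %r != SP entity ID %r registered at the IdP"
                        % (summary["issuer"], sp_entity_id))
    if summary["destination"] != idp_sso_url:
        problems.append("Destination %r != IdP SSO URL %r"
                        % (summary["destination"], idp_sso_url))
    if "://" in (summary["issuer"] or ""):
        problems.append("Issuer is a URL; the Liferay 6.2 plugin only accepts plain-label entity IDs")
    return problems
```

With the Redirect binding the signature is carried in separate SigAlg and Signature query parameters, not inside the XML, so the decoded request contains no ds:Signature element; a missing or mismatched Issuer or Destination reported by check_request is the usual reason an SSO attempt fails before signature verification is even attempted.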

 

Test Case - Test login to LP SAML SP as SAML SP user (samlsp)

Scenario

We wish to test the SAML SSO for LP SAML SP using the SAML SP user.

We expect the SAML user cannot authenticate using password "samlsp".

NOTE: SAML user password "samlsp" is registered with LP SAML SP, hence it is invalid for authentication with LP SAML IdP.

Steps

1/ Connect to LP SAML SP

e.g.

http://localhost:9080/

2/ Sign in as SAML user (saml.user@permeance.com.au) via the sign in link (top right of page), entering the LP SAML SP password "samlsp" at LP SAML IdP

3/ Expected outcome : authentication fails

4/ Actual outcome : authentication fails

5/ Test outcome : PASS

Summary

Only a portal user registered with LP SAML IdP, authenticating with the password held by the IdP, can sign in via the sign in link (SAML SSO).

* NOTE: Portal users registered with LP SAML SP can still sign in via Sign In Portlet, which authenticates using portal database, not SSO.

 

Known Liferay Portal SAML 2.0 EE Provider Limitations

Liferay SAML 2.0 EE Provider does not support URLs for Entity ID

Issue

The SAML 2.0 specification recommends using URLs as the SAML Entity ID

8.3.6 Entity Identifier

URI: urn:oasis:names:tc:SAML:2.0:nameid-format:entity
Indicates that the content of the element is the identifier of an entity that provides SAML-based services
(such as a SAML authority, requester, or responder) or is a participant in SAML profiles (such as a service
provider supporting the browser SSO profile). Such an identifier can be used in the <Issuer> element to
identify the issuer of a SAML request, response, or assertion, or within the <NameID> element to make
assertions about system entities that can issue SAML requests, responses, and assertions. It can also be
used in other elements and attributes whose purpose is to identify a system entity in various protocol
exchanges.
The syntax of such an identifier is a URI of not more than 1024 characters in length. It is
RECOMMENDED that a system entity use a URL containing its own domain name to identify itself.
The NameQualifier, SPNameQualifier, and SPProvidedID attributes MUST be omitted.

The Liferay SAML 2.0 EE Provider does not support URLs for Entity ID.

If you attempt to use a URL, the SAML plugin will throw a Null Pointer Exception (NPE).

Workaround

Use a plain text label (e.g. samlidp), not a URL, as the SAML Entity ID.

 

LRDOCS-1918 - Add SAML plugin troubleshooting documentation to Liferay Portal 6.2 User Guide

Issue

Liferay Portal documentation is missing details to assist users with tracing SAML plugin issues.

A documentation request is pending, as per ticket LRDOCS-1918 - Add SAML plugin troubleshooting documentation to Liferay Portal 6.2 User Guide

 

References