How to configure Liferay Portal 6.2 EE as SAML IdP and SAML SP
According to Wikipedia, the Security Assertion Markup Language (SAML), pronounced "sam-el", is "... an XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider." The SAML protocol can be used to implement an SSO authentication service. This article outlines the steps to configure Liferay Portal 6.2 EE as a SAML Identity Provider (IdP) and a SAML Service Provider (SP).
NOTE: The SAML specification supports using a URL as the SAML IdP and SP entity ID; however, the Liferay SAML 2.0 Provider does not support URLs as the entity ID, so it must be a plain label.
You wish to test the use of SAML as the Single Sign-On (SSO) service for your environment. You want to configure Liferay Portal 6.2 EE as a SAML IdP and SAML SP.
Configuration is based on the following articles:
Add test user to LP SAML IdP.
Add test user to LP SAML SP.
Test SAML SSO with test user.
PENDING: SAML 2.0 EE plugin UI
e.g. /opt/lportal/saml-idp
e.g. /opt/lportal/saml-idp/liferay-portal-6.2-ee-sp10
no changes, use defaults
Review TC log file for warnings or errors.
http://localhost:8080/
e.g. test@liferay.com
Install Liferay SAML 2.0 Provider EE plugin (saml-portlet.war)
Control Panel > Configuration > SAML Admin
Navigate to "Control Panel > Sites > Liferay". Rename site from "Liferay" to "Liferay SAML IdP".
How to trace the Liferay SAML 2.0 Provider EE plugin
Stop portal.
TODO: Update steps with GUI configuration in SAML 2.0 EE plugin.
e.g. /opt/lportal/saml-sp/liferay-portal-6.2-ee-sp10
FILE: /opt/lportal/saml-sp/liferay-portal-6.2-ee-sp10/tomcat/conf/server.xml
** web server port from 8005 to 9005 (custom)
** connector port from 8080 to 9080 (custom)
** redirect port from 8443 to 9443 (custom)
** AJP connector port from 8009 to 9009 (custom)
http://localhost:9080/
Navigate to "Control Panel > Sites > Liferay". Rename site from "Liferay" to "Liferay SAML SP".
In the Certificate and Private Key section, enter the following:
NOTE: When LDAP is disabled, the user must be created manually so that it exists in both LP SAML IdP and LP SAML SP.
We wish to test the SAML SSO for LP SAML SP using the SAML user.
We expect the SAML user can authenticate using password "samlidp".
NOTE: SAML user password "samlidp" is registered with LP SAML IdP, hence it is valid for authentication with LP SAML IdP.
1/ Connect to LP SAML SP
e.g.
2/ Sign in as SAML user (saml.user@liferay.com) via sign in link (top right of page)
3/ Expected outcome : Authentication passes
4/ Actual outcome : Authentication passes
5/ Test outcome : PASS
* NOTE: Portal users registered with LP SAML SP can still sign in via the Sign In Portlet, which authenticates against the portal database, not via SSO.
We wish to test the SAML SSO for LP SAML SP using the SAML SP user.
We expect the SAML user cannot authenticate using password "samlsp".
NOTE: SAML user password "samlsp" is registered with LP SAML SP, hence it is invalid for authentication with LP SAML IdP.
http://localhost:9080/
2/ Sign in as SAML SP user (samlsp) via sign in link (top right of page)
3/ Expected outcome : authentication fails
4/ Actual outcome : authentication fails
Only a valid portal user registered with the SAML IdP can sign in via the sign in link.
The SAML 2.0 specification recommends using URLs as the SAML Entity ID:
8.3.6 Entity Identifier
URI: urn:oasis:names:tc:SAML:2.0:nameid-format:entity
Indicates that the content of the element is the identifier of an entity that provides SAML-based services (such as a SAML authority, requester, or responder) or is a participant in SAML profiles (such as a service provider supporting the browser SSO profile). Such an identifier can be used in the <Issuer> element to identify the issuer of a SAML request, response, or assertion, or within the <NameID> element to make assertions about system entities that can issue SAML requests, responses, and assertions. It can also be used in other elements and attributes whose purpose is to identify a system entity in various protocol exchanges. The syntax of such an identifier is a URI of not more than 1024 characters in length. It is RECOMMENDED that a system entity use a URL containing its own domain name to identify itself. The NameQualifier, SPNameQualifier, and SPProvidedID attributes MUST be omitted.
The Liferay SAML 2.0 EE Provider does not support URLs for Entity ID.
If you attempt to use a URL, the SAML plugin will throw a Null Pointer Exception (NPE).
Use a plain text label (URI) as the SAML Entity ID.
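The following check is an added example (not part of the article or the Liferay plugin): it tests an entity ID against the 8.3.6 constraints quoted above and flags the URL form that the Liferay 6.2 plugin rejects. The sample Response and the label `liferay-saml-idp` are constructed assumptions.

```python
"""Validate SAML entity identifiers: SAML Core 8.3.6 rules plus the
Liferay 6.2 plugin restriction (plain label, not a URL).
Added example; not the article's or the plugin's own code."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

ENTITY_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
FORBIDDEN_ATTRS = ("NameQualifier", "SPNameQualifier", "SPProvidedID")

def check_entity_id(value):
    """Return a list of findings; an empty list means the id satisfies
    both the spec text and the Liferay 6.2 plugin restriction."""
    findings = []
    if len(value) > 1024:
        findings.append("spec: entity id longer than 1024 characters")
    if not value or any(c.isspace() for c in value):
        findings.append("spec: entity id is not a URI")
    if urlparse(value).scheme in ("http", "https"):
        # The spec RECOMMENDS a URL, but the article reports the Liferay
        # 6.2 plugin throws an NPE on URL entity ids: use a plain label.
        findings.append("liferay-6.2: URL entity id not supported, use a plain label")
    return findings

def check_issuer(saml_xml):
    """Parse the <Issuer> of a SAML message, enforce the entity-format
    attribute rules, then run check_entity_id on its text."""
    # Input here is constructed; parse untrusted SAML with defusedxml.
    root = ET.fromstring(saml_xml)
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    if issuer is None:
        return ["no Issuer element"]
    findings = []
    fmt = issuer.get("Format")
    if fmt is not None and fmt != ENTITY_FORMAT:
        findings.append(f"spec: unexpected Issuer Format {fmt}")
    for attr in FORBIDDEN_ATTRS:
        if issuer.get(attr) is not None:
            findings.append(f"spec: {attr} MUST be omitted on an entity identifier")
    findings.extend(check_entity_id((issuer.text or "").strip()))
    return findings

# Constructed sample Response; 'liferay-saml-idp' is an assumed plain label.
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">'
    '<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">'
    'liferay-saml-idp</saml:Issuer></samlp:Response>'
)

if __name__ == "__main__":
    print(check_issuer(SAMPLE_RESPONSE))
    print(check_entity_id("https://idp.example.com/saml"))
```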
Liferay Portal documentation is missing details to assist users with tracing SAML plugin issues.
A documentation request is pending, as per ticket LRDOCS-1918 - Add SAML plugin troubleshooting documentation to Liferay Portal 6.2 User Guide