Liferay as SP and OpenAM as IDP Using SAML 2.0

In this blog we will configure OpenAM as Identity provider and Liferay as Service Provider using SAML 2.0.

Follow below steps :

Download OpenAM 11.0.0 war file from https://backstage.forgerock.com/#/downloads
Deploy the war file in Tomcat (Lets say Port 8081).
Increase heap and param space.
Start the server and hit http://localhost:8081/OpenAM-11.0.0/ in the browser.
You will be redirected to http://localhost:80 81/OpenAM-11.0.0/config/options.htm

Click on "Create default Configuration".

Provide password as shown in above diagram and click on create configuration.
After successfull completion page redirects to http://localhost:8081/OpenAM-11.0.0/UI/Login.
Provide username as amadmin and password as liferaypassword.
Now Open Liferay (I am using 6.2 which is running on port 8080).
Deploy SAML plugin.
Add below properties in portal-ext.properties :

saml.enabled=true

saml.role=sp

saml.entity.id=test

saml.metadata.paths=http://localhost:8081/OpenAM-11.0.0/saml2/jsp/exportmetadata.jsp

# # Keystore #

saml.keystore.type=jks

saml.keystore.path=/OpenAM-11.0.0/OpenAM-11.0.0/keystore.jks

saml.keystore.password=changeit

saml.keystore.credential.password[test]=changeit

# # Service Provider #

saml.sp.default.idp.entity.id=http://localhost:8081/OpenAM-11.0.0

saml.sp.sign.authn.request=true

saml.sp.assertion.signature.required=false

saml.sp.clock.skew=3000

saml.sp.user.attribute.mappings=screenName=uid\nemailAddress=mail\nfirstName=givenname\nlastName=sn

Restart Liferay server.
To configure OpenAM as IDP go to http://localhost:8081/OpenAM-11.0.0/task/Home
On the Common Tasks page, click on Create Hosted Identity Provider.

Now click on Register Remote Service Provider.

After registering Remote Service Provider, click on Federation tab , your screen should look like:

Now click on http://localhost:8081/OpenAM-11.0.0 link available under Entity Providers and make sure following settings are checked, If not then mark it checked

Now click on test link available under Entity Providers table and make sure following settings are checked, If not then mark it checked

Now go to Liferay Server and create a user with below details :

Now update the same user details in OpenAM, Go to Access Control tab.
Click the / (Top Level Realm) realm.
Select the Subjects tab.
Click on demo user.
Update first name as "demo" and emailaddress as "demo@liferay.com" and Save it.

Now Open a new browser clear all cache and hit http://localhost:8080/.
Click on SignIn link from Top right corner.
It will redirect you to OpenAM login page.
Fill username as demo and password as changeit.
It will be authenticated and redirected to Liferay successfully.

Thank You!!!

4 Comments

Please sign in to comment.

Hey Mohit,

Since i just succeeded in setting up Shibboleth by SAML, and knew OpenAM is supported by default Liferay not using SAML , i thought of toying with SAML on OpenAm myself to find your post JIT.

Thanks a bunch this saves me i night, and gives me a chance to discover new ideas i thought up with Sampsa today.

C.heers

Please sign in to reply.

Hi Mohit,
This is Amey.
The steps you have mentioned is straight forward but I am getting error as "null document" when I click configure button while creating "Create a SAMLv2 Remote Service Provider". On tomcat command prompt I can see error as "[Fatal Error] :1:1: Content is not allowed in prolog.".

May you please guide me.

Please sign in to reply.

hi,
After following this document ran to same issue , can you please guide me?

Please sign in to reply.

Hey Guys,

In case someone is getting the "null document" issue while Registering Remote Service Provider, please provide the protocol along with the URL in the tab "URL where Metadata is located". For Eg:
http://localhost:8080/c/portal/saml/metadata

Hope it helps.

Thanks,
Akash

Please sign in to reply.

Menu Display

Blogs

Category Filter

More Blog Entries

Vaadin 7.3 for Liferay released

4 reasons you might want to checkout tomorrow's dev.life session