Setting up Liferay Portal 6.1 EE as an IdP

Following my recent demo at our Hungarian symposium in Budapest, I want to show today how I used the SAML Portlet to set up a Liferay Portal instance as an Identity Provider speaking SAML 2.0.

My next blog post will cover the Service Provider part: the same portlet with a different configuration, running in a second Liferay bundle on different ports on the same machine.

In case you are interested in seeing how it works in conjunction with Salesforce, I can recommend the blog post from Mika.

Setup of a Liferay Identity Provider

For my installation I used a bundle and the SAML-Portlet from the customer portal.
 
First we need to set up a keystore. We will use the Java keytool to create a keystore that can easily be managed from the command line.
It is crucial to create the key with the alias of the IdP entity we want to use in portal-ext.properties. In this case we will use liferaysamlidpdemo.
To have the keystore in a directory we can address from the Liferay properties, the easiest approach is to execute the command in the Liferay data directory:
 
keytool -genkey -keyalg RSA -alias liferaysamlidpdemo -keystore keystore.jks -storepass liferay -validity 360 -keysize 2048
 

The output looks like the following:

 
MacBook-Pro:data xxx$ keytool -genkey -keyalg RSA -alias liferaysamlidpdemo -keystore keystore.jks -storepass liferay -validity 360 -keysize 2048
 
What is your first and last name?
  [Unknown]:  Liferay SAML IdP Demo
What is the name of your organizational unit?
  [Unknown]:  Liferay SAML IdP Demo
What is the name of your organization?
  [Unknown]:  Liferay
What is the name of your City or Locality?
  [Unknown]:  wherever 
What is the name of your State or Province?
  [Unknown]:  wherever
What is the two-letter country code for this unit?
  [Unknown]:  XX
Is CN=Liferay SAML IdP Demo, OU=Liferay SAML IdP Demo, O=Liferay, L=wherever, ST=wherever, C=XX correct?
  [no]:  yes
 
Enter key password for <liferaysamlidpdemo>
(RETURN if same as keystore password):  
Re-enter new password: 
 
Next we need to bootstrap the SAML plugin in portal-ext.properties:
 
##
## SAML
##
 
# Enable SAML Plugin
saml.enabled=true
 
# Set the role to idp on the Identity Provider and to sp in the Service Provider
saml.role=idp
 
# Set the SAML entity id, it matches the alias we used to setup the keystore
saml.entity.id=liferaysamlidpdemo
 
# We do not need SSL for this example; in production you would use a regular SSL certificate
saml.require.ssl=false
 
We also need a reference to the keystore we set up earlier, so we add the following to portal-ext.properties:
 
#
# Keystore
#
 
# keystore type
saml.keystore.type=jks
 
# location of the keystore
saml.keystore.path=${liferay.home}/data/keystore.jks
 
# pwd for accessing the keystore
saml.keystore.password=liferay
 
# pwd for accessing the certificate of the entity in the keystore
saml.keystore.credential.password[liferaysamlidpdemo]=liferay
 

Next we need to enable the IdP part of the SAML plugin (still in portal-ext.properties):

 

#
# Identity Provider
#
 
# Enable the Identity Provider
saml.idp.enabled=true
 
# require Service Providers to sign their SAML authentication requests
saml.idp.authn.request.signature.required=true
 
# set the Identity Provider entity id
saml.idp.entity.id=liferaysamlidpdemo
 
We also need to register the Service Providers (see Part 2) with the IdP, which is done like this in portal-ext.properties:
 
# The metadata locations for the known Service Providers. In case of Liferay
# we can point to the metadata service of the plugin; here we have already set up the SP,
# which is just another instance of Liferay with the same plugin running in sp mode.
saml.metadata.paths=\
http://beta.test.com:9080/c/portal/saml/metadata
 
saml.idp.metadata.attributes.enabled[liferaysamlspdemo]=true
saml.idp.metadata.attribute.names[liferaysamlspdemo]=screenName,firstName,lastName,emailAddress,uuid
saml.idp.metadata.session.keepalive.url[liferaysamlspdemo]=http://beta.test.com:9080/c/portal/saml/sp/keepalive
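As an added sanity check (example code written for this post, not part of the SAML portlet), here is a small Python script that parses the portal-ext.properties fragments above, including the backslash continuation used for saml.metadata.paths, and reports the inconsistencies that most often break the setup: the entity id and the keystore alias disagreeing, or saml.require.ssl left at false. The properties text is a constructed copy of the fragments above with the comments removed.

```python
# Constructed sample: the portal-ext.properties fragments from this post, joined into one file (comments omitted).
SAMPLE_PROPERTIES = """\
saml.enabled=true
saml.role=idp
saml.entity.id=liferaysamlidpdemo
saml.require.ssl=false
saml.keystore.type=jks
saml.keystore.path=${liferay.home}/data/keystore.jks
saml.keystore.password=liferay
saml.keystore.credential.password[liferaysamlidpdemo]=liferay
saml.idp.enabled=true
saml.idp.authn.request.signature.required=true
saml.idp.entity.id=liferaysamlidpdemo
saml.metadata.paths=\\
http://beta.test.com:9080/c/portal/saml/metadata
"""

def parse_properties(text):
    """Minimal java.util.Properties reader: comments, key=value, backslash continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith(("#", "!")):
            continue
        if line.endswith("\\"):  # value continues on the next line
            pending = line[:-1]
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def check_idp_config(props):
    """Report the IdP-side inconsistencies that most often break this setup."""
    findings = []
    entity = props.get("saml.entity.id")
    if props.get("saml.enabled") != "true" or props.get("saml.idp.enabled") != "true":
        findings.append("saml.enabled and saml.idp.enabled must both be true")
    if props.get("saml.idp.entity.id") != entity:
        findings.append("saml.idp.entity.id differs from saml.entity.id")
    # The keystore alias created with keytool must match the entity id exactly
    if ("saml.keystore.credential.password[%s]" % entity) not in props:
        findings.append("no keystore credential password for alias %r" % entity)
    if props.get("saml.require.ssl") == "false":
        findings.append("saml.require.ssl=false is acceptable for a local demo only")
    if not props.get("saml.metadata.paths"):
        findings.append("saml.metadata.paths is empty: no Service Provider registered")
    return findings
```

Running check_idp_config(parse_properties(SAMPLE_PROPERTIES)) on the demo configuration yields only the saml.require.ssl warning; renaming the alias in the credential password key produces the missing-alias finding.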
Note: saml.idp.metadata.attribute.names must be given with "\n" as the separator, otherwise the attribute names will not be correctly split. See MetadataManagerImpl.getAttributeNames(), where StringUtil.splitLines() is used. (codebase: saml-portlet-6.1.20.3-ee-ga3)
Hi Armin, nice blog, seems informative and I want to try it out. But I need to find the Liferay SAML 2.0 portlet compatible with Liferay Portal 6.1 EE GA2. Can you tell me which version of Liferay SAML 2.0 would work and where I can download it?
Hi,
I have a scenario where I have to add a service provider with the same entity ID as an existing metadata file. This is causing a conflict in picking up the metadata file. It's the same vendor for two different products, and hence the endpoint URL is different but the entity ID is the same. This causes the Liferay SAML plugin to pick the wrong metadata file. Any help is highly appreciated.