ADFS Liferay DXP Integration
Introduction
This blog covers the integration of Liferay DXP SP4 with Microsoft ADFS 2.0 over SAML 2.0, using Liferay SAML plugin 3.1.1. Note that with the updated Liferay SAML plugin you no longer need to restart the server after making changes on the Liferay side. Throughout this blog Liferay is registered as the Service Provider (SP) and ADFS acts as the Identity Provider (IdP).
This article was inspired by, and draws on, the following references.
Integration steps
Figure1: ADFS error when importing the Liferay metadata by URL.
Figure2: The same error while registering Liferay's metadata in ADFS through the URL; download the metadata XML and import it as a file instead.
Figure3: Identifiers. This must be the "EntityID" from Liferay's SAML metadata, matched exactly.
Figure4: Secure hash algorithm of the relying party trust. SHA here is the hash used in the XML signature (not encryption); it must match the signature algorithm Liferay's SAML plugin is configured with, otherwise ADFS will reject Liferay's signed requests.
Figure5: Endpoints. Remember that Liferay allows ONLY one assertion consumer endpoint and one logout endpoint.
Figure6: ADFS SAML assertion consumer endpoint details.
Figure7: SAML logout endpoints.
Figure8: LDAP attribute mapping claim rule at ADFS.
Figure9: NameID transformation claim rule.
Figure10: All claim rules at ADFS. Keep the sequence of claim rules as shown: ADFS evaluates them in order, and the NameID transform can only work on a claim that an earlier rule has already issued, so the NameID rule must always be last.
Set-AdfsRelyingPartyTrust -TargetName "www.my-site.com" -SamlResponseSignature MessageAndAssertion
Command1: This forces ADFS to sign both the SAML response message and the assertion for Liferay's relying party trust (-TargetName is the display name of the trust).
Set-AdfsRelyingPartyTrust -TargetName "www.my-site.com" -EncryptClaims $False
Command2: This stops ADFS from encrypting the assertion, so the SAML response carries it in plain (signed but unencrypted) form that Liferay can consume without a decryption key. Run both commands against the same relying party trust. Because the assertion is now readable in transit, make sure the assertion consumer endpoint is served over HTTPS only.
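The ADFS side of the procedure above (Figure1 to Figure10 plus Command1 and Command2) can be scripted end to end so that it is repeatable and reviewable. The following PowerShell is an added example written for this post, not code from the original article or from Liferay; it assumes the Liferay site is https://www.my-site.com, that its SP metadata is served at /c/portal/saml/metadata, that the relying party trust is named "www.my-site.com", that Liferay is configured to sign with RSA-SHA256, and that it runs in an elevated PowerShell session on the ADFS server.

```powershell
# Added example (not from the original post): create and configure the Liferay
# relying party trust in ADFS. Names, URLs and the SHA-256 choice are assumptions.
Import-Module ADFS

$rpName       = "www.my-site.com"                         # assumed trust display name
$liferayBase  = "https://www.my-site.com"                  # assumed Liferay host
$metadataUrl  = "$liferayBase/c/portal/saml/metadata"      # assumed SP metadata path
$metadataFile = Join-Path $env:TEMP "liferay-sp-metadata.xml"

# Figure1/2: importing metadata by URL fails in the ADFS wizard, so download the XML
# and hand ADFS a local file. The entityID in it becomes the identifier (Figure3).
Invoke-WebRequest -Uri $metadataUrl -OutFile $metadataFile
[xml]$md  = Get-Content $metadataFile
$entityId = $md.EntityDescriptor.entityID

if (-not (Get-AdfsRelyingPartyTrust -Name $rpName)) {
    Add-AdfsRelyingPartyTrust -Name $rpName -MetadataFile $metadataFile
}

# Claim rules (Figure8 to Figure10). Order matters: the LDAP rule must issue the
# e-mail claim before the transform rule turns it into the NameID, so NameID is last.
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Liferay LDAP attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "screenName"), query = ";mail,givenName,sn,sAMAccountName;{0}", param = c.Value);
'@

$nameIdRule = @'
@RuleTemplate = "MapClaims"
@RuleName = "E-mail to NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Figure3/4 and Command1/Command2 in one call. The hash algorithm must match what
# the Liferay SAML plugin signs with (RSA-SHA256 is an assumption here).
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -Identifier $entityId `
    -SignatureAlgorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" `
    -SamlResponseSignature MessageAndAssertion `
    -EncryptClaims $false `
    -IssuanceTransformRules ($ldapRule + "`n" + $nameIdRule) `
    -IssuanceAuthorizationRules $permitAll

# Export the primary token-signing certificate for keytool -importcert on the Liferay side.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$bytes   = $signing.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes((Join-Path $env:TEMP "sso-certificate.cer"), $bytes)
"Token-signing thumbprint (compare against keytool -list on Liferay): $($signing.Certificate.Thumbprint)"

# Verify the settings actually took before testing a login.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, SignatureAlgorithm, SamlResponseSignature, EncryptClaims, SamlEndpoints
```

Check the final Select-Object output: SamlEndpoints should list exactly one assertion consumer endpoint and one logout endpoint (Figure5), and SamlResponseSignature must read MessageAndAssertion, otherwise Liferay will not be able to validate the response. Print the thumbprint and compare it with the SHA1 fingerprint shown by keytool -list after the import; a mismatch means the wrong certificate (for example the service communications certificate) was imported.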
Figure11: NameID and attribute mapping at the Liferay end for ADFS. The names on the right-hand side of the equals operator are Liferay user attributes; the left-hand side must match the claim types ADFS issues.
Figure12: Liferay Service Provider settings
keytool -importcert -alias ssoselfsigned -file sso-certificate.cer -keystore keystore.jks
Command3: Imports the ADFS token-signing certificate into the keystore Liferay's SAML plugin uses, so Liferay can verify ADFS's signatures. keytool prompts for the keystore password and shows the certificate's fingerprint before asking you to trust it; compare that fingerprint with the token-signing certificate in the ADFS console before answering yes.
Sign-in URL: https://example.sso.com/adfs/ls/idpinitiatedsignon.aspx?RelayState={logged-in-page-liferay}
Sign-out URL: https://example.sso.com/adfs/ls/?wa=wsignout1.0
The sign-in URL uses ADFS's IdP-initiated sign-on page; replace {logged-in-page-liferay} with the Liferay page users should land on after login. The sign-out URL is ADFS's WS-Federation sign-out endpoint (wa=wsignout1.0), which ends the ADFS session in addition to the SAML logout configured in Figure7.