ADFS Liferay DXP Integration

Introduction

This post covers integrating Liferay DXP SP4 with Microsoft ADFS 2.0 over SAML 2.0, using the Liferay SAML plugin 3.1.1. Note that with the updated Liferay SAML plugin you no longer need to restart the server after changes on the Liferay side. Throughout, Liferay is registered as the Service Provider (SP) and ADFS as the Identity Provider (IdP).

This article draws on and combines the following references.

  1. https://web.liferay.com/web/a.s/blog/-/blogs/adfs-dxp
  2. https://web.liferay.com/web/sandeep.sapra/blog/-/blogs/sso-in-liferay-dxp-using-saml
  3. Liferay SAML customer documentation (only available with licensed customers)
  4. https://support.zendesk.com/hc/en-us/articles/203663886-Setting-up-single-sign-on-using-Active-Directory-with-ADFS-and-SAML-Professional-and-Enterprise-

Integration steps

  • ADFS has to register the Liferay application as a relying party trust manually; importing Liferay's SP metadata by URL does not work. Below are the errors ADFS shows when you try to import the metadata instead of entering the details by hand.

Figure 1: ADFS error when importing the Liferay metadata URL.

Figure 2: Error while registering Liferay's metadata in ADFS through the URL.

  • During manual registration, enter Liferay's SP EntityID and signing certificate exactly as they appear in Liferay's SP SAML metadata. Once the relying party trust exists, check the following points carefully.

Figure 3: Identifiers. This must be the entityID from Liferay's SAML SP metadata; ADFS matches the Issuer of Liferay's requests against it.

Figure 4: Advanced tab, secure hash algorithm. This is the hash used in ADFS's XML signatures (not an encryption setting) and must match the signature algorithm Liferay uses by default; otherwise ADFS rejects signed requests from Liferay that use a different algorithm.

Figure 5: Endpoints. Liferay accepts only one assertion consumer endpoint and one logout endpoint, so register exactly one of each.

Figure 6: ADFS's SAML assertion consumer endpoint details.

Figure 7: SAML logout endpoints.

  • Add the following claim rules to the registered relying party trust: first an LDAP attribute claim rule, then a NameID transformation rule.

Figure 8: LDAP attribute mapping claim rule at ADFS.

Figure 9: NameID transformation claim rule.

Figure 10: All claim rules at ADFS. Keep this order: ADFS evaluates issuance rules top to bottom, and the NameID transformation consumes a claim issued by the LDAP rule, so the NameID rule must always be last.

  • Now run the following two commands in PowerShell on the ADFS server. -TargetName is the display name you gave the relying party trust; it is the same in both commands ("www.my-site.com" is a placeholder).
Set-AdfsRelyingPartyTrust -TargetName "www.my-site.com" -SamlResponseSignature MessageAndAssertion

Command 1: Forces ADFS to sign both the SAML response message and the assertion it issues to Liferay's relying party trust (the ADFS default signs the assertion only).

Set-AdfsRelyingPartyTrust -TargetName "www.my-site.com" -EncryptClaims $false

Command 2: Stops ADFS from encrypting the assertion, so it reaches Liferay in the clear inside the signed response and Liferay can read it without a decryption key. Confidentiality of the assertion then rests on TLS between browser, ADFS and Liferay, so keep both endpoints HTTPS-only.
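The ADFS-side steps above (manual relying party trust, one assertion consumer and one logout endpoint, LDAP claim rule followed by the NameID rule, signed response and assertion, no claim encryption) as a single script. This is an added example, not code from the original post or from Liferay; it is run in an elevated PowerShell on the ADFS server, and every value (trust name, EntityID, endpoint URLs, certificate path, the mail/givenName/sn attribute set and the e-mail NameID format) is an assumption to be replaced with what Liferay's SP metadata and attribute mapping actually use.

```powershell
# Added example: manual ADFS relying party trust for Liferay, done from PowerShell.
# Load the ADFS cmdlets: module on 2012 R2 and later, snap-in on ADFS 2.0.
if (Get-Module -ListAvailable -Name ADFS) { Import-Module ADFS }
else { Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop }

$rpName     = "www.my-site.com"                              # display name, reused as -TargetName (assumed)
$spEntityId = "liferaysamlsp"                                # assumed: Liferay SP EntityID from its metadata
$acsUrl     = "https://www.my-site.com/c/portal/saml/acs"    # assumed: Liferay assertion consumer URL
$sloUrl     = "https://www.my-site.com/c/portal/saml/slo"    # assumed: Liferay single logout URL
$spCertPath = "C:\temp\liferay-sp.cer"                       # assumed: Liferay SP signing certificate file

# Liferay accepts exactly one assertion consumer endpoint and one logout endpoint.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0 -IsDefault $true
$slo = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLLogout -Uri $sloUrl -ResponseUri $sloUrl

# Claim rules in evaluation order. Rule 1 reads attributes from AD; rule 2 turns the
# e-mail claim into the SAML NameID and therefore has to come after rule 1.
# The attribute set (mail, givenName, sn) is an assumption.
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Liferay LDAP attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";mail,givenName,sn;{0}", param = c.Value);
'@
$nameIdRule = @'
@RuleTemplate = "MapClaims"
@RuleName = "E-mail to NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@
# Authorization rule: let every authenticated user reach the relying party.
$permitAll = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Liferay's SP signing certificate, used by ADFS to verify signed AuthnRequests/LogoutRequests.
$spCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $spCertPath

Add-AdfsRelyingPartyTrust -Name $rpName `
    -Identifier $spEntityId `
    -SamlEndpoint @($acs, $slo) `
    -RequestSigningCertificate $spCert `
    -IssuanceTransformRules ($ldapRule + "`r`n" + $nameIdRule) `
    -IssuanceAuthorizationRules $permitAll `
    -SamlResponseSignature MessageAndAssertion `
    -EncryptClaims $false
# The last two parameters are the same settings as the two Set-AdfsRelyingPartyTrust
# commands in the post. If Liferay signs with SHA-1, also pass
# -SignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1" so the hash matches.

# Read back what ADFS stored and compare with the figures: signature scope,
# encryption flag, rule order (NameID rule last) and the two endpoints.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$rp | Select-Object Name, Identifier, SamlResponseSignature, EncryptClaims, SignatureAlgorithm | Format-List
$rp.IssuanceTransformRules
$rp.SamlEndpoints | Select-Object Protocol, Binding, Location, IsDefault
```

The read-back at the end is the useful part when troubleshooting: SamlResponseSignature should print MessageAndAssertion, EncryptClaims should be False, and the rule text should show the LdapClaims rule before the MapClaims rule.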

  • Register ADFS as an Identity Provider in Liferay's SAML Admin section.

Figure 11: NameID and attribute mapping at the Liferay end for ADFS. Note the Liferay attributes on the right-hand side of the equals sign: the left side is the claim type ADFS issues, the right side is the Liferay user attribute it is written to.

  • Re-verify Liferay's service provider settings.

Figure 12: Liferay Service Provider settings.

  • The last configuration step is importing the ADFS token-signing certificate (the one ADFS signs SAML responses with, not its service-communications certificate) into Liferay's SAML keystore. By default the SAML plugin generates that keystore in the data folder under Liferay Home (data/keystore.jks). Run the following command from that folder to import the ADFS certificate:

keytool -importcert -alias ssoselfsigned -file sso-certificate.cer -keystore keystore.jks

  • The keystore password that keytool prompts for is "liferay" (the SAML plugin's default).
  • Since ADFS is the IdP and Liferay the SP, use ADFS's IdP-initiated sign-in and sign-out URLs:

Sign-in URL: https://example.sso.com/adfs/ls/idpinitiatedsignon.aspx?RelayState={logged-in-page-liferay}

Sign-out URL: https://example.sso.com/adfs/ls/?wa=wsignout1.0

Note on the sign-in URL: ADFS only honours RelayState on idpinitiatedsignon.aspx when RelayState support for IdP-initiated sign-on is enabled in the ADFS configuration, and it expects the parameter in the form RelayState=RPID=<relying party identifier>&RelayState=<target URL>, with the two inner values URL-encoded and the whole RelayState value URL-encoded once more.
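The Liferay-side tail of the procedure (fetching the right ADFS certificate, the keytool import, a fingerprint check, and building a correctly encoded IdP-initiated sign-in URL) as one script. This is an added example, not code from the original post or from Liferay: it runs in PowerShell on the Liferay host (pwsh on Linux works), assumes keytool is on the PATH, and the ADFS hostname, Liferay Home path, SP EntityID and landing page are placeholders. It reads the token-signing certificate straight out of ADFS's federation metadata so the keystore cannot end up with the wrong certificate.

```powershell
# Added example: import ADFS's token-signing certificate into Liferay's SAML keystore and verify it.
$adfsHost    = "example.sso.com"                                           # assumed ADFS hostname
$metadataUrl = "https://$adfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
$keystore    = "C:\liferay\data\keystore.jks"                              # assumed Liferay Home; default SAML keystore
$storePass   = "liferay"                                                   # SAML plugin default, as in the post
$alias       = "ssoselfsigned"
$certFile    = Join-Path ([IO.Path]::GetTempPath()) "sso-certificate.cer"

# 1. Pull the IdP metadata and take the signing certificate of the IDPSSODescriptor.
#    ADFS also publishes an encryption certificate there; that one is not the signer.
#    (During a certificate rollover ADFS lists two signing certs; the first is taken here.)
[xml]$md = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")
$entityId = $md.DocumentElement.GetAttribute("entityID")   # the IdP EntityID Liferay's IdP connection needs
$node = $md.SelectSingleNode("/md:EntityDescriptor/md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns)
if (-not $node) { throw "No signing KeyDescriptor found in $metadataUrl" }
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[Convert]::FromBase64String($node.InnerText.Trim()))

# 2. Write it out as DER and import it with the same keytool command the post uses
#    (-storepass and -noprompt only avoid the interactive prompts).
[IO.File]::WriteAllBytes($certFile, $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
& keytool -importcert -noprompt -alias $alias -file $certFile -keystore $keystore -storepass $storePass
if ($LASTEXITCODE -ne 0) { throw "keytool import failed (exit code $LASTEXITCODE)" }

# 3. Compare the SHA-1 fingerprint of the keystore entry with the certificate from the metadata.
$listing = & keytool -list -v -alias $alias -keystore $keystore -storepass $storePass
$fpMatch = $listing | Select-String -Pattern 'SHA1:\s*([0-9A-Fa-f:]+)' | Select-Object -First 1
if (-not $fpMatch) { throw "Could not read the SHA1 fingerprint from keytool output" }
$fpKeystore = ($fpMatch.Matches[0].Groups[1].Value -replace ':', '').ToUpperInvariant()
if ($fpKeystore -ne $cert.Thumbprint) {
    throw "Fingerprint mismatch: keystore=$fpKeystore metadata=$($cert.Thumbprint)"
}
"Imported ADFS signing certificate for $entityId ($($cert.Subject)), SHA1 $($cert.Thumbprint), expires $($cert.NotAfter)"

# 4. Build the IdP-initiated sign-in URL in the form ADFS expects: RPID and target each
#    URL-encoded inside the RelayState, and the whole RelayState value encoded once more.
Add-Type -AssemblyName System.Web
$rpId   = "liferaysamlsp"                           # assumed: Liferay SP EntityID (the relying party identifier)
$target = "https://www.my-site.com/group/intranet"  # assumed: page the user should land on after login
$inner  = "RPID=" + [System.Web.HttpUtility]::UrlEncode($rpId) + "&RelayState=" + [System.Web.HttpUtility]::UrlEncode($target)
$signIn = "https://$adfsHost/adfs/ls/idpinitiatedsignon.aspx?RelayState=" + [System.Web.HttpUtility]::UrlEncode($inner)
"Sign-in URL: $signIn"
"Sign-out URL: https://$adfsHost/adfs/ls/?wa=wsignout1.0"
```

The fingerprint check is what catches the common mistake of importing the ADFS service-communications (TLS) certificate: the import succeeds either way, but Liferay then fails signature validation on every response. Step 4 only produces a working link if RelayState support for IdP-initiated sign-on is enabled on the ADFS side.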