Liferay 7 DXP + SAML single sign-on (SSO)

Hi there, this post is dedicated to SSO authentication in Liferay 7 DXP. Single sign-on is a popular feature that lets users access multiple applications with the same credentials without logging in again. SAML is a language that allows cross-party communication to validate and authenticate a user.

To make SSO work, our Liferay instance will be configured as an Identity Provider (IdP in SAML terms) and a SimpleSAMLphp app will serve as a Service Provider (SP).

1. As a first step, once SimpleSAMLphp is installed, we need to configure our custom Authentication Source, which is actually the SP.

An authentication source is responsible for authenticating the user, typically by getting a username and password, and looking it up in some sort of database.

Our Authentication Source should be added to /simplesamlphp/config/authsources.php:

'lr1dev-sp' => array(
    'saml:SP',

    // The entity ID of this SP.
    // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
    'entityID' => null,
    
    // The entity ID of the IdP this SP should contact.
    // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
    'idp' => 'lr1dev-saml-iprovider',

    // The URL to the discovery service.
    // Can be NULL/unset, in which case a builtin discovery service will be used.
    'discoURL' => null,
    
    'privatekey' => 'signmessages.pem',
    'certificate' => 'signmessages.crt',
),

Note: privatekey and certificate are optional custom-generated keys, but they are required if you want to allow the user to log out through the IdP. Otherwise a "Request not signed" exception will be thrown. See sign.logout in the next section.
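
One way to create the signmessages.pem / signmessages.crt pair mentioned in the note above and confirm that the two files belong together (an added example, not part of the original post; the function names, the CN value and the 3072-bit key size are assumptions):

```shell
#!/usr/bin/env bash
# Added example: create the SP signing key pair referenced by 'privatekey'
# and 'certificate' in authsources.php, then verify that the pair matches.

# Generate a self-signed certificate and an unencrypted private key.
# $1 = target directory, $2 = base file name (e.g. signmessages)
make_sp_keypair() {
    local dir="$1" name="$2"
    mkdir -p "$dir" || return 1
    # umask 077 makes the private key owner-readable only from the moment it is created.
    ( umask 077
      openssl req -newkey rsa:3072 -new -x509 -days 3652 -nodes \
          -subj "/CN=lr1dev-sp" \
          -keyout "$dir/$name.pem" -out "$dir/$name.crt" 2>/dev/null ) || return 1
    # The certificate is public; only the key needs to stay private.
    chmod 644 "$dir/$name.crt"
}

# Print the SHA-256 digest of the public key inside a certificate or private key.
# $1 = cert|key, $2 = file
pubkey_digest() {
    local pub
    case "$1" in
        cert) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        key)  pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        *)    return 2 ;;
    esac
    # An unreadable or malformed file yields no public key: fail instead of hashing nothing.
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only if the certificate ($1) and the private key ($2) share one public key.
keypair_matches() {
    local c k
    c=$(pubkey_digest cert "$1") || return 1
    k=$(pubkey_digest key "$2") || return 1
    [ "$c" = "$k" ]
}

# Usage (paths are assumptions):
#   make_sp_keypair ./cert signmessages
#   keypair_matches ./cert/signmessages.crt ./cert/signmessages.pem && echo "pair OK"
```

Copy both files into SimpleSAMLphp's certificate directory (cert/ by default, an assumption about your install) and make sure the private key is readable only by the user the web server runs as.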

2. In this step we specify the entity ID of the target IdP (Liferay in our case) that our SP will talk to. This entity ID goes in /simplesamlphp/metadata/saml20-idp-remote.php:

$metadata['lr1dev-saml-iprovider'] = array(
    'SingleSignOnService'  => 'https://lr1dev.liferay.com/c/portal/saml/sso',
    'SingleLogoutService'  => 'https://lr1dev.liferay.com/c/portal/saml/slo',
    'certificate'          => 'custom-liferay-saml-iprovider.pem',
    'sign.logout' => true,
);

Here the ‘certificate’ attribute is optional; it may be used in some cases. In short, it is the certificate of the current IdP.

At this point the configuration of the SimpleSAMLphp app is complete, and we can proceed to the Liferay part.

3. We assume that the Liferay SAML 2.0 Provider plugin is already installed in the Liferay instance. Now we need to configure it to serve as an IdP. Navigate to the Liferay SAML configuration, General tab, specify the ID of the new IdP and generate a private key/certificate (generating these keys is required):

[Screenshot: General tab]

4. The Identity Provider tab should look like this:

[Screenshots: Identity Provider tab]

If there’s a need to retrieve custom fields (expandos) from the IdP, we can add them to “Attributes”, e.g. “expando:phone-number”.

5. Service Provider tab. Add the metadata URL of our source service provider (lr1dev-sp):

[Screenshot: Service Provider tab]

Alright, we are done with the configuration. It’s time to write a simple PHP page that uses our Service Provider to authenticate the user against the Liferay IdP. Here’s the code:

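<?php

require_once('../../simplesamlphp/lib/_autoload.php');

// Select our authentication source.
$as = new \SimpleSAML\Auth\Simple('lr1dev-sp');

// Request authentication. This redirects to the IdP, so call it before any output is sent.
$as->requireAuth();

// Read the attributes released by the IdP.
$attributes = $as->getAttributes();
//print_r($attributes);

// The attribute may be missing, and its value comes from outside this app: escape it before rendering.
$email = isset($attributes['emailAddress'][0]) ? $attributes['emailAddress'][0] : '';
$email = htmlspecialchars($email, ENT_QUOTES, 'UTF-8');
?>
<!DOCTYPE html>
<html>
    <head>
        <title>SAML Login</title>
    </head>
<body>

<h1>SAML test login</h1>

<?php
echo '<br/>Email address <b>' . $email . '</b> successfully authenticated on Liferay and logged back into application server.<br/><br/>';
?>

</body>
</html>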

When we launch this app, we are immediately redirected to the Liferay login page, and after a successful login we are redirected back to the app, where some Liferay user attributes are rendered.

That’s it: we have configured Liferay 7 DXP coupled with the SimpleSAMLphp app. I hope this post was useful.



Comments:

dhekitha Jun 26, 2019 at 08:42 #

Impressive. Your story always brings hope and new energy. Keep up the good work.

jothikumar Jul 02, 2019 at 08:40 #

Wow, it is really wonderful and awesome, thus it is very much useful for me to understand many concepts and helped me a lot. It is really explainable very well and I got more information from your blog.

jerlinejho Jul 20, 2019 at 15:29 #

I found this informative and interesting blog, so I think it's very useful and knowledgeable. I would like to thank you for the efforts you have made in writing this article.

jhothi Aug 17, 2019 at 11:35 #

It is amazing and wonderful to visit your site. Thanks for sharing this information, this is useful to me... Your good knowledge and kindness in playing with all the pieces were very useful. I don’t know what I would have done if I had not encountered such a step like this.
