Liferay 7 DXP + SAML single sign-on (SSO)
by Stanislav on Tuesday May 01, 2018
Hi there, this post is dedicated to the topic of SSO authentication within Liferay 7 DXP. Single sign-on is a popular feature that lets users access multiple applications with the same credentials without logging in again. SAML is an XML-based language that lets separate parties exchange the messages needed to validate and authenticate a user.
1. As a first step, after SimpleSAMLphp has been installed, we need to configure our custom authentication source, which in our case is a SAML service provider (SP).
An authentication source is responsible for authenticating the user, typically by getting a username and password, and looking it up in some sort of database.
Our Authentication Source should be added to /simplesamlphp/config/authsources.php:
    'lr1dev-sp' => array(
        'saml:SP',

        // The entity ID of this SP.
        // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
        'entityID' => null,

        // The entity ID of the IdP this SP should contact.
        // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
        'idp' => 'lr1dev-saml-iprovider',

        // The URL to the discovery service.
        // Can be NULL/unset, in which case a builtin discovery service will be used.
        'discoURL' => null,

        // Key pair used to sign the messages this SP sends to the IdP (needed for logout, see below).
        'privatekey' => 'signmessages.pem',
        'certificate' => 'signmessages.crt',
    ),
Note: privatekey and certificate point to a custom-generated key pair. They are optional, but required if you want to let the user log out through the IdP; without them a "Request not signed" exception is thrown. See sign.logout in the next section.
2. In this step we specify the entity ID of the target IdP (Liferay, in our case) that our SP will talk to. This entity ID goes into /simplesamlphp/metadata/saml20-idp-remote.php:
    $metadata['lr1dev-saml-iprovider'] = array(
        'SingleSignOnService' => 'https://lr1dev.liferay.com/c/portal/saml/sso',
        'SingleLogoutService' => 'https://lr1dev.liferay.com/c/portal/saml/slo',
        'certificate'         => 'custom-liferay-saml-iprovider.pem',
        'sign.logout'         => true,
    );
Here the 'certificate' attribute is optional and only needed in some cases. In short, it is the certificate of this IdP.
At this point the SimpleSAMLphp configuration is complete, and we can proceed to the Liferay part.
3. We assume that the Liferay SAML 2.0 Provider plugin is already installed in the Liferay instance. Now we need to configure it to serve as an IdP. Navigate to the Liferay SAML configuration, General tab, specify the ID of the new IdP and generate a private key/certificate (generating these keys is required):
4. The Identity Provider tab should look like this:
If custom fields (expandos) need to be retrieved from the IdP, add them to the "Attributes" field, e.g. "expando:phone-number".
5. Service Provider tab. Add our service provider (lr1dev-sp) by its metadata URL:
Alright, we are done with the configuration; it's time to write a simple PHP page that uses our service provider to authenticate a user against the Liferay IdP. Here's the code:
    <!DOCTYPE html>
    <html>
    <head>
        <title>SAML Login</title>
    </head>
    <body>
    <h1>SAML test login</h1>
    <?php
    require_once('../../simplesamlphp/lib/_autoload.php');

    // select our authentication source:
    $as = new \SimpleSAML\Auth\Simple('lr1dev-sp');

    // request authentication (redirects to the Liferay login page if there is no session yet)
    $as->requireAuth();

    // print credentials: SimpleSAMLphp returns every attribute as an array of values,
    // so take the first value and HTML-escape it before rendering
    $attributes = $as->getAttributes();
    //print_r($attributes);
    $email = htmlspecialchars($attributes["emailAddress"][0] ?? '', ENT_QUOTES, 'UTF-8');
    echo '<br/>Email address <b>' . $email . '</b> successfully authenticated on Liferay and logged back into application server.<br/><br/>';
    ?>
    </body>
    </html>
When we launch this app, we are immediately redirected to the Liferay login page, and after a successful login we are sent back to the app, where some Liferay user attributes are rendered.
That's it: we have configured Liferay 7 DXP as an IdP coupled with the SimpleSAMLphp app. I hope this post was useful.
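As an added example (not code from the original post), here is the same test page extended with the logout-through-the-IdP case that the note in step 1 refers to, with a fixed return URL and with attribute values escaped before they are rendered. It assumes the lr1dev-sp authentication source and the emailAddress attribute from the post; APP_URL is a placeholder for the absolute URL of this page.

```php
<?php
require_once('../../simplesamlphp/lib/_autoload.php');

// Placeholder (assumption): absolute URL of this page. A fixed value is used
// rather than the Host header so the IdP is never asked to return the browser
// to an attacker-chosen address.
const APP_URL = 'https://app.example.com/saml-test/index.php';

$as = new \SimpleSAML\Auth\Simple('lr1dev-sp');

if (isset($_GET['logout'])) {
    // Sends a LogoutRequest to the SingleLogoutService from saml20-idp-remote.php.
    // With 'sign.logout' => true it is signed with signmessages.pem, which is why
    // the key pair in authsources.php is needed here. Does not return.
    $as->logout(APP_URL);
}

// Redirects to the Liferay login page when there is no SP session yet and
// brings the user back to this page afterwards.
$as->requireAuth(['ReturnTo' => APP_URL]);

// Every attribute is an array of values; take the first one and HTML-escape it,
// since the value comes from the IdP response, not from this application.
$attributes = $as->getAttributes();
$email      = htmlspecialchars($attributes['emailAddress'][0] ?? '(not released)', ENT_QUOTES, 'UTF-8');
$logoutHref = htmlspecialchars(APP_URL . '?logout=1', ENT_QUOTES, 'UTF-8');
?>
<!DOCTYPE html>
<html>
<head><title>SAML Login</title></head>
<body>
<h1>SAML test login</h1>
<p>Email address <b><?= $email ?></b> successfully authenticated on Liferay.</p>
<p><a href="<?= $logoutHref ?>">Log out through the Liferay IdP</a></p>
</body>
</html>
```

Following the logout link should produce a signed LogoutRequest to /c/portal/saml/slo; if Liferay answers that the request is not signed, the privatekey/certificate pair from step 1 is missing or unreadable.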