Issue
- This article describes a use case where it may be desirable to allow some users to authenticate through a SAML Identity Provider (IdP) only, while other users authenticate with their Liferay credentials in the Login portlet.
Environment
- Liferay DXP 7.4
Resolution
- While the solution to this is not explicitly available out of the box, a workaround is available.
- After enabling Liferay as the Service Provider (SP) and connecting it to an Identify Provider (IdP), ensure that the "Allow showing the login portlet" setting is enabled in the Service Provider settings. Doing this will allow the login portlet to be displayed when there are no matches to the SAML IdP login request.
The official explanation of this property is as follows:
"Allow the login portlet to appear when no SAML IdP is matched to the login request. Users in this scenario log in locally to Liferay DXP." - If you would like the users who are authenticating via SAML to only be able to authenticate by SAML (as opposed to their Liferay password through the Login Portlet), change those users' Liferay passwords through Control Panel > Users and Organizations, modifying the passwords of those who wish to authenticate via SAML only.
- What will happen is that the users who authenticate via SAML will have their credentials authenticated via the Identity Provider. The remaining users who do not have entries within the SAML IdP will be redirected to the fallback and authenticate with their Liferay credentials.
Additional Information
Subscriber Exclusive Content
A Liferay Enterprise Subscription provides access to over 1,500 articles that include best practices, troubleshooting, and other valuable solutions. Sign in for full access.
Sign In