Using MS ADFS & Liferay SAML Integration

Liferay Support does not recommend or endorse specific third-party products over others. Liferay is not responsible for any instructions herein or referenced regarding these products. Any implementation of these principles is the responsibility of the subscriber.

This article documents a proof of concept for setting up a Digital Experience Platform (DXP) instance as a SAML Service Provider (SP) connected to Microsoft Active Directory Federated Service (ADFS) as an Identity Provider (IdP). This implementation enables users to execute a Single Sign On (SSO) action from Liferay DXP. 

This article is a general checklist and proof of concept implementation.  Administrators should always consult third-party documentation pertaining to ADFS before starting this process.

Resolution

For demonstration purposes, we used Apache Tomcat as our application server; some of the steps are for Tomcat 8.0 or 9.0 but can still be adapted for other application servers.

Checklist

  1. Verify ADFS Settings
  2. Create Aliases
  3. Enable HTTPS
  4. Configure DXP 7.x as SP
  5. Adding the Relying Party Trust to ADFS
  6. Create a Signature to the SAML Response
  7. Execute SSO from the Service Provider

Verify ADFS Settings

  1. Verify that ADFS has been configured correctly initially.
  2. Verify that all the users and their credentials have been created or imported into the ADFS server. This is extremely important because SSO/SLO depends on matching users and credentials between ADFS and the Liferay instance serving as the SP.
  3. Verify that all the users are active.
  4. Obtain either the federation-metadata.xml or the URL. This needs to be imported into DXP 7.x.

Create Aliases

As a best practice, we discovered that IP addresses could not be used as an alias. Rather, it was necessary to create an alias, or reuse a generic host name, in the hosts file:

{IP address} | {domain name}
for example: 192.168.84.139 | liferay-bdba6af.testdom.local

Enable HTTPS

It is necessary to enable HTTPS in the application server.

  1. Generate the Java .keystore and put it in a folder.
  2. Navigate to the ${tomcat_home}/conf/server.xml file.
  3. Enter
    <Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
    maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS" keystoreFile="[keystore_dir]/.keystore" keystorePass="[key_password]" />
    
    where {keystore_dir} refers to the folder where the keystore is (for example, C:/users/liferay/documents) and keystorePass="[key_password]" refers to the keystore's password.
  4. Enable the secure ports to be directed to *443. In Tomcat, this is usually 8443; in WebSphere, usually 9443. Enter
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" URIEncoding="UTF-8" />
    

Configure DXP 7.x as SP

Documentation already exists to guide administrators in configuring Liferay DXP as a SAML Service Provider. Obviously, remember to deploy the appropriate SAML Connector to the DXP instance first.

There are few things to note when it comes with integrating Liferay DXP with ADFS:

  1. When generating the SAML SP Metadata, verify HTTPS is used (https://liferay-bdba6af.testdom.local/c/portal/saml/metadata )
  2. Never check the Remember Me check box when signing in. This negates all SSO/SLO.
  3. The following settings have to be enabled on the Service Provider tab:
    • Assertion Signature Required
    • SSL Required
    • Enabled LDAP Import

    adfs_saml01.png
  4. On the Identity Provider tab, enter the following:
    • Name: ADFS
    • Entity ID: https://[ADFS server name]/FederationMetadata/2007-06/FederationMetadata.xml
    • Metadata URL: https://[ADFS server name]/FederationMetadata/2007-06/FederationMetadata.xml (Note: using the metadata URL enables uninterrupted integration by allowing the SP to receive updated metadata after any IdP changes.)
    • Name Identifier Format: Unspecified
    • Attribute Mapping:
      saml.sp.user.attribute.mappings=\http\\://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress=emailAddress\n\http\\://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname=firstName\n\http\\://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname=lastName\n\http\\://schemas.xmlsoap.org/claims/CommonName=screenName
      				

Checkpoint:

  • ADFS is up and running.
  • An alias has been created.
  • HTTPS has been enabled on the application server.
  • A DXP 7.0 or 7.1 instance is running and the SAML Connector has been deployed.
  • The DXP 7.x instance has been configured as a SP.

Adding the Relying Party Trust to ADFS

Perhaps this is the most critical step where the SP's metadata is imported into ADFS. There is a CR Rule and a TR Rule which dictate the trust relationship and LDAP mappings.

CR Rule

LDAP Attribute Outgoing Claim Type
SAM-Account-Name Common Name
E-Mail-Address E-Mail Address
Given-Name Given Name
Surname Surname

TR Rule

When creating a TR Rule, enter the following:

  • Claim Rule: {whatever}
  • Rule Template: Transform an Incoming Claim
  • Incoming claim type: Common Name
  • Outgoing claim type: Name ID
  • Outgoing name ID format: Unspecified
  • Pass through all claim values

Create a Signature to the SAML Response

Requests from ADFS to Liferay must be signed.

The SamlResponseSignature MessageAndAssertion must be added to the Relying Party Trust. That way, the DXP SP instance can accept both signed messages and assertions as valid responses.

Execute SSO from the SP

Once ADFS and Liferay DXP are active, you can verify that they are indeed connected by using an SP initiated SSO. In the DXP instance, click the Sign In link. This should redirect into ADFS.

Was this article helpful?
4 out of 5 found this helpful