To change the SAML Service Provider Settings, navigate to the Service Provider tab.
The Service Provider tab includes these options:
Require Assertion Signature?: Check this box to require each SAML assertion to carry its own XML signature, in addition to the signature on the SAML message (the Response) that carries it.
Clock Skew: A tolerance, in milliseconds, that the Service Provider applies when comparing an assertion's validity times against its own clock, to absorb differences between the Identity Provider's and the Service Provider's clocks. This usually only matters when assertions are issued to expire very quickly.
LDAP Import Enabled: Check this box to import user information from the configured LDAP connection based on the resolved NameID. LDAP connections can be configured from Instance Settings.
Sign Authn Requests: Check this box to sign the AuthnRequest even if the Identity Provider metadata indicates that it's not required.
Sign Metadata: Check this box to sign the metadata XML file.
SSL Required: Check this box to reject SAML messages that are not sent over HTTPS. This does not affect how URLs are generated.
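To make the Clock Skew setting concrete (the same option appears again on the Identity Provider Connection tab), here is an added example, not code from Liferay or its SAML connector, of how an SP applies a millisecond skew tolerance to an assertion's NotBefore and NotOnOrAfter conditions. The assertion lifetime, timestamps and skew values are constructed for the example; the NotBefore-inclusive, NotOnOrAfter-exclusive comparison follows the SAML 2.0 Core specification.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


def parse_saml_instant(value: str) -> datetime:
    """Parse an xs:dateTime as it appears in SAML, e.g. '2024-05-01T12:00:00Z'."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:  # SAML instants are UTC; treat a naive value as UTC
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def check_validity_window(not_before: Optional[str], not_on_or_after: Optional[str],
                          now: datetime, clock_skew_ms: int) -> Tuple[bool, str]:
    """Apply <Conditions NotBefore= NotOnOrAfter=> with an SP-side skew tolerance.

    NotBefore is inclusive and NotOnOrAfter is exclusive (SAML Core 2.5.1). The skew
    widens the accepted window on both sides, so a large value also widens the window
    in which a captured assertion could be replayed. Returns (accepted, reason).
    """
    skew = timedelta(milliseconds=clock_skew_ms)
    if not_before is not None:
        nb = parse_saml_instant(not_before)
        if now + skew < nb:
            return False, f"not yet valid: NotBefore={not_before}"
    if not_on_or_after is not None:
        noa = parse_saml_instant(not_on_or_after)
        if now - skew >= noa:
            return False, f"expired: NotOnOrAfter={not_on_or_after}"
    return True, "within validity window"


# Constructed sample: an IdP that issues assertions with a 5-second lifetime.
SAMPLE_NOT_BEFORE = "2024-05-01T12:00:00Z"
SAMPLE_NOT_ON_OR_AFTER = "2024-05-01T12:00:05Z"


def demo() -> Tuple[Tuple[bool, str], Tuple[bool, str]]:
    """Same assertion, arriving when the SP's clock reads 12:00:06.5, with and without skew."""
    sp_now = parse_saml_instant("2024-05-01T12:00:06.500Z")
    strict = check_validity_window(SAMPLE_NOT_BEFORE, SAMPLE_NOT_ON_OR_AFTER, sp_now, 0)
    tolerant = check_validity_window(SAMPLE_NOT_BEFORE, SAMPLE_NOT_ON_OR_AFTER, sp_now, 3000)
    return strict, tolerant


if __name__ == "__main__":
    for label, (ok, why) in zip(("skew=0ms", "skew=3000ms"), demo()):
        print(f"{label}: {'accept' if ok else 'reject'} ({why})")
```

With a 5-second assertion lifetime, 1.5 seconds of clock difference is enough to reject every login at skew 0, while 3000 ms of tolerance accepts it. Keep the value as small as your clock synchronization allows: every millisecond of skew is also a millisecond longer that a replayed assertion stays acceptable.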
Changing the SAML Identity Provider Connection Settings
To configure Liferay DXP’s SAML Identity Provider Settings, navigate to the Identity Provider Connection tab of the SAML Admin portlet and click the Edit action button on the IdP you want to configure.
Name: The name of the Identity Provider with which to connect.
Entity ID: The Identity Provider’s entity ID. This value must match the entity ID declared in the Identity Provider metadata.
Enabled: Check the box to enable this IdP.
Clock Skew: A tolerance, in milliseconds, that the Service Provider applies when comparing an assertion's validity times against its own clock, to absorb differences between this Identity Provider's clock and the Service Provider's. This usually only matters when assertions are issued to expire very quickly.
Force Authn: Check this box to have the Service Provider set ForceAuthn in its AuthnRequest, asking the Identity Provider to re-authenticate the user even if the user already has an active session at the Identity Provider, before the Service Provider verifies the user.
Metadata: You can provide a URL to the Identity Provider metadata XML file or you can manually upload it. If you provide a URL, the XML file is automatically retrieved and periodically polled for updates. You can change the update interval in System Settings by modifying the Runtime Metadata Refresh Interval property which specifies a number of seconds. If fetching the metadata XML file by URL fails, you can’t enable the Identity Provider connection. If the metadata is inaccessible via URL, you can upload the XML file manually. In this case, the metadata XML file is not updated automatically.
Name Identifier Format: Choose the Name Identifier Format used in the SAML Response. Set this according to what the Service Provider expects to receive. For Liferay Service Providers, any selection other than email address means the Name Identifier is treated as the user's screen name. The formats have no special meaning to Liferay Identity Providers. The Name Identifier attribute defines the NameID value.
Attribute Mapping: Attribute mapping is done from the attribute name or friendly name in the SAML Response to the Liferay DXP attribute name. For example, if you want to map a response attribute named mail to the Liferay DXP attribute emailAddress, enter the following mapping:
    mail=emailAddress
Available Liferay DXP attributes are: emailAddress, screenName, firstName, lastName, modifiedDate, and uuid.
Keep Alive URL: If users are logged into several Liferay DXP SP instances via a Liferay DXP IdP, their sessions can be kept alive as long as they keep a browser window open to one of them. Configure this only if the IdP is Liferay DXP. The URL is https://[IdP host name]/c/portal/saml/keep_alive. On the Liferay DXP IdP, configure this URL the same way, but point back to this SP.
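The Name Identifier Format and Attribute Mapping settings above decide how a received assertion is turned into a Liferay user. The following is an added example, not Liferay's own code, that parses mapping lines in the mail=emailAddress form, rejects targets that are not among the six Liferay DXP attributes listed, resolves response attributes by either Name or FriendlyName, and applies the page's rule that an emailAddress-format NameID identifies the user by email while any other format identifies by screen name. The assertion fragment and mapping text are constructed for the example and carry no signature; in a real SP the message and assertion signatures are verified before any of this runs.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# The Liferay DXP attributes the page lists as valid mapping targets.
LIFERAY_ATTRIBUTES = {"emailAddress", "screenName", "firstName", "lastName", "modifiedDate", "uuid"}


def parse_attribute_mapping(text: str) -> Dict[str, str]:
    """Parse 'samlName=liferayAttribute' lines (one per line, as entered in the
    Attribute Mapping field) and reject targets that are not Liferay DXP attributes."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"malformed mapping line: {line!r}")
        saml_name, liferay_name = (part.strip() for part in line.split("=", 1))
        if liferay_name not in LIFERAY_ATTRIBUTES:
            raise ValueError(f"{liferay_name!r} is not a Liferay DXP attribute ({line!r})")
        mapping[saml_name] = liferay_name
    return mapping


def response_attributes(assertion_xml: str) -> Dict[str, List[str]]:
    """Collect AttributeStatement values keyed by both Name and FriendlyName,
    because a mapping line may use either."""
    root = ET.fromstring(assertion_xml)
    found: Dict[str, List[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        for key in (attr.get("Name"), attr.get("FriendlyName")):
            if key:
                found.setdefault(key, values)
    return found


def resolve_name_id(assertion_xml: str) -> Dict[str, str]:
    """Page rule for Liferay SPs: an emailAddress-format NameID is matched as
    emailAddress; any other format is matched as screenName."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find(".//saml:Subject/saml:NameID", SAML_NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no NameID")
    key = "emailAddress" if name_id.get("Format", "") == NAMEID_EMAIL else "screenName"
    return {key: name_id.text.strip()}


def build_user(mapping: Dict[str, str], assertion_xml: str) -> Dict[str, str]:
    """Apply the mapping to one assertion: the NameID decides which user is matched,
    mapped attributes fill in the rest. Only the first value of each attribute is used."""
    user = resolve_name_id(assertion_xml)
    attrs = response_attributes(assertion_xml)
    for saml_name, liferay_name in mapping.items():
        values = attrs.get(saml_name)
        if values:
            user[liferay_name] = values[0]
    return user


# Constructed sample assertion fragment (not a real IdP response; unsigned).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
      <saml:AttributeValue>jane@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed mapping text in the form the Attribute Mapping field accepts.
SAMPLE_MAPPING = """mail=emailAddress
givenName=firstName
sn=lastName
uid=screenName"""

if __name__ == "__main__":
    print(build_user(parse_attribute_mapping(SAMPLE_MAPPING), SAMPLE_ASSERTION))
```

Note that the mail attribute is found through its FriendlyName even though its Name is an OID, which is the case the page's "attribute name or friendly name" wording covers. Rejecting unknown targets at parse time catches a typo such as email instead of emailAddress before it silently leaves a field unpopulated on every login.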
Save your changes when you are finished configuring the Liferay DXP instance as a service provider. There is no need to restart the server: the changes are applied immediately.
Make the above configurations through the SAML Control Panel interface and not via properties. Some features of the Liferay Connector to SAML 2.0 app are not available as properties.