This article documents the way to configure Liferay DXP 7.x as a Service Provider working with two SSO protocols (Okta using SAML 2.0 and Google OpenID Connect). The basic configuration can be achieved within Liferay out of the box, but extra custom code is required to make it fully functional. Both aspects are described in this article.
Basic Configuration
Okta – Liferay integration using SAML 2.0
Okta as an Identity provider and Liferay DXP as a Service Provider.
Step 1 - Okta Account Creation
- Create a test Okta account by clicking this link https://developer.okta.com/signup/. It will navigate to the Okta website.
- After providing the required details, an activation e-mail for the Okta developer account is sent to the address you entered. Clicking Activate your account activates the account and takes you to the Okta developer console.
Step 2 - Creation of Application in Okta
- In the left menu, click Applications > Applications > Create App Integration and select SAML 2.0 (since SAML is used for this integration).
- The Edit SAML Integration page appears. In General Settings, provide the app name, optionally upload a logo to display for your application, set the app visibility according to your use case, and click Next.
- This takes you to the Configure SAML page. Below are the important fields that must be configured.
- Click on Show Advanced Settings and select settings accordingly based on your needs.
- Configuring attribute statements is not needed unless user synchronization is required. In that case, configure the attributes Liferay needs in order to import the user from the IdP into the SP.
- Leave the remaining settings as is and then click Next.
- Under Feedback, select the second checkbox for the option Are you a customer or partner, then click Finish.
- Clicking Finish completes the Service Provider (Liferay) configuration on the IdP's (Okta's) end. Next, the IdP's Entity ID and metadata are needed to configure the SP's end. To get them, navigate to Applications, click the application (Liferay) created above, and open the Sign-On option.
- Click View Setup Instructions to download the metadata and to see the Entity ID.
- The Identity Provider Issuer is the Entity ID. Copy the metadata and save it as metadata.xml so it can be uploaded in Liferay's Identity Provider Connection settings. With this step, application creation is complete.
Step 3 - User Creation in Okta
- Go to Directory > People and click Add person.
- Once you enter the details, an account activation e-mail is sent to the respective email address.
- Clicking Activate Okta Account creates the account. Once the account is created, assign the user to the application (Liferay) created inside Okta.
- To do so, click the respective user and then Assign Application, which assigns the user to the application.
Step 4 - Liferay Configuration
- Start a vanilla Liferay DXP 7.3 bundle
- Go to Control Panel > Security > SAML Admin > General, set the SAML Role to Service Provider and the Entity ID to liferaysp.
- Create a certificate.
- In the Service Provider tab, keep the default settings.
- In the Identity Provider Connection tab, set the following (remember to upload Okta's metadata file):
- Go back to the General tab and enable the Service Provider.
- Add the Sign-In portlet to the home page (if SSO stops working, an administrator can still sign into the portal bypassing SSO).
- Open a new browser and click Sign In at the top right; the user is redirected to the Okta sign-in page.
- Fill in the username and password.
- The user is redirected back to the Liferay home page and signed in automatically.
Google OpenID Connect
Step 1 - Register Liferay DXP as an OAuth 2.0 Client in Google APIs
- Go to https://console.developers.google.com
- If no project exists, create a project.
- Refer to the documentation at https://developers.google.com/identity/protocols/oauth2/web-server#creatingcred. For example:
- Click Create credentials > OAuth client ID.
- Specify Authorized redirect URIs for your application: https://www.sp.com:8443/c/portal/login/openidconnect
- Obtain the OAuth credentials (client_id and client_secret) generated by the Google platform.
Step 2 - Liferay Configuration
- Configuring an OpenID Connect Provider Connection:
- Go to Control Panel > Configuration > System Settings > Security > SSO and select OpenID Connect Provider under the System Scope and follow these steps:
- Add the provider by clicking the Add button.
- Use the information you received from the provider to fill out the form:
- Provider Name: This name appears in the Sign-In portlet when users log in with OpenID Connect.
- OpenID Client ID: Provide the OAuth 2.0 Client ID you received from your provider.
- OpenID Connect Client Secret: Provide the OAuth 2.0 Client Secret you received from your provider.
- Discovery Endpoint: The remaining URLs are obtained through this endpoint, which is published by your OpenID Connect Provider. For example:
https://accounts.google.com/.well-known/openid-configuration
- Enable OpenID Connect authentication on DXP:
- Go to Control Panel > Configuration > System Settings > Security > SSO and select OpenID Connect under Virtual Instance Scope.
- Click the Enabled check box, and then click Save.
Note: You can also enable OpenID Connect authentication for the given virtual instance through the Control Panel > Configuration > Instance Settings > OpenID Connect tab.
- Access your portal (for example https://www.sp.com:8443)
- On the Sign-in portlet of the home page, click on the OpenID Connect link
- The default Google OIDC provider appears in the list
- Click the Sign-in button; this takes you to the Google Sign-in page
- Enter your credentials as usual
- After a successful login you are redirected back to the home page
Suggested Custom Code
Challenges
- Requesting private pages as guest always results in a SAML login
- Previously OIDC-authenticated users (for example with expired sessions) will go via SAML login
- More generally, any request to /c/portal/login will go via SAML
- Rendering the login portlet when SAML is enabled requires some modifications.
Solution
Implement com.liferay.saml.runtime.servlet.profile.SamlSpIdpConnectionsProfile#isEnabled in a @Component. It is invoked whenever the LoginAction (/c/portal/login) is called and is given the HttpServletRequest object. It is invoked once for each configured SAML IdP connection (also passed in). If all invocations return false, the normal login portlet renders, provided you have enabled that option on the SAML Admin "Service Provider" tab.
This may be sufficient if the SAML-or-not decision is based on staff versus non-staff, because staff requests are likely to come from a known subnet. Alternatively, the fronting web server may be able to tag the HTTP request somehow (with a header, for example).
If more per-user control is needed, a good approach is to channel the potential SAML logins through the login portlet as well. To achieve that, com.liferay.saml.runtime.servlet.profile.SamlSpIdpConnectionsProfile#isEnabled could return false whenever a special "useSAML" (arbitrarily named) HTTP request parameter is not present.
This causes the login portlet to always render, and you can then register a DynamicInclude to add a "SAML" link, similarly to how OpenID Connect does it. That link would need to point to /c/portal/login?useSAML. When clicked, it causes a redirection to the SAML IdP, or presents the user with a SAML IdP selection when multiple are available.
Logout also works fine, because it checks for an active SAML SP session prior to requesting logout from any SAML IdP.
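The following is an added example (not code from the original article or from Liferay) of the component described above: SAML is offered only when the "useSAML" request parameter is present, so every other request to /c/portal/login falls through to the normal login portlet. The method signature, the SamlSpIdpConnection import, and the package name are assumptions based on the article's description.

```java
// Added example, not from the original article: an OSGi component implementing
// SamlSpIdpConnectionsProfile so that SAML is used only on explicit request.
package com.example.saml.profile; // hypothetical package name

import com.liferay.saml.persistence.model.SamlSpIdpConnection;
import com.liferay.saml.runtime.servlet.profile.SamlSpIdpConnectionsProfile;

import javax.servlet.http.HttpServletRequest;

import org.osgi.service.component.annotations.Component;

@Component(immediate = true, service = SamlSpIdpConnectionsProfile.class)
public class ParameterSamlSpIdpConnectionsProfile
	implements SamlSpIdpConnectionsProfile {

	// Arbitrarily named request parameter, as suggested in the article:
	// the "SAML" link on the login portlet points to /c/portal/login?useSAML
	public static final String USE_SAML_PARAM = "useSAML";

	// Called once per configured IdP connection on every /c/portal/login
	// request (signature assumed from the article's description). Returning
	// false for every connection makes Liferay render the login portlet
	// instead of redirecting to an IdP; returning true lets the SAML flow
	// proceed (single IdP redirect, or IdP selection when several exist).
	@Override
	public boolean isEnabled(
		HttpServletRequest httpServletRequest,
		SamlSpIdpConnection samlSpIdpConnection) {

		return isSamlRequested(httpServletRequest);
	}

	// Only the presence of the parameter matters, so a bare "?useSAML"
	// (empty value) counts as present. This decision governs which login
	// path is offered; the IdP still performs the actual authentication.
	static boolean isSamlRequested(HttpServletRequest httpServletRequest) {
		return httpServletRequest.getParameterMap().containsKey(
			USE_SAML_PARAM);
	}

}
```

Because the component decides per IdP connection, the same check could be narrowed further (for example, by inspecting a header set by the fronting web server, as the article suggests for the staff/non-staff case) without changing how the login portlet is rendered.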