This article is a legacy article. It applies to previous versions of the Liferay product. While the article is no longer maintained, the information may still be applicable.
From a Liferay perspective, SAML 2.0 is available as an EE plugin. The plugin supports two operation modes: identity provider (IdP) and service provider (SP). The plugin is built on OpenSAML, is platform neutral, and is supported by many SaaS applications. For credentials, a Java keystore is used.
Affected Products
Liferay Portal 6.1 EE GA2
SAML Use Case #1 - Quick Start SAML Integration with Salesforce.com - [Liferay as IdP and SFDC as SP]
Resolution
I. Set up SAML
keytool -genkeypair -alias [name of the key] -keyalg RSA -keysize 2048 -keypass [password to the key] -storepass [password to the key store] -keystore data/keystore.jks
keytool -export -alias [name of the key] -storepass [password to the key store] -file liferaysamlidpdemo.crt -keystore data/keystore.jks
SAML Use Case #2 - Liferay as IdP to connect to two SPs
Most of the properties are configurable per SP (like the ones mentioned for Salesforce). More SPs can be added to the metadata paths property, separated by commas (,). Filesystem paths or URLs may be used.
SAML Use Case #3 - Two Instances of Liferay - One as IdP - Other as SP
This use case details how to set up two Liferay instances, one as IdP and the other as SP. It is not currently possible to set up a single instance of Liferay to act as both IdP and SP.
1. Configure the first instance as an IdP (see use case #1 for an example.)
2. Configure the second instance as an SP:
Here is a sample configuration for setting up the second instance as SP:
## SAML
saml.enabled=true
saml.role=sp
saml.entity.id=liferaysamlspdemo
saml.metadata.paths=http://localhost:8080/c/portal/saml/metadata
# Keystore
saml.keystore.type=jks
saml.keystore.path=${liferay.home}/data/keystore.jks
saml.keystore.password=liferay
saml.keystore.credential.password[liferaysamlspdemo]=liferay
# Service Provider
saml.sp.default.idp.entity.id=psosamldemo
saml.sp.sign.authn.request=true
saml.sp.assertion.signature.required=false
saml.sp.clock.skew=3000
saml.sp.user.attribute.mappings=screenName=screenName\ne
SAML Use Case #4 - Configure SSO id with Liferay user fields other than email address
1. For this use case, we will be setting up the email address as the id for Salesforce and screenName as the id for Google Apps.
This is performed with SP specific settings, such as:
saml.idp.metadata.name.id.format[https\://saml.salesforce.com]=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
2. Set the saml.idp.metadata.name.id.attribute property to set what is used for the nameid.
This can be any User attribute, and even expando (custom field) values if prefixed with expando:
3. After creating a Custom Field with expando, you can access it like this:
expando:myCustomAttributeName
saml.idp.metadata.name.id.attribute[https\://saml.salesforce.com]=expando:myCustomAttributeName
The emailAddress is the default User attribute if nothing is specified.
4. Assuming the configuration is for Google Apps, whose entity id is google.com, using screenName for the id, the resulting configuration would be:
saml.idp.metadata.name.id.attribute[google.com]=screenName
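The per-SP keys in use cases #3 and #4 are easy to get wrong, so here is an added audit script (not part of this article or of the Liferay SAML plugin) that reads such lines with java.util.Properties key rules and reports an entity id whose unescaped `:` cuts the key short, a malformed NameID format URN, a custom field missing the `expando:` prefix, and an SP that accepts unsigned assertions. The sample input is constructed and contains deliberate mistakes; the property names are the ones shown above.

```python
import re

# Constructed sample (not a real portal-ext.properties): per-SP keys from the use
# cases above, with deliberate mistakes to show what the audit flags.
SAMPLE = r"""
saml.sp.assertion.signature.required=false
saml.sp.clock.skew=3000
saml.idp.metadata.name.id.format[https://saml.salesforce.com]=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
saml.idp.metadata.name.id.format[google.com]=urn:oasis:names:tc:SAML;1.1:nameid-format:unspecified
saml.idp.metadata.name.id.attribute[https\://saml.salesforce.com]=expando.myCustomAttributeName
saml.idp.metadata.name.id.attribute[google.com]=screenName
"""

def parse_properties(text):
    """java.util.Properties line rules: the key ends at the first unescaped
    '=', ':' or whitespace; a backslash escapes the next character."""
    props = {}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#!":
            continue
        key, i, escaped = [], 0, False
        while i < len(line) and (escaped or line[i] not in "=: \t"):
            if escaped or line[i] != "\\":
                key.append(line[i])
            escaped = not escaped and line[i] == "\\"
            i += 1
        value = line[i:].lstrip(" \t")
        if value[:1] in ("=", ":"):
            value = value[1:].lstrip(" \t")
        props["".join(key)] = value
    return props

BRACKET_RE = re.compile(r"^(saml\.[\w.]+)\[([^\]]+)\]$")   # property[entity id]
NAMEID_RE = re.compile(r"^urn:oasis:names:tc:SAML:(1\.1|2\.0):nameid-format:\w+$")

def audit(props):
    """Return human-readable findings for the SAML keys shown in this article."""
    findings = []
    if props.get("saml.sp.assertion.signature.required", "true") == "false":
        findings.append("saml.sp.assertion.signature.required=false: unsigned assertions are accepted")
    for key, value in props.items():
        m = BRACKET_RE.match(key)
        if key.startswith("saml.") and "[" in key and m is None:
            findings.append(f"{key}: key cut at ':' - escape it as '\\:' inside the brackets")
        elif m and m.group(1).endswith("name.id.format") and not NAMEID_RE.match(value):
            findings.append(f"{key}: malformed NameID format URN {value!r}")
        elif m and m.group(1).endswith("name.id.attribute") and value.startswith("expando") and not value.startswith("expando:"):
            findings.append(f"{key}: custom field must be prefixed 'expando:', got {value!r}")
    return findings
```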
Additional Information
1. What if an IdP does not support metadata downloading? Does Liferay SP support installing a certificate (similar to Salesforce)?
SAML metadata XML must be provided, either through a URL or a file. If the IdP does not support SAML metadata, the XML file must be created manually.
2. What changes do I need in order to automatically provision users, when I SSO to Salesforce? I have already configured Salesforce from the following link: https://login.salesforce.com/help/doc/en/sso_saml.htm
At this moment, we do not have any reference configurations available. Testing for automatic provisioning has only occurred via Liferay SAML SP.
To provision with Liferay SAML SP, please add the following lines:
saml.idp.metadata.attributes.enabled[liferaysamlspdemo]=true
saml.idp.metadata.attribute.names[liferaysamlspdemo]=screenName,firstName,lastName,emailAddress,uuid
Here liferaysamlspdemo is the entity id of the SP.
3. When using Liferay as an IdP, can I add a Liferay expando attribute value as a customized SAML assertion attribute value? Is it possible to add a SAML assertion attribute “Customer Type” and when this subscriber is provisioned to SP, an expando value to the “Customer Type” attribute can be assigned?
Yes. This method is viable.
4. I'm getting a NullPointerException in the logs and an error on the page when trying to access metadata
See the resolution here.