Quick Start Guide to SAML on Liferay Portal 6.1 EE GA2

This article is a legacy article. It applies to previous versions of the Liferay product. While the article is no longer maintained, the information may still be applicable.

SAML (Security Assertion Markup Language) is an XML-based open standard data format for exchanging authentication and authorization data between identity providers and service providers. It was developed by OASIS in 2001 (SAML 1.0) with the latest update to the standard coming in 2005 (SAML 2.0).

From a Liferay perspective, SAML 2.0 is available as an EE plugin. The plugin supports two operation modes: identity provider (IdP) and service provider (SP). It is built on OpenSAML, is platform neutral, and is supported by many SaaS applications. The signing and encryption credentials are held in a Java keystore.

Affected Products

Liferay Portal 6.1 EE GA2

SAML Use Case #1 - Quick Start SAML Integration with Salesforce.com - [Liferay as IdP and SFDC as SP]

Resolution

 

I. Set up SAML

1. Create a keystore for the IdP
Create a keystore if you don't already have one. In your bundle's data folder, run the following (the -keystore argument is relative to the directory you run keytool from; the file must end up under $Liferay_Home/data, which is where the portal-ext.properties below points):
 
keytool -genkeypair -alias [name of the key] -keyalg RSA -keysize 2048 -keypass [password to the key] -storepass [password to the key store] -keystore data/keystore.jks
 
Answer the questions as prompted:
What is your first and last name?
[Unknown]: 
What is the name of your organizational unit?
[Unknown]: 
What is the name of your organization?
[Unknown]: 
What is the name of your City or Locality?
[Unknown]: 
What is the name of your State or Province?
[Unknown]: 
What is the two-letter country code for this unit?
[Unknown]: 
Is CN=xxxx, OU=xxxx, O=xxxx, L=xxxx, ST=xxxx, C=xxxx?
[no]: yes
 
Enter key password for
(RETURN if same as keystore password):
Re-enter new password:
 
After the key is generated, the keystore file appears in the data folder under $Liferay_Home:
[Screenshot: 01.JPG]
2. Export the certificate for salesforce.com:
keytool -export -alias [name of the key] -file liferaysamlidpdemo.crt -keystore keystore.jks
This requires the keystore password you set in step 1.
After the certificate is exported successfully, the following file appears in the data folder:
[Screenshot: 02.JPG]
 
II. Set up an account in salesforce.com
1. Create an account on http://www.salesforce.com
2. Go to Setup -> Security Controls -> Single Sign On Settings
3. Enable SAML Version 2
4. Add a new SAML Single Sign-On setting
5. Enter the configuration shown in the screenshot and save the setting
[Screenshot: 03.JPG]
6. Download the metadata XML file salesforce-meta.xml from Salesforce and save it to $liferay_home/data
 
III. portal-ext.properties
Add the following SAML properties to the portal-ext.properties file and save it.
saml.enabled=true
saml.role=idp
saml.entity.id=liferaysamlidpdemo
saml.require.ssl=false
saml.sign.metadata=true
saml.idp.authn.request.signature.required=true
saml.keystore.path=${liferay.home}/data/keystore.jks
saml.keystore.password=[Password you set for your keystore]
saml.keystore.type=jks
saml.keystore.credential.password[liferaysamlidpdemo]=[Password you set for your keystore]
saml.metadata.paths=${liferay.home}/data/salesforce-meta.xml
 
NOTE: Some of the values (entity id, passwords, paths) need to be updated to match your own setup.
 
IV. Portal Configuration
1. Download the SAML 2.0 Provider EE Portlet from Marketplace.
2. Boot up the Liferay 6.2 EE bundle.
3. Deploy the SAML 2.0 Provider EE Portlet.
4. Restart Liferay Portal.
5. Log in as Administrator and perform the following in Liferay Portal:
 
5.1. Create a user whose user name matches the account signed up in salesforce.com in section II.
5.2. Add a page to the site with the following information:
 
Name: Salesforce
Type: Link to URL
URL: /c/portal/saml/sso?entityId=https://saml.salesforce.com
[Screenshot: 04.JPG]
6. Sign in as the user created in step 5.1.
7. Click the page created in step 5.2.
 
Result:
If everything is configured correctly, after the user clicks the page created in step 5.2 they are redirected to salesforce.com without having to re-authenticate.

 

SAML Use Case #2 - Liferay as IdP to connect to two SPs

Most of the properties are configurable per SP, like the ones shown for Salesforce. More SPs can be added to the saml.metadata.paths property, separated by commas (,). Filesystem paths or URLs may be used.

 

SAML Use Case #3 - Two Instances of Liferay - One as IdP - Other as SP

This use case describes how to set up two Liferay instances, one as IdP and the other as SP. A single Liferay instance cannot currently act as both IdP and SP.

1. Configure the first instance as an IdP (see use case #1 for an example.)

2. Configure the second instance as an SP:

Here is a sample configuration for setting up the second instance as SP:

## SAML
saml.enabled=true
saml.role=sp
saml.entity.id=liferaysamlspdemo
saml.metadata.paths=http://localhost:8080/c/portal/saml/metadata
 
# Keystore
saml.keystore.type=jks
saml.keystore.path=${liferay.home}/data/keystore.jks
saml.keystore.password=liferay
saml.keystore.credential.password[liferaysamlspdemo]=liferay
 
# Service Provider
saml.sp.default.idp.entity.id=psosamldemo
saml.sp.sign.authn.request=true
saml.sp.assertion.signature.required=false
saml.sp.clock.skew=3000
saml.sp.user.attribute.mappings=screenName=screenName\ne
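The property blocks above (the IdP configuration in section III and this SP configuration) are read by the portal with java.util.Properties rules, and several of the values shown weaken a deployment if left as they are. The checker below is an added example written for this article, not code from Liferay or the SAML plugin: it parses a portal-ext.properties fragment the way the portal does and flags saml.require.ssl=false, saml.sp.assertion.signature.required=false (and the IdP-side saml.idp.authn.request.signature.required=false), placeholder or well-known keystore passwords, a missing saml.keystore.credential.password[...] entry for the configured entity id, and bracketed keys that were cut short at an unescaped colon. The sample fragment and the /opt/liferay home path are constructed.

```python
"""Audit the SAML section of a portal-ext.properties file.

Added example for this article, not code from Liferay or the SAML plugin.
The file is read with java.util.Properties rules, which is how the portal
reads it, and then checked for settings that weaken the deployment.
"""
import re

# A value left as the article's placeholder, e.g. "[Password you set for your keystore]"
PLACEHOLDER = re.compile(r"^\[.*\]$")
WELL_KNOWN_PASSWORDS = {"", "liferay", "changeit", "password"}


def parse_properties(text, liferay_home="/opt/liferay"):
    """Minimal java.util.Properties reader.

    A key ends at the first unescaped '=', ':' or whitespace, so a bracketed
    entity id that contains a URL must be written as [https\\://...].  Values
    keep their colons, and ${liferay.home} is expanded as the portal does
    (the home path is a constructed default).
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, value, escaped = "", "", False
        for i, char in enumerate(line):
            if escaped:                      # character after a backslash is literal
                key += char
                escaped = False
            elif char == "\\":
                escaped = True
            elif char in "=: \t":            # end of key; one separator may follow
                rest = line[i:].lstrip(" \t")
                if rest[:1] in ("=", ":"):
                    rest = rest[1:].lstrip(" \t")
                value = rest
                break
            else:
                key += char
        props[key] = value.replace("${liferay.home}", liferay_home)
    return props


def audit_saml_config(props):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    role = props.get("saml.role")
    if props.get("saml.enabled") != "true":
        findings.append("saml.enabled is not true: the SAML plugin stays inactive")
    if props.get("saml.require.ssl") == "false":
        findings.append("saml.require.ssl=false: SAML messages are allowed over plain HTTP")
    if role == "sp" and props.get("saml.sp.assertion.signature.required") == "false":
        findings.append("saml.sp.assertion.signature.required=false: assertions need not be signed")
    if role == "idp" and props.get("saml.idp.authn.request.signature.required") == "false":
        findings.append("saml.idp.authn.request.signature.required=false: AuthnRequests need not be signed")
    entity_id = props.get("saml.entity.id")
    credential_keys = sorted(k for k in props if k.startswith("saml.keystore.credential.password["))
    if entity_id and f"saml.keystore.credential.password[{entity_id}]" not in props:
        findings.append(f"no saml.keystore.credential.password[...] entry for entity id {entity_id!r}")
    for key in credential_keys + ["saml.keystore.password"]:
        value = props.get(key, "")
        if PLACEHOLDER.match(value) or value in WELL_KNOWN_PASSWORDS:
            findings.append(f"{key} is a placeholder or well-known default password")
    for key in props:
        if "[" in key and "]" not in key:  # key was cut at an unescaped ':' inside the brackets
            findings.append(f"key {key!r} is truncated: escape the colon as [https\\://...]")
    return findings


# Constructed sample in the shape of the SP configuration above, with the weak spots left in
SP_SAMPLE = """\
## SAML
saml.enabled=true
saml.role=sp
saml.entity.id=liferaysamlspdemo
saml.metadata.paths=http://localhost:8080/c/portal/saml/metadata

# Keystore
saml.keystore.type=jks
saml.keystore.path=${liferay.home}/data/keystore.jks
saml.keystore.password=liferay
saml.keystore.credential.password[liferaysamlspdemo]=liferay

# Service Provider
saml.sp.default.idp.entity.id=liferaysamlidpdemo
saml.sp.sign.authn.request=true
saml.sp.assertion.signature.required=false
saml.sp.clock.skew=3000
saml.idp.metadata.name.id.format[https://saml.salesforce.com]=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
"""

if __name__ == "__main__":
    for finding in audit_saml_config(parse_properties(SP_SAMPLE)):
        print("-", finding)
```

Run it against the real file with parse_properties(open(path).read()). An empty list from audit_saml_config() means nothing it knows about was flagged, not that the configuration is complete; the truncated-key check in particular is worth keeping, because a key cut at an unescaped colon silently becomes a different, ignored property rather than an error.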

 

SAML Use Case #4 - Configure the SSO id with Liferay user fields other than the email address

1. For this use case, we set up the email address as the id for Salesforce and screenName as the id for Google Apps.

This is done with SP-specific settings, such as (note the escaped colon in the bracketed entity id; an unescaped colon ends the key in a properties file, and the NameID format URN uses colons throughout):
saml.idp.metadata.name.id.format[https\://saml.salesforce.com]=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
 

2. Set the saml.idp.metadata.name.id.attribute property to choose which user attribute is used for the NameID.

This can be any User attribute, or an expando (custom field) value if prefixed with expando:

3. After creating a Custom Field (expando), reference it with the expando: prefix, for example:
expando:myCustomAttributeName
saml.idp.metadata.name.id.attribute[https\://saml.salesforce.com]=expando:myCustomAttributeName

emailAddress is the default User attribute if nothing is specified.

4. Assuming the configuration is for:
Google Apps
entity id: google.com
using screenName for the id
The resulting configuration would be:
saml.idp.metadata.name.id.attribute[google.com]=screenName

Additional Information

1. What if an IdP does not support metadata downloading? Does Liferay SP support installing a certificate (similar to Salesforce)?

SAML metadata XML must be provided, either through a URL or a file. If the IdP does not publish SAML metadata, the XML file must be created manually.
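When an IdP cannot publish metadata, the document named in saml.metadata.paths has to carry the same three things the SP needs: the IdP's entity id, its SSO endpoint and its signing certificate. The code below is an added example for this article (not Liferay's code or the plugin's): it builds such a minimal IdP EntityDescriptor with Python's standard xml.etree, reads the signing certificate back out of it, and renders the SHA-256 fingerprint in the colon-separated form keytool -list prints, so the certificate in a hand-written file can be compared with the one in the keystore. The certificate bytes are a constructed placeholder, not a real X.509 certificate; the entity id and the /c/portal/saml/sso endpoint follow the values used earlier in this article.

```python
"""Hand-build a minimal SAML 2.0 IdP metadata document and read the signing
certificate back out of it.

Added example for this article, not Liferay code.  It covers the case where an
IdP publishes no metadata and the file named in saml.metadata.paths has to be
written by hand.  The certificate bytes below are a constructed placeholder,
not a real X.509 certificate; in a real deployment you would paste the PEM
produced by keytool -export -rfc.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", NS_MD)
ET.register_namespace("ds", NS_DS)

CONSTRUCTED_DER = b"constructed placeholder, not a real DER certificate"
CONSTRUCTED_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(CONSTRUCTED_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)


def pem_body(pem):
    """Metadata carries the bare base64 DER, without the BEGIN/END lines."""
    return "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))


def build_idp_metadata(entity_id, sso_url, cert_pem, want_signed_requests=True):
    """Return an EntityDescriptor with one signing key and one HTTP-Redirect SSO endpoint."""
    ed = ET.Element(f"{{{NS_MD}}}EntityDescriptor", entityID=entity_id)
    idp = ET.SubElement(
        ed, f"{{{NS_MD}}}IDPSSODescriptor",
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol",
        WantAuthnRequestsSigned="true" if want_signed_requests else "false",
    )
    key = ET.SubElement(idp, f"{{{NS_MD}}}KeyDescriptor", use="signing")
    x509 = ET.SubElement(ET.SubElement(key, f"{{{NS_DS}}}KeyInfo"), f"{{{NS_DS}}}X509Data")
    ET.SubElement(x509, f"{{{NS_DS}}}X509Certificate").text = pem_body(cert_pem)
    ET.SubElement(idp, f"{{{NS_MD}}}NameIDFormat").text = (
        "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    )
    ET.SubElement(
        idp, f"{{{NS_MD}}}SingleSignOnService",
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", Location=sso_url,
    )
    return ET.tostring(ed, encoding="unicode")


def signing_certs(metadata_xml):
    """DER bytes of every certificate usable for signing (use="signing" or no use attribute)."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iter(f"{{{NS_MD}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter(f"{{{NS_DS}}}X509Certificate"):
            certs.append(base64.b64decode("".join(cert.text.split())))
    return certs


def fingerprint(der):
    """SHA-256 fingerprint in the colon-separated form keytool -list prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


if __name__ == "__main__":
    xml = build_idp_metadata(
        "liferaysamlidpdemo", "http://localhost:8080/c/portal/saml/sso", CONSTRUCTED_CERT_PEM
    )
    print(xml)
    for der in signing_certs(xml):
        print("signing cert SHA-256:", fingerprint(der))
```

A certificate listed under a KeyDescriptor with use="encryption" is deliberately ignored by signing_certs(), since it must not be trusted to verify signatures; a KeyDescriptor with no use attribute applies to both and is kept.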
 

2. What changes do I need in order to automatically provision users, when I SSO to Salesforce? I have already configured Salesforce from the following link: https://login.salesforce.com/help/doc/en/sso_saml.htm

At this time, we do not have any reference configurations available. Automatic provisioning has only been tested via the Liferay SAML SP.

To provision with the Liferay SAML SP, add the following lines:
saml.idp.metadata.attributes.enabled[liferaysamlspdemo]=true
saml.idp.metadata.attribute.names[liferaysamlspdemo]=screenName,firstName,lastName,emailAddress,uuid


liferaysamlspdemo is the entity id of the SP.
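The per-SP NameID settings of use case #4 and the attribute settings just above together decide what the IdP puts into the assertion's Subject and AttributeStatement for each SP. The following is an added example written for this article, not Liferay's code: it applies those properties (per-SP value first, then the global key, then the default) to a user record, resolves the expando: prefix for custom fields, and refuses to build a subject with an empty NameID. The configuration dict and user record are constructed, with keys already unescaped the way the portal sees them after reading the properties file; the default NameID format constant is an assumption, while the default attribute emailAddress is the one the article states.

```python
"""Model how an IdP chooses the NameID and attributes it sends to a given SP.

Added example for this article, not Liferay's own code.  It applies the
per-SP saml.idp.metadata.name.id.* and saml.idp.metadata.attribute* settings
to a user record and returns what would go into the assertion's Subject and
AttributeStatement.
"""

# Assumed default NameID format when neither a per-SP nor a global value is set.
DEFAULT_NAME_ID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
DEFAULT_NAME_ID_ATTRIBUTE = "emailAddress"  # the default the article states

# Constructed configuration; keys are shown as the portal sees them after
# reading the file, i.e. with the "\:" escapes already removed.
IDP_CONFIG = {
    # Salesforce: SAML 1.1 "unspecified" format, value taken from a custom field
    "saml.idp.metadata.name.id.format[https://saml.salesforce.com]":
        "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "saml.idp.metadata.name.id.attribute[https://saml.salesforce.com]":
        "expando:myCustomAttributeName",
    # Google Apps: the screen name is the id
    "saml.idp.metadata.name.id.attribute[google.com]": "screenName",
    # Liferay SP: ship a fixed attribute set with the assertion for provisioning
    "saml.idp.metadata.attributes.enabled[liferaysamlspdemo]": "true",
    "saml.idp.metadata.attribute.names[liferaysamlspdemo]":
        "screenName,firstName,lastName,emailAddress,uuid",
}

# Constructed user record; "expando" holds the custom fields.
CONSTRUCTED_USER = {
    "screenName": "jdoe",
    "firstName": "Jane",
    "lastName": "Doe",
    "emailAddress": "jdoe@example.com",
    "uuid": "00000000-0000-4000-8000-000000000001",
    "expando": {"myCustomAttributeName": "gold"},
}


def per_sp(config, key, entity_id, default):
    """Per-SP value key[entityId], falling back to the global key, then the default."""
    return config.get(f"{key}[{entity_id}]", config.get(key, default))


def user_value(user, attribute):
    """Resolve a user field; the 'expando:' prefix selects a custom field."""
    if attribute.startswith("expando:"):
        return user.get("expando", {}).get(attribute[len("expando:"):])
    return user.get(attribute)


def build_subject(config, entity_id, user):
    """Return the NameID format, NameID value and attribute map for one SP."""
    attribute = per_sp(config, "saml.idp.metadata.name.id.attribute", entity_id, DEFAULT_NAME_ID_ATTRIBUTE)
    name_id_format = per_sp(config, "saml.idp.metadata.name.id.format", entity_id, DEFAULT_NAME_ID_FORMAT)
    name_id = user_value(user, attribute)
    if not name_id:
        # Never issue an assertion with an empty subject: the SP could map it to
        # the wrong account or provision a fresh one.
        raise ValueError(f"user {user.get('screenName')!r} has no value for {attribute!r}")
    attributes = {}
    if per_sp(config, "saml.idp.metadata.attributes.enabled", entity_id, "false") == "true":
        names = per_sp(config, "saml.idp.metadata.attribute.names", entity_id, "")
        for name in (n.strip() for n in names.split(",")):
            value = user_value(user, name) if name else None
            if value is not None:
                attributes[name] = value
    return {"name_id_format": name_id_format, "name_id": name_id, "attributes": attributes}


if __name__ == "__main__":
    for sp in ("https://saml.salesforce.com", "google.com", "liferaysamlspdemo"):
        print(sp, "->", build_subject(IDP_CONFIG, sp, CONSTRUCTED_USER))
```

The attribute list is only emitted for SPs where saml.idp.metadata.attributes.enabled[...] is true, so an SP that was never meant to receive profile data gets a bare subject; a user missing the configured NameID source fails loudly rather than being asserted under an empty identifier.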
 

3. When using Liferay as an IdP, can I add a Liferay expando attribute value as a customized SAML assertion attribute value? Is it possible to add a SAML assertion attribute “Customer Type” and when this subscriber is provisioned to SP, an expando value to the “Customer Type” attribute can be assigned?

Yes. This method is viable.

4. I'm getting a NullPointerException in the logs and an error on the page when trying to access metadata.

See the resolution here.

 
