This guide shows you how to integrate Liferay Portal with WSO2's Identity Server. These are the basic settings with the goal of setting the user on the right track.
Resolution
Install, Start and Setup WSO2
Download the binary package here: WSO2 Identity Server.
You will need to register on the website in order to download the product. In this guide, version 4.6.0 is used. Install it following the steps in the installation guide: WSO2 Documentation-Installing the Product.
- Start the Server: WSO2 Documentation-Running the Product.
- By default, reach the server's management console here: https://localhost:9443/carbon
- Log in with admin (default credentials are admin/admin)
- Under the SAML SSO tab, register a new service provider and setup according to the screenshot:
- Issuer: liferaysamlspdemo
- Assertion Consumer URL: http://localhost:8080/c/portal/saml/acs
- NameID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
- Use fully qualified username in the NameID: unchecked
- Define Claim Uri for NameID: checked, select: http://wso2.org/claims/emailaddress
- Enable Response Signing: checked
- Enable Assertion Signing: checked
- Enable Signature Validation in Authentication Requests and Logout Requests: unchecked
- Enable Single Logout: unchecked
- Enable Attribute Profile: checked
- Added claims:
- Include Attributes in the Response Always: checked
Note: Issue with screen names. Liferay Portal needs an attribute called screenName for users to be created in the portal. This is not provided in WSO2 by default so substitute it with "im"
- Save your configuration by clicking the Register button.
- Under the Configure tab (upside down on the very left side) go to Users and Roles section > Roles
- Click Permissions for Internal/everyone, then allow users to login by marking the Login checkbox.
- Click the Update button at the bottom to save.
- Still under the Users and Roles section, but in this case in Users, add a test user with internal/everyone role.
- Click Add new User at Users and Roles/Users section.
- Domain: PRIMARY
- User Name: user1
- Define password there, click Next
- Select Internal/everyone role, click Finish
- After adding the user click User Profile and fill in the required attributes:
- First name, Last name
- Email, IM
- Click Update to save changes.
Enable SAML Service in Liferay Portal
You will need to modify some details; see them below.
- Enable SAML service according to this article: Setting Up Liferay Portal 6.1 EE as an SP.
- The genkey command will generate a file called
keystore.jks. - Copy this into the
${liferay_home}/data/directory. - In the
portal-ext.propertiesfile you will need to change the following properties to point to the WSO2 IdP:#Metadata for WSO2 saml.metadata.paths=${liferay.home}/data/IS_metadata.xml saml.sp.default.idp.entity.id=https://localhost:9443/samlsso saml.sp.session.keepalive.url=https://localhost:9443/samlsso saml.sp.user.attribute.mappings=screenName=http://wso2.org/claims/im\nemailAddress=http://wso2.org/claims/emailaddress\nfirstName=http://wso2.org/claims/givenname\nlastName=http://wso2.org/claims/lastnameNote: You will download this in the next step. - In this version of WSO2 IdP, download the
metadata.xmlfile from: WSO2-JIRA Issue-Identity-1202 - Copy it to the directory given below:
${liferay.home}/data/
- Start Liferay Portal and deploy the SAML plugin.
- Log out from the portal and log in with the Sign in link on the top right corner.
You should be redirected to the SAML login screen to authenticate. Use the same credentials you gave earlier for the test user.
Additional Information
In the above guide, we are using WSO2 IS 4.6.0. A drawback to this version is that the single logout does not work as they don't meet the SAML specification's found in section 4.4.4.2. According to WSO2-JIRA Issue-Identity-1998, the issue should be resolved in 5.0
Starting from SAML 6.1.20+ plugin, it is possible to configure Liferay Portal as an SP in Control Panel.
- 6.1 EE users please refer to: Integrating Liferay Users into Your Enterprise
- 6.2 EE users please refer to: Integrating Existing Users into Liferay