Setup Guide for Liferay and WSO2 Identity Server SAML Integration

This guide shows you how to integrate Liferay Portal with WSO2's Identity Server. These are the basic settings with the goal of setting the user on the right track.


Install, Start and Setup WSO2

Download the binary package here: WSO2 Identity Server.

You will need to register on the website in order to download the product. In this guide, version 4.6.0 is used. Install it following the steps in the installation guide: WSO2 Documentation-Installing the Product.

  1. Start the Server: WSO2 Documentation-Running the Product.
  2. By default, reach the server's management console here: https://localhost:9443/carbon
  3. Log in with admin (default credentials are admin/admin)
  4. Under the SAML SSO tab, register a new service provider and setup according to the screenshot:


    1. Issuer: liferaysamlspdemo
    2. Assertion Consumer URL: http://localhost:8080/c/portal/saml/acs
    3. NameID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    4. Use fully qualified username in the NameID: unchecked
    5. Define Claim Uri for NameID: checked, select:
    6. Enable Response Signing: checked
    7. Enable Assertion Signing: checked
    8. Enable Signature Validation in Authentication Requests and Logout Requests: unchecked
    9. Enable Single Logout: unchecked
    10. Enable Attribute Profile: checked
    11. Added claims:
    12. Include Attributes in the Response Always: checked
      Note: Issue with screen names. Liferay Portal needs an attribute called screenName for users to be created in the portal. This is not provided in WSO2 by default so substitute it with "im"
  5. Save your configuration by clicking the Register button.
  6. Under the Configure tab (upside down on the very left side) go to Users and Roles section > Roles
  7. Click Permissions for Internal/everyone, then allow users to login by marking the Login checkbox.
  8. Click the Update button at the bottom to save.
  9. Still under the Users and Roles section, but in this case in Users, add a test user with internal/everyone role.
  10. Click Add new User at Users and Roles/Users section.
    1. Domain: PRIMARY
    2. User Name: user1
    3. Define password there, click Next
  11. Select Internal/everyone role, click Finish
  12. After adding the user click User Profile and fill in the required attributes:
    1. First name, Last name
    2. Email, IM
  13. Click Update to save changes.

Enable SAML Service in Liferay Portal

You will need to modify some details; see them below.

  1. Enable SAML service according to this article: Setting Up Liferay Portal 6.1 EE as an SP.
  2. The genkey command will generate a file called keystore.jks.
  3. Copy this into the ${liferay_home}/data/ directory.
  4. In the file you will need to change the following properties to point to the WSO2 IdP:
    #Metadata for WSO2
    Note: You will download this in the next step.
  5. In this version of WSO2 IdP, download the metadata.xml file from: WSO2-JIRA Issue-Identity-1202
  6. Copy it to the directory given below:
    1. ${liferay.home}/data/
  7. Start Liferay Portal and deploy the SAML plugin.
  8. Log out from the portal and log in with the Sign in link on the top right corner.

You should be redirected to the SAML login screen to authenticate. Use the same credentials you gave earlier for the test user.

Additional Information

In the above guide, we are using WSO2 IS 4.6.0. A drawback to this version is that the single logout does not work as they don't meet the SAML specification's found in section According to WSO2-JIRA Issue-Identity-1998, the issue should be resolved in 5.0

Starting from SAML 6.1.20+ plugin, it is possible to configure Liferay Portal as an SP in Control Panel.

0 人中有 0 人觉得有帮助