So how do you set up your Liferay server with an SSO connection to the WSO2 Identity Server (WSO2 IS)? First have a look at the setup below; from there on I will explain step by step how to do this.
To set up Single Sign On between Liferay and WSO2 we need the following software in place:
• WSO2 Identity Server 5.0.0 (or higher)
• Liferay EE 6.x (or higher)
Configure WSO2 Identity Server
On the Identity Server we first need to set our IDP name: click on “Resident Identity Provider” above the list of Identity Providers.

Open “SAML2 Web SSO Configuration” and give the default IDP a name. We used the name wso2idp.

We are now done configuring our default IDP. Liferay requires a screen name for every user, which we will fill with the username. We need to configure a small “trick” for this in our WSO2 IS. Go to claim management and edit the http://wso2.org/claims dialect.
Now edit the “IM” claim and set the Mapped Attribute to “userName” or to “cn” if you are using an Active Directory as user store.

We are now ready to make a Service Provider for Liferay. Click on “Add” in the Service Providers page. We will create a Service Provider with the name “liferay”.

After clicking on Register, open the Service Provider and go to the “Claim Configuration” tab. Here we add the claims that will be sent in the SAML2 response.
Add the following claims:
• http://wso2.org/claims/IM
• http://wso2.org/claims/Lastname
• http://wso2.org/claims/Emailadres
• http://wso2.org/claims/givename

Update the Service Provider and open it again. Go to the “Inbound Authentication Configuration” tab and then the “SAML2 Web SSO Configuration” tab. We will create a new SAML2 SSO configuration here.

We need to add the following values in the SAML2 SSO configuration screen:
Assertion Consumer URL: This is the URL of your Liferay instance, http://<liferay-host>:<port>/c/portal/saml/acs
NameID format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
Enable Response Signing: Checked
Enable Assertion Signing: Checked
Enable Signature validation: Checked
Certificate Alias: Select the certificate from the WSO2 keystore. In this example we use the default key “wso2carbon”
Enable Single Logout: Checked
Enable Attribute Profile: Checked

Click on Update. WSO2 Identity server is now ready to receive SAML2 SSO calls from our Liferay instance.
Configure Liferay
Configuring Liferay is a bit harder than our configuration on the WSO2 Identity Server, in particular because there is little documentation available on the SAML2 Liferay plugin. The plugin has some problems with the default HSQL database. In this tutorial I used a MySQL database under Liferay.
We have to start off by downloading the SAML2 Liferay plugin: http://www.liferay.com/marketplace/-/mp/application/15188711
Add this plugin to your Liferay deploy folder; it will be deployed automatically. After this we have to create a portal-ext.properties file (if it does not already exist) and add the following configuration:
company.security.auth.type=screenName
saml.enabled=true
saml.role=sp
saml.entity.id=liferay
saml.metadata.paths=${liferay.home}/data/metadata.xml
#
# Keystore
#
saml.keystore.type=jks
saml.keystore.path=${liferay.home}/data/keystoresp.jks
saml.keystore.password=liferay
saml.keystore.credential.password[liferay]=liferay
#
# Service Provider
#
saml.sp.name.id.format=persistent
saml.sp.default.idp.entity.id=wso2idp
saml.sp.sign.authn.request=true
saml.sp.assertion.signature.required=false
saml.sp.clock.skew=3000
saml.sp.session.keepalive.url=https://localhost:9443/samlsso
In Liferay's data folder we need to create a metadata.xml file describing the IdP. At the time of writing WSO2 IS cannot generate this file for you, so create it by hand; paste the base64 body of the WSO2 IS signing certificate (the wso2carbon key selected above) into the X509Certificate element.
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="wso2idp"
    validUntil="2023-09-23T06:57:15.396Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>BASE64_CERTIFICATE_OF_THE_WSO2CARBON_KEY</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://localhost:9443/samlsso"
        ResponseLocation="https://localhost:9443/samlsso"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://localhost:9443/samlsso"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://localhost:9443/samlsso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
Note that this is a local setup. Change localhost to the server IP.
After this, create a new keystore named “keystoresp.jks” in Liferay's data folder. Export the key pair from the WSO2 keystore and import it into our new keystore under the alias “liferay”, using “liferay” as the password as well (these values match saml.keystore.password and saml.keystore.credential.password[liferay] in portal-ext.properties). Save the keystore and restart Liferay.
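Most SSO failures at this point come from the two hand-written files disagreeing with each other or with the WSO2 side (a mistyped IdP entity id, expired metadata, a missing keystore credential entry). The script below is an added example, not part of this tutorial or of the Liferay or WSO2 projects: it reads portal-ext.properties and metadata.xml as strings and reports every mismatch it can detect. The embedded sample contents are constructed copies of the listings above with a placeholder certificate body, and the check names are my own. It also flags saml.sp.assertion.signature.required=false: the IdP is configured above to sign assertions, so requiring that signature on the Liferay side costs nothing and stops an unsigned assertion from being accepted.

```python
"""Consistency checks for a Liferay SAML SP config against its IdP metadata.
Added example (not Liferay or WSO2 code); samples below are constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: the portal-ext.properties listing from the tutorial.
SAMPLE_PROPERTIES = """\
company.security.auth.type=screenName
saml.enabled=true
saml.role=sp
saml.entity.id=liferay
saml.metadata.paths=${liferay.home}/data/metadata.xml
saml.keystore.type=jks
saml.keystore.path=${liferay.home}/data/keystoresp.jks
saml.keystore.password=liferay
saml.keystore.credential.password[liferay]=liferay
saml.sp.name.id.format=persistent
saml.sp.default.idp.entity.id=wso2idp
saml.sp.sign.authn.request=true
saml.sp.assertion.signature.required=false
saml.sp.clock.skew=3000
saml.sp.session.keepalive.url=https://localhost:9443/samlsso
"""

# Constructed sample: the IdP metadata from the tutorial, certificate body is a placeholder.
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="wso2idp" validUntil="2023-09-23T06:57:15.396Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-BASE64-CERTIFICATE</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://localhost:9443/samlsso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://localhost:9443/samlsso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_properties(text):
    """Minimal Java .properties parser: key=value lines, '#' comments, blank lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def _saml_time(value):
    """xs:dateTime as WSO2 IS writes it, e.g. 2023-09-23T06:57:15.396Z (UTC)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def check_sp_config(properties_text, metadata_text, now_iso=None):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    props = parse_properties(properties_text)
    root = ET.fromstring(metadata_text)
    now = _saml_time(now_iso) if now_iso else datetime.now(timezone.utc)

    # The IdP entityID in metadata.xml must equal saml.sp.default.idp.entity.id.
    idp_entity = root.get("entityID")
    if props.get("saml.sp.default.idp.entity.id") != idp_entity:
        findings.append(f"saml.sp.default.idp.entity.id does not match metadata entityID {idp_entity!r}")

    # Expired metadata: the plugin will refuse the IdP once validUntil has passed.
    valid_until = root.get("validUntil")
    if valid_until and _saml_time(valid_until) <= now:
        findings.append(f"metadata validUntil {valid_until} has passed")

    # Without an IdP signing certificate no response or assertion can be verified.
    cert = root.find("md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']"
                     "/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not (cert.text or "").strip():
        findings.append("metadata has no signing certificate for the IdP")

    # The keepalive URL should be one of the IdP's SingleSignOnService endpoints.
    sso_locations = {e.get("Location")
                     for e in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS)}
    if props.get("saml.sp.session.keepalive.url") not in sso_locations:
        findings.append("saml.sp.session.keepalive.url is not an SSO endpoint of the IdP")

    # The SP signs its AuthnRequest with the key whose alias is saml.entity.id.
    entity = props.get("saml.entity.id", "")
    if f"saml.keystore.credential.password[{entity}]" not in props:
        findings.append(f"no saml.keystore.credential.password[{entity}] entry for the SP key")

    # The IdP signs assertions (see its SAML2 SSO configuration), so require that.
    if props.get("saml.sp.assertion.signature.required", "false").lower() != "true":
        findings.append("saml.sp.assertion.signature.required is not true: unsigned assertions "
                        "would be accepted even though the IdP signs them")
    return findings


if __name__ == "__main__":
    for finding in check_sp_config(SAMPLE_PROPERTIES, SAMPLE_METADATA) or ["no findings"]:
        print(finding)
```

To run it against a real installation, read the two files from ${liferay.home} and ${liferay.home}/data and pass their contents to check_sp_config; with the tutorial's own values, run after 2023-09-23, the expired validUntil and the assertion-signature setting are the two findings.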

That’s it, you’re done.
