
Creating Single Sign On between Liferay and WSO2 Identity Server

Thijs Volders
Strategic Technology Officer

So how do you set up your Liferay server with an SSO connection to the WSO2 Identity Server (WSO2 IS)? First have a look at the setup below; from there I will explain step by step how to do this.

WSO2 identity server setup for SSO connection

To set up Single Sign On between Liferay and WSO2 we need the following software in place:

• WSO2 Identity Server 5.0.0 (or higher)
• Liferay EE 6.x (or higher)

Configure WSO2 Identity Server

On the Identity Server we first need to set our IDP name: click on “Resident Identity Provider” above the list of Identity Providers.


Open “SAML2 Web SSO Configuration” and give the default IDP a name (its entity ID). We used the name wso2idp; Liferay will refer to the Identity Server by this value later on.


We are now done with the default IDP. Liferay identifies a user by screen name, which we will fill with the WSO2 username. This needs a small “trick” in WSO2 IS: go to Claim Management and open the http://wso2.org/claims dialect.

Edit the “IM” claim and set its Mapped Attribute to “userName”, or to “cn” if you are using Active Directory as the user store. The IM claim then simply carries the username that Liferay uses as the screen name.

Setting claim settings in WSO2 Identity Server

We are now ready to create a Service Provider for Liferay. Click on “Add” on the Service Providers page and create a Service Provider with the name “liferay”. This name is the entity ID that Liferay will present as its own, so it must match the saml.entity.id property configured on the Liferay side.


After clicking Register, open the Service Provider and go to the “Claim Configuration” tab. Here we add the claims that will be sent in the SAML2 response.

Add the following claims (these are the claim URIs of the default http://wso2.org/claims dialect):

• http://wso2.org/claims/im
• http://wso2.org/claims/lastname
• http://wso2.org/claims/emailaddress
• http://wso2.org/claims/givenname


Update the Service Provider and open it again. Go to the “Inbound Authentication Configuration” tab and then to the “SAML2 Web SSO Configuration” section, where we create a new SAML2 SSO configuration.


We need to enter the following values in the SAML2 SSO configuration screen:

• Assertion Consumer URL: the ACS URL of your Liferay instance, http://<liferay-host>:<port>/c/portal/saml/acs
• NameID format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
• Enable Response Signing: checked
• Enable Assertion Signing: checked
• Enable Signature Validation: checked (the Identity Server then verifies the signature on the requests Liferay sends)
• Certificate Alias: the certificate from the WSO2 keystore that is used for that validation; in this example we use the default key “wso2carbon”
• Enable Single Logout: checked
• Enable Attribute Profile: checked (without it the claims configured above are not included in the response)


Click on Update. WSO2 Identity server is now ready to receive SAML2 SSO calls from our Liferay instance.
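To see that the Identity Server really sends what was just configured, decode the SAMLResponse form field that the browser posts to Liferay's ACS URL and compare it with the settings above. The script below is an added example (it is not part of the original tutorial, nor code from WSO2 or Liferay). It performs exactly those structural checks: issuer wso2idp, a signed Response and a signed Assertion, a persistent NameID, audience liferay, the four WSO2 claim URIs, Destination and Recipient equal to the ACS URL, and the validity window with a 3 second clock skew. The ACS host liferay.example.test and the sample response it builds are assumptions, and it does not verify the XML signatures; that remains the job of the Liferay SAML plugin.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EXPECTED_ISSUER = "wso2idp"    # resident IdP name set in WSO2 IS
EXPECTED_AUDIENCE = "liferay"  # Service Provider name, i.e. Liferay's saml.entity.id
REQUIRED_ATTRIBUTES = {        # claims added on the SP's Claim Configuration tab
    "http://wso2.org/claims/im",
    "http://wso2.org/claims/lastname",
    "http://wso2.org/claims/emailaddress",
    "http://wso2.org/claims/givenname",
}
ACS_URL = "http://liferay.example.test:8080/c/portal/saml/acs"  # assumed Liferay ACS URL
SAMPLE_NOW = datetime(2015, 2, 19, 10, 0, 30, tzinfo=timezone.utc)  # "now" used by the sample


def _ts(value):
    """Parse a SAML UTC timestamp such as 2015-02-19T10:00:00.000Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def inspect_response(saml_response_b64, acs_url, now=None, clock_skew=timedelta(seconds=3)):
    """Structural checks only (no XML-DSig verification). Empty list = response matches the SP config."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["not a samlp:Response: " + root.tag]
    findings = []
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        findings.append("status is not Success")
    if root.findtext("saml:Issuer", default="", namespaces=NS) != EXPECTED_ISSUER:
        findings.append("Response issuer is not " + EXPECTED_ISSUER)
    if root.get("Destination") != acs_url:
        findings.append("Destination does not match the ACS URL")
    if root.find("ds:Signature", NS) is None:  # "Enable Response Signing" in WSO2 IS
        findings.append("Response is not signed")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("no plain saml:Assertion (missing or encrypted)")
        return findings
    if assertion.find("ds:Signature", NS) is None:  # "Enable Assertion Signing" in WSO2 IS
        findings.append("Assertion is not signed")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        findings.append("NameID format is not persistent")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        findings.append("SubjectConfirmationData Recipient does not match the ACS URL")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        findings.append("Assertion has no Conditions")
    else:
        not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
        if not_before and now + clock_skew < _ts(not_before):
            findings.append("Assertion is not yet valid")
        if not_on_or_after and now - clock_skew >= _ts(not_on_or_after):
            findings.append("Assertion has expired")
        audience = conditions.findtext("saml:AudienceRestriction/saml:Audience", default="", namespaces=NS)
        if audience != EXPECTED_AUDIENCE:
            findings.append("Audience is not " + EXPECTED_AUDIENCE)
    names = {a.get("Name") for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    missing = REQUIRED_ATTRIBUTES - names
    if missing:
        findings.append("missing attributes: " + ", ".join(sorted(missing)))
    return findings


# Constructed sample shaped like a WSO2 IS response; the ds:Signature elements are placeholders,
# a real response carries complete XML-DSig signatures there.
_SIG = "<ds:Signature><ds:SignedInfo/><ds:SignatureValue>...</ds:SignatureValue></ds:Signature>"


def sample_response(sign_assertion=True):
    """Base64 SAMLResponse as it would arrive in the POST form field at the ACS URL."""
    xml = (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" ID="_r1" Version="2.0" '
        'IssueInstant="2015-02-19T10:00:00.000Z" Destination="%s">' % (NS["samlp"], NS["saml"], NS["ds"], ACS_URL)
        + "<saml:Issuer>wso2idp</saml:Issuer>" + _SIG
        + '<samlp:Status><samlp:StatusCode Value="%s"/></samlp:Status>' % SUCCESS
        + '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-02-19T10:00:00.000Z">'
        + "<saml:Issuer>wso2idp</saml:Issuer>" + (_SIG if sign_assertion else "")
        + '<saml:Subject><saml:NameID Format="%s">alice</saml:NameID>' % PERSISTENT
        + '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        + '<saml:SubjectConfirmationData NotOnOrAfter="2015-02-19T10:05:00.000Z" Recipient="%s"/>' % ACS_URL
        + "</saml:SubjectConfirmation></saml:Subject>"
        + '<saml:Conditions NotBefore="2015-02-19T09:59:55.000Z" NotOnOrAfter="2015-02-19T10:05:00.000Z">'
        + "<saml:AudienceRestriction><saml:Audience>liferay</saml:Audience></saml:AudienceRestriction>"
        + "</saml:Conditions><saml:AttributeStatement>"
        + "".join('<saml:Attribute Name="%s"><saml:AttributeValue>x</saml:AttributeValue></saml:Attribute>' % n
                  for n in sorted(REQUIRED_ATTRIBUTES))
        + "</saml:AttributeStatement></saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()
```

Paste the real base64 value from the browser into inspect_response() together with your own ACS URL; every line it returns is a mismatch between the Service Provider configuration in WSO2 IS and what Liferay will actually receive, which is much quicker to read than the Liferay plugin's log output.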

Configure Liferay

Configuring Liferay is a bit harder than the configuration on the WSO2 Identity Server, mainly because there is not much documentation on the Liferay SAML2 plugin. The plugin also has some problems with Liferay's default HSQL database, so in this tutorial I used a MySQL database under Liferay.

We have to start off by downloading the SAML2 Liferay plugin: http://www.liferay.com/marketplace/-/mp/application/15188711

Copy this plugin into your Liferay deploy folder; it is deployed automatically. Then create a portal-ext.properties (if it does not exist yet) and add the following configuration:

# Liferay identifies users by screen name; the IM claim mapped above supplies it
company.security.auth.type=screenName
saml.enabled=true
saml.role=sp
# Must match the Service Provider name registered in WSO2 IS
saml.entity.id=liferay
saml.metadata.paths=${liferay.home}/data/metadata.xml
# # Keystore #
saml.keystore.type=jks
saml.keystore.path=${liferay.home}/data/keystoresp.jks
saml.keystore.password=liferay
saml.keystore.credential.password[liferay]=liferay
# # Service Provider #
saml.sp.name.id.format=persistent
# Must match the name given to the resident IDP in WSO2 IS
saml.sp.default.idp.entity.id=wso2idp
saml.sp.sign.authn.request=true
# WSO2 IS is configured above to sign assertions, so this can be set to true
saml.sp.assertion.signature.required=false
# Allowed clock difference with the IdP, in milliseconds
saml.sp.clock.skew=3000
saml.sp.session.keepalive.url=https://localhost:9443/samlsso

In Liferay's data folder we need to create a metadata.xml file that describes the Identity Server. At the time of writing WSO2 IS has no generator for this, so it is written by hand:

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="wso2idp"
    validUntil="2023-09-23T06:57:15.396Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <!-- base64 body of the wso2carbon certificate (PEM without header/footer); truncated here -->
          <ds:X509Certificate>MIICNTCCAZ6gAwIBAgIES343gjANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJV...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://localhost:9443/samlsso"
        ResponseLocation="https://localhost:9443/samlsso"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://localhost:9443/samlsso"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://localhost:9443/samlsso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>

Note that this is a local setup: change localhost to the host name of your Identity Server in all endpoints (and in saml.sp.session.keepalive.url), and keep validUntil at a date in the future, because the metadata is no longer valid after that timestamp.

After this, create a new keystore named “keystoresp.jks” in Liferay's data folder. Export the key pair from the WSO2 keystore and import it into the new keystore under the alias “liferay”, with the password “liferay” for both the keystore and the key (these are the values referenced in portal-ext.properties). Save the keystore and restart Liferay. Be aware that this reuses the Identity Server's private key on the Liferay side, which is acceptable for a local test but not for production: there the Service Provider should get its own key pair, and only its certificate is imported into the WSO2 keystore and selected as the Certificate Alias in the Service Provider configuration.
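Because the entity IDs, endpoints, certificate and keystore settings are spread over two hand-edited files, it pays to check them against each other before restarting Liferay, and again when the setup is promoted from localhost to a real host. The script below is an added example, not part of the tutorial nor of the Liferay plugin. It reads portal-ext.properties and metadata.xml and reports the mismatches and lab shortcuts a reviewer would flag: an IdP entity ID that differs between the two files, expired metadata, IdP endpoints on plain http or a loopback host, a signing certificate that does not decode as base64 DER (for instance because a line was lost while pasting), assertion signatures not required although the IdP signs them, and the tutorial's keystore password. The host idp.example.test, the replacement keystore password and the stand-in certificate bytes are assumptions.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
LOOPBACK = {"localhost", "127.0.0.1", "::1"}
SAMPLE_NOW = datetime(2015, 2, 19, tzinfo=timezone.utc)  # fixed "now" used by the samples below


def parse_properties(text):
    """Minimal key=value parser for portal-ext.properties (comments skipped, no continuation lines)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def check_sso_config(properties_text, metadata_xml, now=None):
    """Return a list of findings; an empty list means the files agree and no lab shortcut is left."""
    now = now or datetime.now(timezone.utc)
    props = parse_properties(properties_text)
    root = ET.fromstring(metadata_xml)
    findings = []
    # Liferay must be told the entity ID that the metadata actually describes.
    if props.get("saml.sp.default.idp.entity.id") != root.get("entityID"):
        findings.append("saml.sp.default.idp.entity.id does not match metadata entityID")
    # Metadata is only usable until validUntil.
    valid_until = root.get("validUntil")
    if valid_until and datetime.fromisoformat(valid_until.replace("Z", "+00:00")) <= now:
        findings.append("metadata validUntil is in the past")
    # Every SSO/SLO endpoint (Location and ResponseLocation) must be https and not a loopback host.
    endpoints = set()
    for el in root.iter():
        if el.tag.endswith("}SingleSignOnService") or el.tag.endswith("}SingleLogoutService"):
            endpoints.update(u for u in (el.get("Location"), el.get("ResponseLocation")) if u)
    for url in sorted(endpoints):
        if urlparse(url).scheme != "https":
            findings.append("IdP endpoint is not https: " + url)
        if urlparse(url).hostname in LOOPBACK:
            findings.append("IdP endpoint points at a loopback host: " + url)
    # The signing certificate must be valid base64 DER; a "..." or a dropped line breaks it.
    cert = root.findtext("md:IDPSSODescriptor/md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
                         default="", namespaces=NS)
    try:
        der = base64.b64decode("".join(cert.split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError
        der = b""
    if not der.startswith(b"\x30"):  # every DER certificate starts with a SEQUENCE tag
        findings.append("signing certificate in metadata is not valid base64 DER")
    # SP-side settings that are weaker than what the IdP configuration supports.
    if props.get("saml.sp.assertion.signature.required", "false").lower() != "true":
        findings.append("saml.sp.assertion.signature.required is not true although the IdP signs assertions")
    if props.get("saml.sp.sign.authn.request", "false").lower() != "true":
        findings.append("saml.sp.sign.authn.request is not true")
    if urlparse(props.get("saml.sp.session.keepalive.url", "")).hostname in LOOPBACK:
        findings.append("saml.sp.session.keepalive.url points at a loopback host")
    if props.get("saml.keystore.password") in ("liferay", "changeit", ""):
        findings.append("saml.keystore.password is a default/example value")
    return findings


# The SAML lines from the tutorial's portal-ext.properties.
TUTORIAL_PROPERTIES = """\
saml.enabled=true
saml.role=sp
saml.entity.id=liferay
saml.keystore.password=liferay
saml.keystore.credential.password[liferay]=liferay
saml.sp.default.idp.entity.id=wso2idp
saml.sp.sign.authn.request=true
saml.sp.assertion.signature.required=false
saml.sp.session.keepalive.url=https://localhost:9443/samlsso
"""
# Constructed stand-in for the certificate: a few DER-looking bytes, not a real X.509 certificate.
FAKE_CERT_B64 = base64.b64encode(b"\x30\x82\x02\x35\x30\x82\x01\x9e" + b"\x00" * 8).decode()


def sample_metadata(host="localhost", cert_b64=FAKE_CERT_B64, valid_until="2023-09-23T06:57:15.396Z"):
    """Constructed IdP metadata with the same shape and endpoints as the tutorial's metadata.xml."""
    sso = "https://%s:9443/samlsso" % host
    return (
        '<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" entityID="wso2idp" validUntil="%s">'
        '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s'
        "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        '<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" '
        'Location="%s" ResponseLocation="%s"/>'
        '<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="%s"/>'
        '<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="%s"/>'
        "</md:IDPSSODescriptor></md:EntityDescriptor>"
        % (NS["md"], NS["ds"], valid_until, cert_b64, sso, sso, sso, sso)
    )


def hardened_properties(idp_host="idp.example.test", keystore_password="change-me-before-go-live"):
    """The tutorial properties with the lab shortcuts removed (host and password are assumed values)."""
    return (TUTORIAL_PROPERTIES
            .replace("saml.sp.assertion.signature.required=false", "saml.sp.assertion.signature.required=true")
            .replace("https://localhost:9443/samlsso", "https://%s:9443/samlsso" % idp_host)
            .replace("saml.keystore.password=liferay", "saml.keystore.password=" + keystore_password))
```

Run check_sso_config() on the real files (read them from ${liferay.home}/data) before the restart; on the tutorial values as written it reports the loopback endpoints, the unrequired assertion signature and the keystore password, and returns an empty list once those are fixed.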


That’s it, you’re done.
