So how do you set up your Liferay server with an SSO connection to the WSO2 Identity Server (WSO2 IS)? First have a look at the setup below; from there on I will explain step by step how to do this.
To set up Single Sign On between Liferay and WSO2 we need the following software in place:
• WSO2 Identity Server 5.0.0 (or higher)
• Liferay EE 6.x (or higher)
Configure WSO2 Identity Server
On the Identity Server we first need to set our IDP name: click on “Resident Identity Provider” above the list of Identity Providers.
Open “SAML2 Web SSO Configuration” and give the default IDP a name. We used the name wso2idp.
We are now done configuring our default IDP. Liferay needs a screen name for every user, which we will fill with the username. We need to configure a small “trick” for this in our WSO2 IS. Go to claim management and edit the http://wso2.org/claims dialect.
Now edit the “IM” claim and set the Mapped Attribute to “userName”, or to “cn” if you are using an Active Directory as user store.
We are now ready to make a Service Provider for Liferay. Click on “Add” in the Service Providers page. We will create a Service Provider with the name “liferay”.
After clicking on Register, open the Service Provider and go to the “Claim Configuration” tab. Here we add the claims that will be sent in the SAML2 response.
Add the following claims:
• http://wso2.org/claims/IM
• http://wso2.org/claims/Lastname
• http://wso2.org/claims/Emailadres
• http://wso2.org/claims/givename
Update the Service Provider and open it again. Go to the “Inbound Authentication Configuration” tab and then the “SAML2 Web SSO Configuration” tab. We will create a new SAML2 SSO configuration here.
We need to add the following values in the SAML2 SSO configuration screen:
Assertion Consumer URL: This is the URL of your Liferay instance, http://<liferay-host>:<port>/c/portal/saml/acs (fill in your own host and port)
NameID format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
Enable Response Signing: Checked
Enable Assertion Signing: Checked
Enable Signature Validation: Checked
Certificate Alias: Select the certificate from the WSO2 keystore. In this example we use the default key “wso2carbon”
Enable Single Logout: Checked
Enable Attribute Profile: Checked
Click on Update. WSO2 Identity Server is now ready to receive SAML2 SSO calls from our Liferay instance.
Configure Liferay
Configuring Liferay is a bit harder than our configuration on the WSO2 Identity Server. In particular, there is not much documentation available for the SAML2 Liferay plugin. The plugin has some problems with the default HSQL database, so in this tutorial I used a MySQL database under Liferay.
We have to start off by downloading the SAML2 Liferay plugin: http://www.liferay.com/marketplace/-/mp/application/15188711
Add this plugin to your Liferay deploy folder; it will be deployed automatically. After this we have to create a portal-ext.properties file (if it does not already exist) and add the following configuration:
company.security.auth.type=screenName
saml.enabled=true
saml.role=sp
saml.entity.id=liferay
saml.metadata.paths=${liferay.home}/data/metadata.xml

#
# Keystore
#
saml.keystore.type=jks
saml.keystore.path=${liferay.home}/data/keystoresp.jks
saml.keystore.password=liferay
saml.keystore.credential.password[liferay]=liferay

#
# Service Provider
#
saml.sp.name.id.format=persistent
saml.sp.default.idp.entity.id=wso2idp
saml.sp.sign.authn.request=true
saml.sp.assertion.signature.required=false
saml.sp.clock.skew=3000
saml.sp.session.keepalive.url=https://localhost:9443/samlsso
In the Liferay data folder we need to create a metadata.xml file describing the IdP. At the moment WSO2 has no generator for this yet, so we write it by hand:
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="wso2idp"
    validUntil="2023-09-23T06:57:15.396Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIICNTCCAZ6gAwIBAgIES343
UzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxDTALBgNVBAoM
BFdTTzIxEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0xMDAyMTkwNzAyMjZaFw0zNTAy
MTMwNzAyMjZaMFUxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzENMAsGA1UECgwEV1NPMjESMBAGA1UEAwwJbG9jYWxob3N0
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCUp/oV1vWc8/TkQSiAvTousMzO
M4asB2iltr2QKozni5aVFu818MpOLZIr8LMnTzWllJvvaA5RAAdpbECb+48FjbBe
0hseUdN5HpwvnH/DW8ZccGvk53I6Orq7hLCv1ZHtuOCokghz/ATrhyPq+QktMfXn
RS4HrKGJTzxaCcU7OQIDAQABoxIwEDAOBgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcN
AQEFBQADgYEAW5wPR7cr1LAdq+IrR44iQlRG5ITCZXY9hI0PygLP2rHANh+PYfTm
xbuOnykNGyhM6FjFLbW2uZHQTY1jMrPprjOrmyK5sjJRO4d1DeGHT/YnIjs9JogR
Kv4XHECwLtIVdAbIdWHEtVZJyMSktcyysFcvuhPQK8Qc/E/Wq8uHSCo=</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://localhost:9443/samlsso"
        ResponseLocation="https://localhost:9443/samlsso"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://localhost:9443/samlsso"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://localhost:9443/samlsso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
Note that this is a local setup. Change localhost to the server IP.
After this, create a new keystore named “keystoresp.jks” in the Liferay data folder. Export the key pair from the WSO2 keystore and import it into our new keystore under the alias “liferay”, with the password “liferay” as well (this is the alias and password referenced by saml.keystore.credential.password[liferay] in portal-ext.properties). Save the keystore and restart Liferay.
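As an added sanity check (my own example, not code from the original post or from the Liferay SAML plugin), the script below cross-checks the portal-ext.properties and metadata.xml written above: the IdP entity ids agree, the key alias from saml.entity.id has a credential password, assertion signatures are required, the metadata has not expired, a signing certificate is present, and every IdP endpoint uses https. The function names are mine, the sample inputs are constructed, and the certificate value is a placeholder.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
FMT = "%Y-%m-%dT%H:%M:%S.%fZ"  # timestamp format of validUntil in the metadata

def parse_properties(text):
    """Minimal portal-ext.properties reader: key=value lines, '#' comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def check_sso_config(props_text, metadata_xml, now_iso):
    """Return a list of findings; an empty list means SP config and IdP metadata agree."""
    props, root, findings = parse_properties(props_text), ET.fromstring(metadata_xml), []
    if props.get("saml.sp.default.idp.entity.id") != root.get("entityID"):
        findings.append("saml.sp.default.idp.entity.id does not match the metadata entityID")
    # Liferay looks up the SP signing key under the alias equal to saml.entity.id.
    if "saml.keystore.credential.password[%s]" % props.get("saml.entity.id") not in props:
        findings.append("no keystore credential password for the saml.entity.id alias")
    # When false, Liferay does not require the assertion itself to be signed; the IdP signs it anyway.
    if props.get("saml.sp.assertion.signature.required") != "true":
        findings.append("saml.sp.assertion.signature.required is not true")
    valid_until = root.get("validUntil")
    if valid_until and datetime.strptime(valid_until, FMT) <= datetime.strptime(now_iso, FMT):
        findings.append("metadata validUntil has passed")
    if root.find(".//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is None:
        findings.append("no signing certificate in metadata")
    for svc in root.iterfind(".//md:IDPSSODescriptor/*", NS):  # SSO and SLO endpoints
        loc = svc.get("Location", "")
        if loc and not loc.startswith("https://"):
            findings.append(svc.tag.split("}")[1] + " endpoint is not https: " + loc)
    return findings

SAMPLE_PROPS = """saml.entity.id=liferay
saml.sp.default.idp.entity.id=wso2idp
saml.keystore.credential.password[liferay]=liferay
saml.sp.assertion.signature.required=false"""  # constructed sample input
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="wso2idp" validUntil="2023-09-23T06:57:15.396Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      PLACEHOLDER-BASE64-CERTIFICATE</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://192.0.2.10:9443/samlsso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""  # constructed; the certificate is a placeholder, not a real key
```

Run it against your real files by reading them into the two string arguments; the sample pair above deliberately reports three findings (unsigned assertions accepted, expired metadata, plain http endpoint).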
That’s it, you’re done.