Implementing Single sign on inLiferay using SAML

SSO implementation in Liferay 6.1 using SAML 2.0

The following sections describes a step by step approach of implementing single sign on in Liferay using SAML 2.0.

Introduction:

SAML is a set of standards for communicating information on user authentication, entitlement, and attributes - SAML enables sharing of information about who a user is, what his set of attributes are, and gives you a way to grant/deny access to something or even request authentication. It’s an XML-based framework for exchanging security information.

Liferay 6.1 Enterprise Edition (EE) now comes with SAML Support. In Liferay, SAML needs to be configured with one Liferay instance set up as an Identity Provider (IDP) and another Liferay instance as Service Provider
The below figure illustrate the use case that is considered in this post for configuring one instance of Liferay as the Identity Provider (IdP) and another Liferay instance as Service Provider (SP)

Following are the steps need to be followed to configure SAML in Liferay

Setting up Liferay 6.1 EE as an Identity Provider

1. Create a folder called SAML-DEMO and two sub folders idp-bundle and sp-bundle.

2. IdP instance is placed under idp-bundle folder and SP instance under sp-bundle folder.

3. Extract the Liferay 6.1.10 EE ga1 tomcat bundle to idp-bundle

4. IdP instance will be running on port 8080.

For signing the SAML messages IdP needs to have private and public keys.

5. Create keystore with keytool that is available with JDK. The keystore is created in idp-bundle/data/keystore.jks

C:\Program Files\Java\jre6\bin>keytool -genkeypair -alias samlidpdemo -keyalg RSA -keysize 2048 -keypass password -storepass password -keystore data/keystore.jks

Note: After executing the above command it will prompt for following information and it needs to be provided while creating the keystore. In this case I have created the keystore named “keystore” in the location idp-bundle/data/keystore.jks, which is a default location for SAML message for finding keys while signing the message.

6. Add the SAML configuration to portal-ext.properties

saml.enabled=true

saml.role=idp

saml.entity.id=samlidpdemo

saml.require.ssl=false

saml.sign.metadata=true

saml.idp.authn.request.signature.required=true

saml.keystore.path=${liferay.home}/data/keystore.jks

saml.keystore.password=password

saml.keystore.type=jks

saml.keystore.credential.password[samlidpdemo]=password

Here entity id is the alias of the keystore that you created in the previous step.

7. Deploy the SAML plugin using hot deploy. Copy into idp-bundle/deploy folder

8. Start the Liferay server and look for the saml-portlet to be deployed and available.

9. Open http://localhost:8080/c/portal/saml/metadata. If you have configured everything correctly you should see the IdP metadata similar to this.

Setting up Liferay 6.1 EE as a Service Provider

1. Extract the Liferay 6.1.10 EE ga1 tomcat bundle to sp-bundle

2. If two Liferay instances are running on the same machine, port number needs to be changed of the     SP server. To do that, the following steps need to be performed

    a. Go to <<Tomcat Installation Folder>>/conf and locate server.xml
 
    b. Change server, HTTP and AJP default ports

        i. <Server port="8005" shutdown="SHUTDOWN"> to <Server port="8006"                                               shutdown="SHUTDOWN">

        ii. <Connector port="8080" protocol="HTTP/1.1" to  <Connector port="8081"                                            protocol="HTTP/1.1"

        iii.<Connector port="8009" protocol="AJP/1.3" to <Connector port="8010" protocol="AJP/1.3"

3. Create the keystore using java key tool along with the public and private keys.

C:\Program Files\Java\jre6\bin>keytool -genkeypair -alias samlspdemo -keyalg RSA -keysize 2048 -keypass password -keystore data/keystoresp.jks

4. Add the following SAML SP properties to the portal-ext.properties

saml.enabled=true
saml.role=sp 
saml.entity.id=samlspdemo 
saml.metadata.paths=http://localhost:8080/c/portal/saml/metadata
# # Keystore #
saml.keystore.type=jks 
saml.keystore.path=${liferay.home}/data/keystoresp.jks 
saml.keystore.password=password 
saml.keystore.credential.password[samlspdemo]=password 
# # Service Provider #
saml.sp.default.idp.entity.id=samlidpdemo 
saml.sp.sign.authn.request=true 
saml.sp.assertion.signature.required=false 
saml.sp.clock.skew=3000 
saml.sp.session.keepalive.url=http://localhost:8080/c/portal/saml/idp/keepalive 
saml.sp.user.attribute.mappings=

5. Deploy the SAML plugin using hot deploy. Copy into sp-bundle/deploy folder

6. Start the Liferay server and look for the saml-portlet to be deployed and available.

7. Open the SAML SP metadata by entering the url http://localhost:8081/c/portal/saml/metadata and you should see the following XML, which means that the SP is configured correctly. Here is the SP metadata.xml that is generated at Service Provider instance.

8. Copy it to a notepad and save it as local-sp-metadata.xml in the IdP instance under data/saml

9. Now modified the IdP instance portal-ext.properties to let it know about the SP. So added the below properties
saml.metadata.paths=${liferay.home}/data/saml/local-sp-metadata.xml
saml.idp.enabled=true
saml.idp.authn.request.signature.required=true
saml.idp.entity.id=samlidpdemo
saml.idp.session.timeout=3600
saml.idp.session.max.age=0
saml.idp.assertion.lifetime=36000
saml.idp.metadata.attributes.enabled=true
saml.idp.metadata.attributes.enabled[samlspdemo]=true
saml.idp.metadata.attribute.names[samlspdemo]=screenName,firstName,lastName,emailAddress,uuid
saml.idp.metadata.session.keepalive.url[samlspdemo]=http://localhost:8081/c/portal/saml/sp/keepalive

10. Restart both IdP and SP instances.

11. Now go to SP Instance http://localhost:8081 and click on the Sign In at the top right corner. You should be directed to idP instance http://localhost:8080 for authentication.

12. Enter your credentials (in the IdP instance) it will direct to the SP Instance.