SSO implementation in Liferay 6.1 using SAML 2.0
The following sections describes a step by step approach of implementing single sign on in Liferay using SAML 2.0.Introduction:
SAML is a set of standards for communicating information on user authentication, entitlement, and attributes - SAML enables sharing of information about who a user is, what his set of attributes are, and gives you a way to grant/deny access to something or even request authentication. It’s an XML-based framework for exchanging security information.Liferay 6.1 Enterprise Edition (EE) now comes with SAML Support. In Liferay, SAML needs to be configured with one Liferay instance set up as an Identity Provider (IDP) and another Liferay instance as Service Provider
The below figure illustrate the use case that is considered in this post for configuring one instance of Liferay as the Identity Provider (IdP) and another Liferay instance as Service Provider (SP)
Setting up Liferay 6.1 EE as an Identity Provider
1. Create a folder called SAML-DEMO and two sub folders idp-bundle and sp-bundle.
2. IdP instance is placed under idp-bundle folder and SP instance under sp-bundle folder.
3. Extract the Liferay 6.1.10 EE ga1 tomcat bundle to idp-bundle
4. IdP instance will be running on port 8080.
For signing the SAML messages IdP needs to have private and public keys.
5. Create keystore with keytool that is available with JDK. The keystore is created in idp-bundle/data/keystore.jks
C:\Program Files\Java\jre6\bin>keytool -genkeypair -alias samlidpdemo -keyalg RSA -keysize 2048 -keypass password -storepass password -keystore data/keystore.jks
Note: After executing the above command it will prompt for following information and it needs to be provided while creating the keystore. In this case I have created the keystore named “keystore” in the location idp-bundle/data/keystore.jks, which is a default location for SAML message for finding keys while signing the message.
6. Add the SAML configuration to portal-ext.properties
saml.enabled=true
saml.role=idp
saml.entity.id=samlidpdemo
saml.require.ssl=false
saml.sign.metadata=true
saml.idp.authn.request.signature.required=true
saml.keystore.path=${liferay.home}/data/keystore.jks
saml.keystore.password=password
saml.keystore.type=jks
saml.keystore.credential.password[samlidpdemo]=password
Here entity id is the alias of the keystore that you created in the previous step.
7. Deploy the SAML plugin using hot deploy. Copy into idp-bundle/deploy folder
8. Start the Liferay server and look for the saml-portlet to be deployed and available.
9. Open http://localhost:8080/c/portal/saml/metadata. If you have configured everything correctly you should see the IdP metadata similar to this.
Setting up Liferay 6.1 EE as a Service Provider
2. If two Liferay instances are running on the same machine, port number needs to be changed of the SP server. To do that, the following steps need to be performed
a. Go to <<Tomcat Installation Folder>>/conf and locate server.xml
b. Change server, HTTP and AJP default ports
i. <Server port="8005" shutdown="SHUTDOWN"> to <Server port="8006" shutdown="SHUTDOWN">
ii. <Connector port="8080" protocol="HTTP/1.1" to <Connector port="8081" protocol="HTTP/1.1"
iii.<Connector port="8009" protocol="AJP/1.3" to <Connector port="8010" protocol="AJP/1.3"
3. Create the keystore using java key tool along with the public and private keys.
C:\Program Files\Java\jre6\bin>keytool -genkeypair -alias samlspdemo -keyalg RSA -keysize 2048 -keypass password -keystore data/keystoresp.jks
saml.enabled=true
saml.role=sp
saml.entity.id=samlspdemo
saml.metadata.paths=http://localhost:8080/c/portal/saml/metadata
# # Keystore #
saml.keystore.type=jks
saml.keystore.path=${liferay.home}/data/keystoresp.jks
saml.keystore.password=password
saml.keystore.credential.password[samlspdemo]=password
# # Service Provider #
saml.sp.default.idp.entity.id=samlidpdemo
saml.sp.sign.authn.request=true
saml.sp.assertion.signature.required=false
saml.sp.clock.skew=3000
saml.sp.session.keepalive.url=http://localhost:8080/c/portal/saml/idp/keepalive
saml.sp.user.attribute.mappings=
5. Deploy the SAML plugin using hot deploy. Copy into sp-bundle/deploy folder
6. Start the Liferay server and look for the saml-portlet to be deployed and available.
7. Open the SAML SP metadata by entering the url http://localhost:8081/c/portal/saml/metadata and you should see the following XML, which means that the SP is configured correctly. Here is the SP metadata.xml that is generated at Service Provider instance.
8. Copy it to a notepad and save it as local-sp-metadata.xml in the IdP instance under data/saml
9. Now modified the IdP instance portal-ext.properties to let it know about the SP. So added the below properties
saml.metadata.paths=${liferay.home}/data/saml/local-sp-metadata.xml
saml.idp.enabled=true
saml.idp.authn.request.signature.required=true
saml.idp.entity.id=samlidpdemo
saml.idp.session.timeout=3600
saml.idp.session.max.age=0
saml.idp.assertion.lifetime=36000
saml.idp.metadata.attributes.enabled=true
saml.idp.metadata.attributes.enabled[samlspdemo]=true
saml.idp.metadata.attribute.names[samlspdemo]=screenName,firstName,lastName,emailAddress,uuid
saml.idp.metadata.session.keepalive.url[samlspdemo]=http://localhost:8081/c/portal/saml/sp/keepalive
10. Restart both IdP and SP instances.
11. Now go to SP Instance http://localhost:8081 and click on the Sign In at the top right corner. You should be directed to idP instance http://localhost:8080 for authentication.
12. Enter your credentials (in the IdP instance) it will direct to the SP Instance.
brillant piece of information, I had come to know about your web-page from my friend hardkik, chennai,i have read atleast 9 posts of yours by now, and let me tell you, your webpage gives the best and the most interesting information. This is just the kind of information that i had been looking for, i'm already your rss reader now and i would regularly watch out for the new posts, once again hats off to you! Thanx a million once again, Regards, liferay training in hyderabad
ReplyDeleteThanks for your comment
DeleteGood article on single sign on Liferay with SAMl,Keep writing....
ReplyDelete