Using SSO with DXP Cloud
Customers may use their SAML 2.0-compliant Single Sign-On Identity Provider to authenticate Users to the DXP Cloud platform. This document details the process for enabling this integration.
SAML-based SSO involves three parties: the Client (the user's browser), the Service Provider (SP), and the Identity Provider (IdP). When the client tries to sign in to the Service Provider, the Service Provider redirects the client to the Identity Provider with a SAML Authentication Request. Once the Identity Provider has authenticated the user, it issues a signed SAML assertion about that user, which the client's browser delivers back to the Service Provider. The Service Provider trusts the assertion because it can verify the IdP's signature; the user's password is only ever entered at the Identity Provider and is never shared with the Service Provider.
In this scenario, DXP Cloud is the Service Provider, the customer user logging in to DXP Cloud is the client, and the Identity Provider is an enterprise directory solution (such as ADFS) managed by the customer.
Enabling SSO for a DXP Cloud Project
To enable SSO for your DXP Cloud project the following steps need to be taken:
Provide Identity Provider Metadata to the DXP Cloud Team
Clients who wish to enable SSO for their DXP Cloud project will need to provide their IdP system's metadata, which must include the following information:

| Setting | Description |
| --- | --- |
| IdP Issuer | The name of the identity issuer; usually the |
| IdP Single Sign-On URL | Request endpoint that receives the SAML Authentication Request (example: http://adfs.customer.com/saml/sso) |
| IdP Signature Certificate | Public key certificate of the IdP, used to verify the SAML message and assertion signatures |
| IdP Single Sign-On HTTP Method (Request Binding) | The HTTP method supported by the customer's Identity Provider to receive the Authentication Requests; the only valid answers are |
| Sign Requests | Set to |
| Request Signature Algorithm (RSA) | If the |

Use an HTTPS address for the Single Sign-On URL in production: the browser is redirected to this endpoint and the user's IdP login takes place there, so a plain-http endpoint exposes the login and the IdP session to interception. The signature certificate is what allows DXP Cloud to verify that an assertion really came from your IdP, so send it through the support ticket rather than through an untrusted channel, and be prepared to confirm its fingerprint with the DXP Cloud team.
Clients using Microsoft ADFS should pay attention to the following settings, which are required to set up SSO using SAML:

| Setting | Location in ADFS |
| --- | --- |
| IdP Issuer URI | Located in the General tab's Federation Service identifier; the default value is http://domain/adfs/services/trust |
| IdP Single Sign-On URL | Default setting is |
| IdP Signing Certificate | A DER-encoded binary X.509 certificate file (the ADFS token-signing certificate) |
Once the IdP metadata has been generated, open a ticket with the DXP Cloud team. IdP metadata can be transmitted either as an XML file or as a URL endpoint (https://localhost:8080/c/saml/metadata shows the general form; the real endpoint must be reachable by the DXP Cloud team, so a localhost address will not work). ADFS publishes its metadata at https://<federation-service-host>/FederationMetadata/2007-06/FederationMetadata.xml. If you share a URL, it should be served over HTTPS so that the signing certificate inside the metadata cannot be swapped in transit.
DXP Cloud Team Imports Provided IdP Data and Provides Service Provider Metadata
The DXP Cloud team imports the IdP metadata and then provides the following SP metadata values to the client:

| Setting | Description |
| --- | --- |
| Assertion Consumer Service (ACS) URL | The endpoint at which DXP Cloud receives the SAML Response. This will always be an address served from https://auth.liferay.cloud |
| Audience URL | The Service Provider Entity ID of DXP Cloud. The IdP must place this value in the assertion's Audience restriction, which is what prevents an assertion issued for some other service from being accepted by DXP Cloud |
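The following Python script is an added example and is not part of Liferay's documentation or DXP Cloud's own code. It does two things a practitioner typically wants at this point: it pulls the IdP Issuer, the Single Sign-On URL per binding, the Sign Requests flag and a SHA-256 fingerprint of the signing certificate out of an IdP metadata file (the values in the IdP metadata table), and it checks a SAML Response against the SP values from the table above, rejecting a response whose Destination is not the ACS URL or whose Audience is not DXP Cloud's Entity ID, or one replayed after its expiry. All hostnames, the certificate, the ACS path `https://auth.liferay.cloud/saml/acs` and the Entity ID `https://auth.liferay.cloud/saml/metadata` are constructed assumptions, not documented values, and XML signature verification is assumed to have been done beforehand by the SP's SAML library.

```python
# Added example, not Liferay's code: read the IdP values listed above out of SAML metadata,
# then check a SAML Response against the SP values (ACS URL and Audience). Hostnames, paths
# and the certificate are constructed; the ACS path and SP Entity ID are assumptions.
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BINDINGS = {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "POST",
            "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "Redirect"}

FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real X.509 certificate").decode()  # stand-in DER
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="http://adfs.customer.example/adfs/services/trust">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="{NS['samlp']}">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.customer.example/adfs/ls/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.customer.example/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

SP = {"acs_url": "https://auth.liferay.cloud/saml/acs",         # assumed ACS path
      "entity_id": "https://auth.liferay.cloud/saml/metadata"}  # assumed Audience URL / Entity ID
NOW = datetime(2024, 5, 1, 12, 1, tzinfo=timezone.utc)          # constructed "current time"
SAML_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1"
    Version="2.0" IssueInstant="2024-05-01T12:00:00Z" Destination="{SP['acs_url']}">
  <saml:Issuer>http://adfs.customer.example/adfs/services/trust</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>http://adfs.customer.example/adfs/services/trust</saml:Issuer>
    <saml:Subject><saml:NameID>jane@customer.example</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP['entity_id']}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def parse_idp_metadata(xml_text):
    """IdP Issuer, SSO URL per binding, Sign Requests flag, and signing-cert SHA-256 fingerprints."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not IdP metadata: no IDPSSODescriptor")
    sso = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        method = BINDINGS.get(svc.get("Binding"))
        if method:  # ignore bindings not used for this integration
            if not svc.get("Location", "").startswith("https://"):
                raise ValueError(f"{method} SSO URL is not HTTPS: {svc.get('Location')}")
            sso[method] = svc.get("Location")
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute means signing and encryption
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())  # confirm this value out of band
    if not fingerprints:
        raise ValueError("no signing certificate: SAML signatures could not be verified")
    return {"issuer": root.get("entityID"),  # an identifier, so the ADFS default http: form is fine
            "sso_urls": sso,
            "sign_requests": idp.get("WantAuthnRequestsSigned", "false").lower() == "true",
            "signing_cert_sha256": fingerprints}


def check_response(xml_text, sp, idp, now):
    """Reasons to reject a SAML Response (empty list = accept). Assumes the XML signature was
    already verified against the IdP signing cert; stdlib has no XML-DSig, so that is omitted."""
    problems, resp = [], ET.fromstring(xml_text)
    if resp.get("Destination") != sp["acs_url"]:
        problems.append("Destination is not our ACS URL")
    if resp.findtext("saml:Issuer", namespaces=NS) != idp["issuer"]:
        problems.append("Response Issuer is not the configured IdP")
    assertions = resp.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return problems + ["expected exactly one Assertion"]
    if assertions[0].findtext("saml:Issuer", namespaces=NS) != idp["issuer"]:
        problems.append("Assertion Issuer is not the configured IdP")
    cond = assertions[0].find("saml:Conditions", NS)
    audiences = [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp["entity_id"] not in audiences:
        problems.append("Audience does not include our Entity ID (assertion meant for another SP)")
    expiry = cond.get("NotOnOrAfter")
    if expiry and now >= datetime.strptime(expiry, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc):
        problems.append("assertion expired (possible replay)")
    return problems


def demo():
    idp = parse_idp_metadata(IDP_METADATA)
    # Same assertion, but issued for a different SP: only the Audience check should fail.
    foreign = SAML_RESPONSE.replace(SP["entity_id"], "https://other-sp.example/saml/metadata")
    return {"idp": idp,
            "valid": check_response(SAML_RESPONSE, SP, idp, NOW),
            "foreign_audience": check_response(foreign, SP, idp, NOW),
            "replayed_late": check_response(SAML_RESPONSE, SP, idp, NOW.replace(minute=10))}


if __name__ == "__main__":
    print(demo())
```

Running the script prints the extracted IdP settings, an empty problem list for the well-formed response, and one-item lists for the response whose Audience names another SP and for the same response presented after its NotOnOrAfter time. The Audience check is the practical reason the Audience URL must be entered exactly as the DXP Cloud team supplies it: an IdP that omits or mistypes it produces assertions the SP has to reject.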
Import SP Metadata Provided by the Liferay DXP Cloud Team
Once the SP metadata has been received from the DXP Cloud team, enter the SP metadata values into the IdP (in ADFS, as a new Relying Party Trust). The Assertion Consumer Service URL is where the IdP must send its SAML Response, and the Audience URL is the relying party identifier the IdP must place in each assertion; both have to match exactly what the DXP Cloud team provided, or DXP Cloud will reject the response.
Once SSO is enabled, Users whose accounts exist in the configured identity provider may use it to authenticate.
Once a User authenticates with SSO for the first time, that User account is converted to SSO-only and must authenticate through SSO from then on.
To log into DXP Cloud using SSO:
Navigate to https://console.liferay.cloud/login.
Click Login via SSO.
Enter the Company Name in the Organization ID field.
If you have already authenticated with your organization's SSO, the IdP may reuse your existing session and you may not need to complete the following steps.
On your Identity Provider's login page, enter the Email Address in the Email Address field. This must be the same email address stored in the company's database or directory service (such as LDAP or ADFS).
Enter the Password in the Password field. This must be the same password associated with that email address in the company's database or directory service; it is entered only at the Identity Provider and is never sent to DXP Cloud.
Click Log in.
Once logged in, the User should see all of their projects and environments.