
Using SSO with DXP Cloud

Customers may use their SAML 2.0 compliant Single Sign-On Identity Providers to authenticate Users to the DXP Cloud platform. This document will detail the process to enable this integration.

SAML-based SSO involves three parties: the Client, the Service Provider (SP), and the Identity Provider (IdP). When the client tries to reach the Service Provider, the Service Provider redirects the client to the Identity Provider with an authentication request. After the Identity Provider has authenticated the client, it returns a signed SAML assertion about the client to the Service Provider (via the client's browser); the client's credentials themselves never reach the Service Provider, which grants access on the strength of the assertion.

In this scenario, DXP Cloud functions as the Service Provider, the customer trying to log into DXP Cloud is the client, and the Identity Provider is an enterprise directory solution managed by the customer.

Enabling SSO for a DXP Cloud Project

To enable SSO for your DXP Cloud project the following steps need to be taken:

  1. Provide IdP Metadata to the DXP Cloud Team

  2. DXP Cloud Team Imports Provided IdP Data and Provides Service Provider (SP) Metadata

  3. Import SP Metadata Provided by the Liferay DXP Cloud Team

Provide Identity Provider Metadata to the DXP Cloud Team

Clients who wish to enable SSO for their DXP Cloud project will need to provide their IdP system's metadata, which must include the following information:

IdP Issuer: The identifier of the identity issuer; usually the entityID attribute of the EntityDescriptor element in the IdP metadata.
IdP Single Sign-On URL: The IdP endpoint that receives the SAML Authentication Request (example: https://adfs.customer.com/saml/sso). It should be served over HTTPS.
IdP Signature Certificate: The IdP's public-key (X.509) certificate, used by DXP Cloud to verify the signatures on SAML messages and assertions.
IdP Single Sign-On HTTP Method (Request Binding): The binding the customer's Identity Provider supports for receiving Authentication Requests; the only valid values are POST (HTTP-POST binding, the default) and GET (HTTP-Redirect binding).
Sign Requests: Set to TRUE if the SAML requests sent to the customer's Identity Provider should be signed; otherwise set to FALSE.
Request Signature Algorithm (RSA): If Sign Requests is set to TRUE, the digest algorithm used with RSA to sign the requests. At the moment SHA-256 and SHA-1 are supported; SHA-1 is not recommended. If request signing is disabled, this setting is unnecessary.

ADFS-Specific Information

Clients using Microsoft ADFS should pay attention to the following settings which are required to setup SSO using SAML:

IdP Issuer URI: The Federation Service identifier, found in AD FS Management under the Federation Service properties (General tab). Its default value is http://domain/adfs/services/trust; note that it is an identifier, so the http:// scheme is expected here.
IdP Single Sign-On URL: The default endpoint path is /adfs/ls/. Example: https://adfs.example.com/adfs/ls/
IdP Signing Certificate: The AD FS token-signing certificate (not the service-communications or token-decrypting certificate), exported as a DER-encoded binary X.509 file (.cer).

Once the IdP metadata has been generated, open a ticket with the DXP Cloud team. IdP metadata can be supplied either as an XML file or as a URL endpoint (https://localhost:8080/c/saml/metadata is a basic example of the form such a URL takes). If you supply a URL, it must be reachable by the DXP Cloud team from outside your network and should be served over HTTPS.

DXP Cloud Team Imports Provided IdP Data and Provides Service Provider Metadata

The DXP Cloud team will then provide the following SP metadata values to the client:

Assertion Consumer Service (ACS) URL: The DXP Cloud endpoint to which the Identity Provider sends the SAML Response. This will always be an address under https://auth.liferay.cloud.
Audience URL: The identifier (SP entity ID) of DXP Cloud as a Service Provider. The Identity Provider must put this value in the assertion's AudienceRestriction; DXP Cloud uses it to confirm that an assertion was issued for it and not for some other service.
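To make the two SP values concrete, here is an added example (not Liferay's code, and not a description of how DXP Cloud's own SAML implementation is written) of the checks a Service Provider applies to an incoming SAML Response against its ACS URL and Audience: Destination and Recipient must equal the ACS URL, AudienceRestriction must name the SP, the Issuer must be the configured IdP Issuer, the validity window must hold, and InResponseTo must match a request the SP actually issued. The Response, the ACS URL https://auth.liferay.cloud/example/saml/acs, the audience https://auth.liferay.cloud/example and the user alice@example.com are all constructed placeholders. XML signature verification is deliberately left out; a real SP verifies the signature with the IdP signing certificate before trusting anything in the document.

```python
"""SP-side acceptance checks for a SAML Response. Added example; the Response and
the SP configuration are constructed placeholders, and signature checking is omitted."""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed SP configuration: the values handed out in the SP metadata (placeholders)
SP_CONFIG = {
    "acs_url": "https://auth.liferay.cloud/example/saml/acs",
    "audience": "https://auth.liferay.cloud/example",
    "idp_issuer": "http://adfs.example.com/adfs/services/trust",
}

# Constructed sample Response, as an IdP would POST it to the ACS URL
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z"
    Destination="https://auth.liferay.cloud/example/saml/acs" InResponseTo="_req42">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://auth.liferay.cloud/example/saml/acs"
            NotOnOrAfter="2024-01-01T12:05:00Z" InResponseTo="_req42"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://auth.liferay.cloud/example</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"""


def _ts(s: str) -> dt.datetime:
    """Parse a SAML UTC timestamp into an aware datetime."""
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def validate_response(xml_text: str, config: dict, outstanding_request_ids: set, now: dt.datetime):
    """Return (subject NameID, []) when every check passes, else (None, [reasons])."""
    problems = []
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    if root.get("Destination") != config["acs_url"]:        # ACS URL check, response level
        problems.append(f"Destination {root.get('Destination')!r} is not our ACS URL")
    if root.get("InResponseTo") not in outstanding_request_ids:
        problems.append("InResponseTo does not match a request we issued (replay or unsolicited)")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        problems.append(f"expected exactly one Assertion, got {len(assertions)}")
        return None, problems
    a = assertions[0]
    issuer = a.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != config["idp_issuer"]:                      # IdP Issuer check
        problems.append(f"assertion Issuer {issuer!r} is not the configured IdP Issuer")
    audiences = [e.text.strip() for e in
                 a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if config["audience"] not in audiences:                 # Audience check
        problems.append(f"AudienceRestriction {audiences} does not name us")
    cond = a.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("no SubjectConfirmationData for bearer confirmation")
    else:
        if scd.get("Recipient") != config["acs_url"]:      # ACS URL check, assertion level
            problems.append("Recipient is not our ACS URL")
        if scd.get("NotOnOrAfter") and now >= _ts(scd.get("NotOnOrAfter")):
            problems.append("subject confirmation expired")
        if scd.get("InResponseTo") not in outstanding_request_ids:
            problems.append("subject confirmation InResponseTo mismatch")
    if problems:
        return None, problems
    return a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip(), []


if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, SP_CONFIG, {"_req42"}, _ts("2024-01-01T12:01:00Z")))
```

The practical consequence for the IdP setup step is that the ACS URL and Audience URL must be entered into the IdP exactly as supplied, including scheme and any trailing path: an assertion addressed to a slightly different Audience or Recipient fails these checks and the login is rejected. The InResponseTo check is why a SAML Response cannot simply be captured and replayed against the SP later.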

Import SP Metadata Provided by the Liferay DXP Cloud Team

Once the SP metadata has been received from the DXP Cloud team, enter the SP metadata values into the IdP exactly as provided.

Using SSO

Once SSO is enabled, Users with the appropriate identity provider(s) may use it to authenticate.

Warning

Once a User authenticates with SSO for the first time, that User account is converted to an SSO account and must authenticate using SSO from then on.

To log into DXP Cloud using SSO:

  1. Navigate to https://console.liferay.cloud/login.

  2. Click Login via SSO.

    Login Page

  3. Enter the Company Name in the Organization ID field.

  4. Click Continue.

    Note

    If you have already authenticated on your organization’s SSO, you may not need to proceed through the following steps.

  5. Enter the Email Address in the Email Address field. This must be the same email address stored in the company's database or directory service (such as LDAP or AD FS).

  6. Enter the Password in the Password field. This must be the same password associated with the email address stored in the company’s database or directory service.

  7. Click Log in.

Once logged in, the User should see all of his or her projects and environments.

Projects page