Authenticating with SAML

The SAML (Security Assertion Markup Language) adapter provides Single Sign On (SSO) and Single Logout (SLO) in your deployment. SAML works by using Identity Providers (IdP) and Service Providers (SP):

  • Identity Provider: A trusted system that provides single sign-on for users to access other websites.
  • Service Provider: A website that hosts applications and grants access only to identified users with proper credentials.

Liferay can serve either as the Service Provider (SP) or the Identity Provider (IdP).

Note

A single Liferay DXP instance is either the SP or the IdP in your SSO setup; it can’t be both. You can, however, use separate instances for both purposes (for example, one instance is the SP and another is the IdP).

You can jump right to configuring SAML, or read on to learn how it works.

Technical Standards and Specifications

SAML is an OASIS Open standard. Liferay’s SAML implementation adheres to these standards as written, to ensure interoperability and reduce vendor lock-in. If users encounter vendor-specific features outside the standards, Liferay prefers to address them through external solutions, rather than making them part of the product.

Liferay’s SAML implementation focuses primarily on the Assertions and Protocols and the Bindings documents. In the table below, the key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” are to be interpreted as described in RFC 2119.

  • Parts marked by MUST are implemented and supported.
  • Parts marked by SHOULD and MAY (and related terms) may be implemented already or upon request, at Liferay’s discretion.
Specification | Description | Implemented in Liferay DXP | Link
--- | --- | --- | ---
Core | This specification defines the syntax and semantics for XML-encoded assertions about authentication, attributes, and authorization, and for the protocols that convey this information. | All MUST parts are implemented and supported. | Documentation
Bindings | This specification defines protocol bindings for the use of SAML assertions and request-response messages in communications protocols and frameworks. | All MUST parts are implemented and supported. | Documentation
Profiles | This specification defines profiles for the use of SAML assertions and request-response messages in communications protocols and frameworks, as well as profiles for SAML attribute value syntax and naming conventions. | All MUST parts of the Web Browser SSO and Single Logout profiles are implemented and supported. | Documentation
Metadata | SAML profiles require agreements between system entities regarding identifiers, binding support and endpoints, certificates and keys, and so forth. A metadata specification is useful for describing this information in a standardized way. This document defines an extensible metadata format for SAML system entities, organized by roles that reflect SAML profiles. Such roles include Identity Provider, Service Provider, Affiliation, Attribute Authority, Attribute Consumer, and Policy Decision Point. | The parts of the specification that the SAML metadata generation logic in Liferay DXP needs are implemented and supported. | Documentation
Authentication Context | This specification defines a syntax for the definition of authentication context declarations and an initial list of authentication context classes for use with SAML. | Not supported. | Documentation
Conformance | This normative specification provides the technical requirements for SAML V2.0 conformance and specifies the entire set of documents comprising SAML V2.0. | All MUST parts of the Web Browser SSO and Single Logout profiles are implemented and supported. | Documentation
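To make the IdP/SP roles and the metadata format concrete, here is an added Python example (it is not Liferay DXP code and not taken from the OASIS specifications) that parses a SAML 2.0 EntityDescriptor, decides whether the peer is an IdP or an SP, and extracts the endpoints, signing certificate, signing requirements and validity window that the other party needs before it can trust the exchange. The metadata document, entity ID, URLs and certificate value are constructed for the example.

```python
"""Parse a SAML 2.0 metadata EntityDescriptor into the facts a peer needs.

Added illustrative code; not part of Liferay DXP or the OASIS SAML specs.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"

# Role elements the Metadata spec defines for the two profiles this page
# covers: a system entity is described as an IdP or as an SP.
ROLE_ELEMENTS = {
    f"{{{MD}}}IDPSSODescriptor": "IdP",
    f"{{{MD}}}SPSSODescriptor": "SP",
}
# Endpoint elements used by the Web Browser SSO and Single Logout profiles.
ENDPOINT_ELEMENTS = (
    "SingleSignOnService",        # IdP side
    "AssertionConsumerService",   # SP side
    "SingleLogoutService",        # either side
)
# Attributes that state whether messages and assertions must be signed.
SIGNING_FLAGS = ("WantAuthnRequestsSigned", "AuthnRequestsSigned", "WantAssertionsSigned")

# Constructed sample IdP metadata: entity ID, URLs and the certificate
# value are placeholders made up for this example.
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml"
    validUntil="2099-01-01T00:00:00Z">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIB...PLACEHOLDER...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/slo"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _parse_time(value):
    # SAML timestamps are xs:dateTime in UTC; map the trailing "Z" to an
    # explicit offset so fromisoformat accepts it on older Python versions.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_metadata(xml_text, now=None):
    """Return entity ID, role, endpoints, signing certs and flags, or raise ValueError."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _parse_time(now)
    # For metadata fetched from an untrusted source, use defusedxml instead of
    # the stdlib parser so DTDs and entity expansion are rejected outright.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError(f"expected EntityDescriptor, got {root.tag}")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("entityID is required")
    valid_until = root.get("validUntil")
    if valid_until and _parse_time(valid_until) <= now:
        raise ValueError(f"metadata for {entity_id} expired at {valid_until}")

    # A single entity description is either an SP or an IdP, never both.
    roles = [child for child in root if child.tag in ROLE_ELEMENTS]
    if len(roles) != 1:
        raise ValueError(f"expected exactly one SP or IdP role, found {len(roles)}")
    role = roles[0]
    if SAML2_PROTOCOL not in role.get("protocolSupportEnumeration", "").split():
        raise ValueError("role does not advertise SAML 2.0 protocol support")

    endpoints = {}
    for name in ENDPOINT_ELEMENTS:
        for ep in role.findall(f"{{{MD}}}{name}"):
            endpoints.setdefault(name, {})[ep.get("Binding")] = ep.get("Location")

    # KeyDescriptor without a "use" attribute is valid for signing and encryption.
    signing_certs = []
    for kd in role.findall(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall(f".//{{{DS}}}X509Certificate"):
                signing_certs.append("".join((cert.text or "").split()))

    flags = {k: role.get(k) == "true" for k in SIGNING_FLAGS if role.get(k) is not None}
    return {
        "entity_id": entity_id,
        "role": ROLE_ELEMENTS[role.tag],
        "valid_until": valid_until,
        "endpoints": endpoints,
        "signing_certs": signing_certs,
        "flags": flags,
    }


def metadata_is_usable(xml_text, now=None):
    """True if the metadata parses and has not expired, else False."""
    try:
        parse_metadata(xml_text, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for key, value in parse_metadata(SAMPLE_IDP_METADATA).items():
        print(f"{key}: {value}")
```

The parser deliberately refuses metadata that is expired, that advertises more than one role, or that lacks SAML 2.0 protocol support, because each of those is a configuration error that would otherwise surface later as a confusing SSO failure. It does not verify an XML signature over the metadata itself; in a real deployment, metadata exchanged out of band should be signed or delivered over a channel whose authenticity is established separately.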