Authenticating with SAML
<div class="d-flex flex-column">
<div class="learn-article-wrapper">
<div class="language-log learn-article-content">
<svg xmlns="http://www.w3.org/2000/svg" class="adm-hidden"> </svg>
<h1 id="configuring-saml-at-the-instance-level"><a href="#configuring-saml-at-the-instance-level" id="configuring-saml-at-the-instance-level">Configuring SAML at the Instance Level</a></h1>
<p><span class="bdg bdg-primary">Subscription</span></p>
<p>Each portal instance can be a SAML provider, either an Identity Provider (IdP) or a Service Provider (SP). Whichever role your DXP instance fills, you configure it in the same place.</p>
<div class="adm-block adm-warning">
<div class="adm-heading">
<svg class="adm-icon"><use xlink:href="#adm-warning" /></svg><span>Warning</span>
</div>
<div class="adm-body">
<p>The Instance Settings user interface is auto-generated and doesn&rsquo;t provide field validation and other features that make it easier to configure SAML. Please use the <a href="./saml-admin">SAML Admin</a> interface to configure your SAML instance. The Instance Settings interface is documented here for advanced users who want to use it to create a <a href="./saml-admin#saml-settings">configuration file</a>.</p>
</div>
</div>
<ol>
<li><p>Go to <em>Control Panel</em> → <em>Instance Settings</em> → <em>Security</em> → <em>SSO</em> → <em>SAML Provider Configuration</em>.</p></li>
<li><p>Fill out the form and, at the bottom, click <em>Update</em>.</p></li>
</ol>
<p><strong>Key Store Credential Password:</strong> The password used to access the key store.</p>
<p><strong>Key Store Encryption Credential Password:</strong> The password for the encryption credential that protects this SAML provider configuration in the key store.</p>
<p><strong>Require Assertion Signature:</strong> Check this box to require each SAML assertion to be individually signed by the IdP, in addition to the signature on the SAML message as a whole.</p>
<p><strong>Require Authn Request Signature:</strong> Check this box to require each Authn request to be signed by the sending Service Provider. In most cases, this should be enabled.</p>
<p><strong>Clock Skew:</strong> The tolerance, in milliseconds, for the time difference between the SP&rsquo;s clock and the IdP&rsquo;s clock when time-bounded SAML conditions are evaluated.</p>
<p><strong>Default Assertion Lifetime:</strong> How long, in seconds, assertions issued by this IdP remain valid.</p>
<p><strong>Enabled:</strong> Check this box to enable this SAML provider.</p>
<p><strong>Entity ID:</strong> The unique identifier this SP or IdP presents to its SAML peers.</p>
<p><strong>LDAP Import Enabled:</strong> Check this box to import user attributes from the LDAP servers declared in this SP&rsquo;s instance settings.</p>
<p><strong>SAML Role:</strong> Choose the role for this provider. Each portal instance can be configured as an Identity Provider (IdP), a Service Provider (SP), or an Identity Broker. Only one role can be active at a time. See <a href="./saml-admin">SAML Admin</a> to learn more about the roles.</p>
<p><strong>Session Maximum Age:</strong> The amount of time, in seconds, that the SSO session managed by the IdP lasts.</p>
<p><strong>Session Idle Timeout:</strong> The amount of time, in seconds, that an idle session lasts before it expires.</p>
<p><strong>Sign Authn Requests?:</strong> If configured as an SP, digitally sign Authn requests.</p>
<p><strong>Sign Metadata?:</strong> Sign the metadata sent to peer SAML entities.</p>
<p><strong>SSL Required:</strong> Check this box to require SSL for the transfer of all SAML messages. All URLs in the metadata sent to peers are then prefixed with the <code>https</code> protocol.</p>
<p><strong>Allow showing the login portlet:</strong> Allow the login portlet to appear when no SAML IdP matches the login request. Users in this scenario log in locally to Liferay DXP.</p>
<h2 id="related-topics"><a href="#related-topics" id="related-topics">Related Topics</a></h2>
<ul>
<li><a href="./configuring-saml-at-the-system-level">Configuring SAML at the System Level</a></li>
</ul>
</div>
</div>
</div>
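<p>To show how the Require Assertion Signature, Clock Skew and Default Assertion Lifetime settings above interact when an SP evaluates an assertion, here is an added Python example; it is not Liferay code, the assertion is a constructed sample, and signature verification is stubbed as a presence check rather than a real XML-DSig validation.</p>

```python
"""Added example (not Liferay code): SP-side checks for the Require Assertion Signature,
Clock Skew (ms) and Default Assertion Lifetime (s) settings. Signature verification is
reduced to "is ds:Signature present"; the point here is the time-window logic."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
TS = "%Y-%m-%dT%H:%M:%SZ"
ISSUED = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed sample issue time

def make_assertion(issued, lifetime_s, signed):
    """IdP side (constructed sample): Default Assertion Lifetime (seconds) sets NotOnOrAfter."""
    sig = "<ds:Signature/>" if signed else ""
    return ('<saml:Assertion xmlns:saml="%s" xmlns:ds="%s">%s'
            '<saml:Conditions NotBefore="%s" NotOnOrAfter="%s"/></saml:Assertion>'
            % (NS["saml"], NS["ds"], sig, issued.strftime(TS),
               (issued + timedelta(seconds=lifetime_s)).strftime(TS)))

@dataclass
class SpSettings:
    clock_skew_ms: int                 # Clock Skew field
    require_assertion_signature: bool  # Require Assertion Signature box

def validate(assertion_xml, sp, now):
    """SP side: return the violations found; an empty list means accept."""
    root = ET.fromstring(assertion_xml)
    errors = []
    if sp.require_assertion_signature and root.find("ds:Signature", NS) is None:
        errors.append("assertion is not individually signed")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return errors + ["missing Conditions element"]
    skew = timedelta(milliseconds=sp.clock_skew_ms)
    not_before = datetime.strptime(cond.get("NotBefore"), TS).replace(tzinfo=timezone.utc)
    not_after = datetime.strptime(cond.get("NotOnOrAfter"), TS).replace(tzinfo=timezone.utc)
    # Skew widens the window on both ends: NotBefore - skew <= now < NotOnOrAfter + skew
    if now + skew < not_before:
        errors.append("assertion not yet valid")
    if now - skew >= not_after:
        errors.append("assertion expired")
    return errors

def check_sample(lifetime_s, clock_skew_ms, seconds_after_issue, signed=True, require_sig=True):
    """Evaluate one scenario against the constructed sample assertion."""
    xml = make_assertion(ISSUED, lifetime_s, signed)
    sp = SpSettings(clock_skew_ms, require_sig)
    return validate(xml, sp, ISSUED + timedelta(seconds=seconds_after_issue))
```

<p>A larger Clock Skew accepts assertions further past NotOnOrAfter, so keep it as small as your clock synchronisation allows.</p>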