Configuring Liferay Authentication With PingOne Using SAML
This tutorial guides you through the basic steps needed to integrate PingOne, your Identity Provider (IdP), with your Liferay environment using Security Assertion Markup Language (SAML).
Prerequisites
- PingOne environment
- Liferay DXP environment
- A user who has administrative access to the PingOne environment
- A user who has administrative access to Liferay's Control Panel
PingOne Configuration
1. Sign in to your PingOne environment.
2. Go to Applications → Applications and click to add a new application.
3. Fill out the application name and select the application type:
   - Application Name: Liferay DXP - SAML
   - Description: (Optional) Enter a description
   - Icon: (Optional) Upload an icon
   - Application Type: SAML Application
4. Click Configure.
5. In the SAML Configuration section, enter your application metadata:
   - Provide Application Metadata: select Manually Enter
   - ACS URL: https://[your_instance_url]/c/portal/saml/acs
   - Entity ID: samlsp
   The Entity ID is the name Liferay will use for itself as Service Provider. It must match, character for character, the Entity ID you enter in Liferay's SAML Admin later.
6. Click Save.
7. Navigate to the Configuration tab and click the Edit icon, then set:
   - Signing Certificate: choose between Sign Response and Sign Assertion & Response, depending on your use case. See "Defining signature policy (SAML)" in the PingOne documentation to learn more about these choices. Remember which one you chose; it decides whether you enable "Require Assertion Signature?" on the Liferay side.
   - Signing Algorithm: RSA_SHA256
   - Encryption: leave unchecked.
     Note: We recommend the use of encryption; for the purpose of this tutorial, however, it is left unchecked. Enabling encryption may require additional configuration of your infrastructure.
   - SLO endpoint: https://[your_instance_url]/c/portal/saml/slo
   - SLO binding: HTTP POST
   - Assertion validity duration (in seconds): 3000
     This value bounds how long a captured assertion remains usable, so keep it as short as the clock synchronization between PingOne and Liferay allows.
8. Click Save.
9. Navigate to the Attribute Mappings tab and add the following attributes:

   Attribute       PingOne Mapping
   saml_subject    Email Address
   emailAddress    Email Address
   firstName       Given Name
   lastName        Family Name
   screenName      User ID

10. Click Save.
    Note: Create your users by navigating to Directory → Users.
11. Navigate to the Configuration tab and download the metadata .xml file. You will use it while configuring Liferay DXP.
12. Enable access to this application with the toggle switch at the top right.
Liferay DXP Configuration
1. On your Liferay DXP instance, navigate to Control Panel → Security → SAML Admin.
2. Set the SAML Role to Service Provider and the Entity ID to samlsp (the same value you entered in PingOne). Click Save.
3. Under the Certificate and Private Key section, click Create Certificate and either create a new certificate or import an existing one. This key pair signs Liferay's AuthnRequests and metadata, so protect the private key like any other production credential.
4. Go to the Service Provider tab and set:
   - Sign Authn Requests?: enable
   - Sign Metadata?: enable
   - SSL Required: enable
   - Allow showing the login portlet: enable
   - Require Assertion Signature?: enable only if you configured PingOne to Sign Assertion & Response. If PingOne signs only the Response, leaving this enabled makes Liferay reject every login.
5. Click Save.
6. Click the Identity Provider Connections tab, click Add Identity Provider, and set the following:
   - Name: PingOne
   - Entity ID: the value of the entityID attribute of the EntityDescriptor in the metadata .xml file downloaded in the previous section
   - Enabled: check the box
   - Metadata: enter your IdP's Metadata URL. It is found under the Configuration tab of the application in your PingOne environment.
   - Name Identifier Format: Email Address
   - Basic User Fields: enter the following attribute mappings

     User Field Expression    SAML Attribute
     emailAddress             emailAddress
     firstName                firstName
     lastName                 lastName
     screenName               screenName

   - Click Save.
7. Go back to the General tab and make sure the Enabled checkbox is checked. Click Save.
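The Identity Provider Connection step above takes the entityID and the endpoints from the metadata file downloaded from PingOne. The script below is an added example, not code from Liferay or PingOne, that pulls those fields out of an IdP metadata file with the Python standard library and flags gaps that would break the connection configured in this tutorial (missing signing certificate, non-HTTPS endpoints, no SLO endpoint, no emailAddress NameID format). The embedded metadata is a constructed sample: its entityID, endpoint URLs and certificate bytes are placeholders, and the checks are this example's own, not Liferay's validation logic.

```python
"""Extract the values Liferay's SAML Admin asks for from a PingOne IdP metadata file.

Added example for this tutorial (Python standard library only); it is not Liferay or
PingOne code. The metadata below is a constructed sample in the shape an IdP exports:
the entityID, endpoint URLs and the certificate bytes are invented placeholders.
"""
import base64
import sys
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample; a real PingOne export carries a full X.509 certificate here.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://auth.pingone.example/0f0f0f0f-1111-2222-3333-444444444444">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIBAAIBAA==</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://auth.pingone.example/0f0f0f0f-1111-2222-3333-444444444444/saml20/idp/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://auth.pingone.example/0f0f0f0f-1111-2222-3333-444444444444/saml20/idp/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://auth.pingone.example/0f0f0f0f-1111-2222-3333-444444444444/saml20/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Return entityID, SSO/SLO endpoints (keyed by binding), NameID formats and
    the DER signing certificates from an IdP EntityDescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")

    def endpoints(tag):
        return {e.get("Binding"): e.get("Location") for e in idp.findall(tag, NS)}

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without "use" may serve both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            if not der or der[0] != 0x30:  # every DER certificate starts with a SEQUENCE tag
                raise ValueError("X509Certificate element does not contain DER data")
            certs.append(der)

    return {
        "entity_id": root.get("entityID"),
        "sso": endpoints("md:SingleSignOnService"),
        "slo": endpoints("md:SingleLogoutService"),
        "name_id_formats": [n.text for n in idp.findall("md:NameIDFormat", NS)],
        "signing_certs": certs,
    }


def check_for_liferay(info: dict) -> list:
    """Flag anything that would break the Identity Provider Connection set up in the tutorial."""
    problems = []
    if not info["entity_id"]:
        problems.append("entityID missing; Liferay's Identity Provider Connection requires it")
    if not info["signing_certs"]:
        problems.append("no signing certificate; Liferay cannot verify Response/Assertion signatures")
    if HTTP_POST not in info["sso"] and HTTP_REDIRECT not in info["sso"]:
        problems.append("no HTTP-POST or HTTP-Redirect SingleSignOnService endpoint")
    if not info["slo"]:
        problems.append("no SingleLogoutService endpoint; the SLO configured in the tutorial will not work")
    for location in list(info["sso"].values()) + list(info["slo"].values()):
        if not location.startswith("https://"):
            problems.append("endpoint %s is not HTTPS" % location)
    if info["name_id_formats"] and EMAIL_FORMAT not in info["name_id_formats"]:
        problems.append("IdP does not advertise the emailAddress NameID format Liferay is set to")
    return problems


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_METADATA
    info = parse_idp_metadata(text)
    print("Entity ID for Liferay:", info["entity_id"])
    print("SSO endpoints:", info["sso"])
    print("SLO endpoints:", info["slo"])
    print("signing certificates:", len(info["signing_certs"]))
    for p in check_for_liferay(info):
        print("PROBLEM:", p)
```

Run it with the path of the downloaded metadata .xml as the only argument; the printed Entity ID is the value to enter in the Identity Provider Connection form. The DER check only confirms the certificate element holds binary ASN.1, not that the certificate is valid or unexpired; for that, inspect it with a real X.509 parser.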
Validation
1. Go to your Liferay instance and open a new browser session, or sign out of your account.
2. Click the Sign In button. You should be redirected to PingOne's login page.
3. Type in the username and password of your PingOne user. On success you are returned to Liferay, signed in.
4. Sign back in with your Liferay administrator account, navigate to Control Panel → Users and Organizations, and verify that the account was created in Liferay with the email address, first name, last name and screen name that PingOne sent.
Conclusion
Congratulations! Users may now authenticate to your environment by using PingOne.
Tips and Troubleshooting
INVALID_ACS_URL
If you encounter ErrorCode: INVALID_ACS_URL, PingOne received an AuthnRequest whose AssertionConsumerServiceURL does not match any ACS URL configured for the application. Verify that your ACS URLs are configured correctly in PingOne with the appropriate path (/c/portal/saml/acs) and scheme (http or https); a request announcing https://... is rejected if PingOne only has the http:// form, and vice versa. You can find them in your PingOne account by navigating to the application you created → Configuration tab → Edit icon.
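To see exactly which ACS URL Liferay announced, decode the SAMLRequest parameter of the redirect to PingOne and compare it with the configured list. The script below is an added example, not code from Liferay or PingOne: it inflates and parses an HTTP-Redirect SAMLRequest with the Python standard library and reports which part of the ACS URL (scheme, host or path) disagrees with PingOne's configuration, plus an Issuer/Entity ID mismatch. The embedded AuthnRequest is a constructed sample; the host liferay.example stands in for [your_instance_url] and the PingOne SSO URL is invented.

```python
"""Decode the SAMLRequest that Liferay sends to PingOne and explain an INVALID_ACS_URL.

Added example for the troubleshooting section (Python standard library only); it is not
Liferay or PingOne code. The AuthnRequest below is a constructed sample; the host
liferay.example stands in for [your_instance_url] and the PingOne SSO URL is invented.
"""
import base64
import sys
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed AuthnRequest with the classic mistake: the SP announces an http:// ACS URL
# while PingOne was configured with the https:// one from the tutorial.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_c0ffee01" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:00Z" '
    'Destination="https://auth.pingone.example/0f0f0f0f-1111-2222-3333-444444444444/saml20/idp/sso" '
    'AssertionConsumerServiceURL="http://liferay.example/c/portal/saml/acs" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    "<saml:Issuer>samlsp</saml:Issuer></samlp:AuthnRequest>" % (SAMLP, SAML)
)
CONFIGURED_ACS_URLS = ["https://liferay.example/c/portal/saml/acs"]  # what PingOne has (assumed)
SP_ENTITY_ID = "samlsp"                                            # Entity ID set in PingOne


def encode_redirect_request(xml_text: str) -> str:
    """Raw DEFLATE + base64, the HTTP-Redirect binding's ?SAMLRequest= encoding."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def decode_redirect_request(param: str) -> str:
    """Inverse of encode_redirect_request; accepts the value straight from the URL."""
    return zlib.decompress(base64.b64decode(unquote(param)), -15).decode()


def parse_authn_request(xml_text: str) -> dict:
    """Pull out the fields PingOne matches against the application configuration."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not a samlp:AuthnRequest")
    issuer = root.find("{%s}Issuer" % SAML)
    return {
        "issuer": issuer.text if issuer is not None else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "destination": root.get("Destination"),
    }


def diagnose(req: dict, configured_acs: list, sp_entity_id: str) -> list:
    """Return human-readable reasons PingOne would reject this request; [] if it looks fine."""
    notes = []
    if req["issuer"] != sp_entity_id:
        notes.append("Issuer %r does not match the Entity ID %r configured in PingOne"
                     % (req["issuer"], sp_entity_id))
    requested = req["acs_url"]
    if requested is None or requested in configured_acs:
        return notes  # nothing to compare, or an exact match
    notes.append("ACS URL %s is not among PingOne's configured ACS URLs" % requested)
    r = urlsplit(requested)
    for candidate in configured_acs:
        c = urlsplit(candidate)
        if r.scheme != c.scheme:
            notes.append("scheme: request uses %s, %s uses %s (check SSL Required and proxy headers)"
                         % (r.scheme, candidate, c.scheme))
        if r.netloc != c.netloc:
            notes.append("host: request uses %s, %s uses %s" % (r.netloc, candidate, c.netloc))
        if r.path != c.path:
            notes.append("path: request uses %s, %s uses %s (Liferay's ACS path is /c/portal/saml/acs)"
                         % (r.path, candidate, c.path))
    return notes


if __name__ == "__main__":
    param = sys.argv[1] if len(sys.argv) > 1 else encode_redirect_request(SAMPLE_AUTHN_REQUEST)
    req = parse_authn_request(decode_redirect_request(param))
    print(req)
    for note in diagnose(req, CONFIGURED_ACS_URLS, SP_ENTITY_ID) or ["request looks consistent"]:
        print(note)
```

Pass the SAMLRequest value copied from the browser's address bar as the only argument (the redirect binding is the one Liferay uses for the initial request; a POST-binding request is base64 only, without the DEFLATE step). A scheme mismatch usually means Liferay built the URL from an http:// request behind a TLS-terminating proxy, which is why SSL Required and correct forwarded-protocol headers matter.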