Legacy Knowledge Base
Published Jul. 2, 2025

Setting Up OpenAM With Liferay Portal 6 on Tomcat

Written By

Brett Ripley

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided "as is" without guarantee.

Before using any information from this article, independently verify its suitability for your situation and project.

Liferay Support does not recommend or endorse specific third-party products over others. Liferay is not responsible for any instructions herein or referenced regarding these products. Any implementation of these principles is the responsibility of the subscriber.

This article will demonstrate how to integrate OpenAM (formerly OpenSSO) with Liferay Portal to achieve a very basic single sign-on (SSO).

OpenSSO was an open source access management and federation server platform. After changing hands multiple times, the OpenSSO project is currently being developed and supported by ForgeRock under the name of OpenAM. Throughout the article we will refer to the software by its current name (OpenAM) for the sake of simplicity.

While OpenAM can be installed on a separate server, for the purposes of this article we will be installing it in the same Tomcat server as Liferay using a Liferay Bundle. Before beginning, make sure that Java is installed (Java 6 is recommended) and your JAVA_HOME variables are set.

Resolution

The first step is to unzip the Liferay Bundle and install it to an appropriate location.

  1. Download the Liferay 6 SP2-Tomcat bundle from the Liferay Downloads page.
  2. Unzip it to a convenient location.

Install OpenAM

  1. Download the latest OpenAM build (we used openam_release9_20100207.war) from ForgeRock: Access Management.
  2. Rename it to something more convenient. We'll call ours "openam.war".
  3. Copy the openam.war to apache-tomcat-6.0.32/webapps/.
  4. In apache-tomcat-6.0.32/bin/, execute startup.bat to start Tomcat. This will deploy OpenAM. After Tomcat has deployed OpenAM, you will see the deployed war file as apache-tomcat-6.0.32/webapps/openam.
  5. Open a browser to http://localhost:8080/openam, which should redirect you to http://localhost:8080/openam/config/options.htm, to complete the OpenAM configuration.
  6. You should see the OpenAM configuration options page. Under Custom Configuration click Create New Configuration. Enter the following:
    1. Default User Password — password
    2. Server Settings — default entries are ok
    3. Configuration Data Store Settings — select First Instance, select OpenAM as Configuration Data Store, leave other entries
    4. User Data Store Settings — select OpenAM User Data Store
    5. As the warning states, this is only for a basic OpenAM configuration. Once OpenAM is verified to work, you will want to switch to another data store for your production servers.
    6. Site Configuration — select No
    7. Default Policy Agent User — liferay01
    8. Configurator Summary Details - click Create Configuration. This will create the configuration for your OpenAM server.
  7. When this completes, in the Configuration Complete dialog, click Proceed to Login, which should now redirect you to http://localhost:8080/openam/UI/Login. Type amAdmin as the username, password as the password, and click Log in. You should now see the OpenAM Console.

Additional OpenAM Configuration

To get OpenAM to work correctly with Liferay, you need to set Encode Cookie Value to Yes as well as change a default property. This will prevent infinite redirection between Liferay and OpenAM on login.

  1. In the OpenAM Console, select the Configuration tab.
  2. Select the Servers and Sites tab.
  3. Click Default Server Settings.
  4. Select the Security tab.
  5. In the Cookie section, select the Yes checkbox beside Encode Cookie Value.
  6. Click Save.
  7. Select the Advanced tab.
  8. Find the com.iplanet.am.cookie.c66Encode property, and set the value to true.
  9. Click Save.

Add the Default Liferay user to OpenAM

  1. In the OpenAM Console, select the Access Control tab.
  2. Click the / (Top Level Realm) realm.
  3. Select the Subjects tab.
  4. Click New...
  5. Setup the default Liferay user:
    1. ID — test
    2. First Name — Test
    3. Last Name — Test
    4. Full Name — Test Test
    5. Password — password
    6. Click OK to create the user.
  6. Click Test Test to add the email address. Enter test@liferay.com for the Email Address, and click Save.

Integrate Liferay Portal with OpenAM

Now you are ready to update Liferay Portal to integrate with OpenAM for authentication.

  1. Using the same browser, open up a new tab and navigate to Liferay (http://localhost:8080/).
  2. Login as the admin user (test/test) and navigate to Control Panel → Settings → Authentication → OpenSSO.
  3. Fill in the form to point to your OpenAM instance. If you've been following this guide, those values will be:
    1. Check Enabled box.
    2. Login URL: http://localhost:8080/openam/UI/Login?goto=http://localhost:8080/c/portal/login
    3. Logout URL: http://localhost:8080/openam/UI/Logout?goto=http://localhost:8080/web/guest/home
    4. Service URL: http://localhost:8080/openam/
    5. Screen Name Attribute: uid
    6. Email Address Attribute: mail
    7. First Name Attribute: givenname
    8. Last Name Attribute: sn
  4. Make sure that this configuration can connect by using the "Test OpenSSO Configuration" button.
  5. Once Liferay has started, open a browser to http://localhost:8080. Click "Sign in" in the top right corner of the screen and you should be redirected to the OpenAM login page (http://localhost:8080/openam/UI/Login). Enter test for the User Name, and password for the Password. Click Log In.

If everything is set up correctly, you will be authenticated against the "subjects" list in OpenAM, and redirected to Liferay.
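The URLs entered in step 3 have to agree with one another: Login URL and Logout URL should share an origin with Service URL, and each goto parameter should lead back to the portal. The Python check below is an added example, not part of the original article or of Liferay or OpenAM; the dictionary keys mirror the form labels above, while PORTAL_BASE, LOCAL_HOSTS and the function names are assumptions made for the example.

```python
from urllib.parse import parse_qs, urlsplit

# Values copied from step 3 above; the keys mirror the form labels.
PORTAL_BASE = "http://localhost:8080"
GUIDE_SETTINGS = {
    "Login URL": "http://localhost:8080/openam/UI/Login"
                 "?goto=http://localhost:8080/c/portal/login",
    "Logout URL": "http://localhost:8080/openam/UI/Logout"
                  "?goto=http://localhost:8080/web/guest/home",
    "Service URL": "http://localhost:8080/openam/",
}
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}  # assumption: lab-only hosts


def origin(url):
    """Return (scheme, host, port) so two URLs can be compared by origin."""
    parts = urlsplit(url)
    default_port = {"http": 80, "https": 443}.get(parts.scheme)
    return (parts.scheme, parts.hostname, parts.port or default_port)


def check_sso_settings(settings, portal_base):
    """Return a list of findings; an empty list means the URLs agree."""
    findings = []
    for name in ("Login URL", "Logout URL"):
        url = settings[name]
        # Login and logout should be served by the same OpenAM instance
        # that Liferay queries through the Service URL.
        if origin(url) != origin(settings["Service URL"]):
            findings.append(f"{name}: origin differs from Service URL")
        # goto must send the browser back to the portal, nowhere else.
        goto = parse_qs(urlsplit(url).query).get("goto", [])
        if len(goto) != 1:
            findings.append(f"{name}: expected exactly one goto parameter")
        elif origin(goto[0]) != origin(portal_base):
            findings.append(f"{name}: goto leaves the portal ({goto[0]})")
    # Plain http exposes the password and SSO cookie on the wire, so it is
    # tolerated only for the single-machine setup this guide builds.
    for name, url in [*settings.items(), ("Portal", portal_base)]:
        scheme, host, _ = origin(url)
        if scheme != "https" and host not in LOCAL_HOSTS:
            findings.append(f"{name}: plain {scheme} on non-local host {host}")
    return findings


if __name__ == "__main__":
    for finding in check_sso_settings(GUIDE_SETTINGS, PORTAL_BASE) or ["OK"]:
        print(finding)
```

The guide's own values pass because everything runs on localhost; the same values moved to a real hostname are reported until the URLs use https.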

Now that Liferay is using OpenAM for authentication, if you create a new user in OpenAM, that user will also be created in Liferay on the first login. That newly created user in Liferay will only have the basic information filled in (First Name, Last Name, Screen Name, Email Address) and will have the default Roles, Groups, and Organizations assigned.
