Using SSO with Liferay Cloud

Customers may use their SAML 2.0 compliant Single Sign-On Identity Providers to authenticate Users to the Liferay Cloud platform. This document will detail the process to enable this integration.

Using SAML to execute SSO involves three parties: the Client (the user's browser), the Service Provider (SP), and the Identity Provider (IdP). When the client tries to reach the Service Provider, the Service Provider redirects the client to the Identity Provider with a SAML Authentication Request. After the Identity Provider has authenticated the client, it sends the client back to the Service Provider carrying a signed SAML assertion that states who the user is; the Service Provider verifies the signature and grants access. The user's password is only ever entered at the Identity Provider and is never shared with the Service Provider.

In this scenario, Liferay Cloud functions as the Service Provider, the customer's user trying to log into Liferay Cloud is the client, and the Identity Provider is an enterprise directory solution managed by the customer (for example Microsoft ADFS).

Enabling SSO for a Liferay Cloud Project

To enable SSO for your Liferay Cloud project the following steps need to be taken:

  1. Provide IdP Metadata to the Liferay Cloud Team

  2. Liferay Cloud Team Imports Provided IdP Data and Provides Service Provider (SP) Metadata

  3. Import SP Metadata Provided by the Liferay Cloud Team

Provide Identity Provider Metadata to the Liferay Cloud Team

Clients who wish to enable SSO for their Liferay Cloud project will need to provide their IdP system's metadata, which must include the following information:

IdP Issuer

The name of the identity issuer; usually the entityID attribute of the EntityDescriptor element in the IdP metadata. Liferay Cloud compares the Issuer element of every SAML response and assertion against this value, so it must match exactly, scheme included.

IdP Single Sign-On URL

Request endpoint that will receive the SAML Authentication Request (example:

IdP Signature Certificate

Public key certificate of the IdP, used by Liferay Cloud to verify the signatures on SAML messages and assertions. If the IdP rotates this certificate, the new certificate must be sent to the Liferay Cloud team before the old one is retired, or every login will fail signature verification.

IdP Single Sign-On HTTP Method (Request Binding)

The HTTP method supported by the customer's Identity Provider to receive the Authentication Requests; the only valid answers are POST (the default, corresponding to the SAML HTTP-POST binding) and GET (the SAML HTTP-Redirect binding).

Sign Requests

Set to TRUE if the SAML Authentication Requests sent to the Customer's Identity Provider should be signed; otherwise set to FALSE. Signed requests let the IdP reject requests that did not originate from Liferay Cloud.

Request Signature Algorithm (RSA)

If Sign Requests is set to TRUE, provide the digest algorithm used with the RSA request signature. At the moment SHA-1 (not recommended; it is deprecated for signatures) and SHA-256 are supported, corresponding to the RSA-SHA1 and RSA-SHA256 XML signature algorithms. If request signing is disabled, this setting is unnecessary.
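Before opening the ticket, it helps to pull the values above out of the IdP's metadata XML and check that they are what the Liferay Cloud team will need. The Python script below is an added example, not Liferay code: it parses a constructed IdP metadata document (a hypothetical ADFS host at idp.example.com, with a stand-in certificate blob instead of a real X.509 certificate), extracts the Entity ID, the Single Sign-On URL for the chosen request binding, and the signing certificate, and rejects metadata that has no IdP role, publishes no signing certificate, or whose certificate is not DER-shaped.

```python
import base64
import xml.etree.ElementTree as ET

# Namespaces used in SAML 2.0 metadata documents.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Map the SAML binding URIs to the HTTP method names used on this page.
BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "GET",
}

# Constructed stand-in for a DER certificate: an ASN.1 SEQUENCE header plus
# filler, so the base64 decodes to something DER-shaped. A real IdP publishes
# its actual X.509 token-signing certificate here.
FAKE_DER = b"\x30\x82\x00\x10" + b"\x00" * 16
FAKE_B64 = base64.b64encode(FAKE_DER).decode()

# Constructed IdP metadata in the shape ADFS publishes (hypothetical host).
SAMPLE_METADATA = f"""
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://idp.example.com/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{FAKE_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/adfs/ls"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/adfs/ls"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""".strip()


def extract_idp_settings(metadata_xml: str, preferred_binding: str = "POST") -> dict:
    """Return the IdP Issuer, SSO URL, request binding and signing certificate.

    Raises ValueError when the metadata cannot satisfy what the SP needs.
    """
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    issuer = root.get("entityID")
    if not issuer:
        raise ValueError("EntityDescriptor has no entityID")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor (not an IdP)")

    # Signing certificate: use="signing", or no use attribute (means both).
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall(".//ds:X509Certificate", NS):
                certs.append("".join((cert.text or "").split()))
    if not certs:
        raise ValueError("no signing certificate in metadata")
    der = base64.b64decode(certs[0], validate=True)
    if der[:1] != b"\x30":
        raise ValueError("certificate is not DER (expected ASN.1 SEQUENCE)")

    # SSO endpoints keyed by the HTTP method names used on this page.
    endpoints = {}
    for sso in idp.findall("md:SingleSignOnService", NS):
        method = BINDINGS.get(sso.get("Binding", ""))
        if method:
            endpoints[method] = sso.get("Location")
    sso_url = endpoints.get(preferred_binding)
    if not sso_url:
        raise ValueError(f"IdP does not offer the {preferred_binding} binding")
    if not sso_url.startswith("https://"):
        raise ValueError("SSO URL must be https")

    return {
        "idp_issuer": issuer,
        "idp_sso_url": sso_url,
        "request_binding": preferred_binding,
        "idp_signing_certificate_b64": certs[0],
        "idp_signing_certificate_der_len": len(der),
        "available_bindings": sorted(endpoints),
    }


if __name__ == "__main__":
    for key, value in extract_idp_settings(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

Run it against a real metadata file by replacing SAMPLE_METADATA with the file's contents; the idp_issuer, idp_sso_url, request_binding and certificate values it prints are exactly the ones the ticket asks for. The DER check is only a shape check; confirm the certificate's subject and expiry with openssl before sending it.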

ADFS-Specific Information

Clients using Microsoft ADFS should pay attention to the following settings, which are required to set up SSO using SAML:

IdP Issuer URI

Located in the General tab's Federation Service identifier and has a default value of http://domain/adfs/services/trust. ADFS uses the http scheme in this identifier even though its endpoints are served over https; supply it exactly as ADFS shows it.

IdP Single Sign-On URL

Default setting is /adfs/ls. Example:

IdP Signing Certificate

A DER encoded binary X.509 certificate file. This is the Token-signing certificate in the ADFS console, not the Service communications or Token-decrypting certificate.

Once the IdP metadata has been generated, open a ticket with the Liferay Cloud team. IdP metadata can be transmitted in the form of either an XML file or a URL endpoint from which the Liferay Cloud team can fetch it (https://localhost:8080/c/saml/metadata is a basic example; ADFS publishes its metadata at /FederationMetadata/2007-06/FederationMetadata.xml on the federation service host). A metadata URL must be reachable from outside the customer's network.

Liferay Cloud Team Imports Provided IdP Data and Provides Service Provider Metadata

The Liferay Cloud team will then provide the following SP metadata values to the client:

Assertion Consumer Service (ACS) URL

The endpoint on Liferay Cloud that receives the SAML response from the Identity Provider. This will always be an address served from

Audience URL

The Entity ID that identifies Liferay Cloud as the Service Provider. The Identity Provider must include this value as the Audience in the assertion's AudienceRestriction; an assertion issued for any other audience is rejected. In ADFS this is the Relying Party Trust identifier.
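The ACS URL and Audience URL are not just addresses the IdP needs to know; they are the values a SAML Service Provider checks on every response to make sure the assertion was issued to it and delivered to the right endpoint. The Python function below is an added example, not Liferay Cloud's implementation: against a constructed, unsigned SAML Response from a hypothetical IdP at idp.example.com to a hypothetical SP at sp.example.com, it checks the Issuer against the IdP Issuer, the Destination and Recipient against the ACS URL, and the AudienceRestriction against the Audience URL, together with the validity window (with a small clock-skew allowance). XML signature verification is left out on purpose: it needs an XML-DSig library such as xmlsec and must pass before any of these checks carry weight.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical SP-side settings taken from the metadata exchange.
SP_CONFIG = {
    "idp_issuer": "http://idp.example.com/adfs/services/trust",  # IdP Issuer
    "acs_url": "https://sp.example.com/saml/acs",                # ACS URL
    "audience": "https://sp.example.com",                        # Audience URL
    "clock_skew": timedelta(seconds=120),
}

# Constructed SAML Response; the ds:Signature elements are omitted.
SAMPLE_RESPONSE = """
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z" Destination="https://sp.example.com/saml/acs">
  <saml:Issuer>http://idp.example.com/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>http://idp.example.com/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z" Recipient="https://sp.example.com/saml/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
""".strip()


def parse_time(value: str) -> datetime:
    """SAML timestamps are UTC 'Z' times; ADFS may add fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"bad SAML timestamp: {value!r}")


def validate_response(xml_text: str, config: dict, now: datetime) -> dict:
    """Apply the metadata-derived checks; raises ValueError on any mismatch."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    # Destination must be our ACS URL, or a response minted for another
    # endpoint could be replayed here.
    if root.get("Destination") != config["acs_url"]:
        raise ValueError("Destination does not match the ACS URL")
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != config["idp_issuer"]:
        raise ValueError(f"unexpected response issuer {issuer!r}")

    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError(f"expected exactly one assertion, got {len(assertions)}")
    a = assertions[0]
    if a.findtext("saml:Issuer", default="", namespaces=NS).strip() != config["idp_issuer"]:
        raise ValueError("assertion issuer does not match the IdP Issuer")

    # AudienceRestriction must name this SP (the Audience URL).
    audiences = [e.text.strip() for e in a.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if e.text]
    if config["audience"] not in audiences:
        raise ValueError(f"assertion audience {audiences} does not include this SP")

    skew = config["clock_skew"]
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    if cond.get("NotBefore") and now < parse_time(cond.get("NotBefore")) - skew:
        raise ValueError("assertion not yet valid")
    if cond.get("NotOnOrAfter") and now >= parse_time(cond.get("NotOnOrAfter")) + skew:
        raise ValueError("assertion expired")

    # Bearer confirmation: Recipient must be our ACS URL and still be in its window.
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != config["acs_url"]:
        raise ValueError("SubjectConfirmationData Recipient does not match the ACS URL")
    if scd.get("NotOnOrAfter") and now >= parse_time(scd.get("NotOnOrAfter")) + skew:
        raise ValueError("subject confirmation expired")

    name_id = a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not name_id:
        raise ValueError("assertion has no NameID")
    return {"name_id": name_id, "issuer": issuer, "audience": config["audience"]}


def check_sample(now_iso: str, **overrides) -> str:
    """Validate SAMPLE_RESPONSE at a UTC time with optional config overrides;
    return the NameID, or 'REJECTED: <reason>'."""
    config = dict(SP_CONFIG, **overrides)
    try:
        return validate_response(SAMPLE_RESPONSE, config, parse_time(now_iso))["name_id"]
    except ValueError as exc:
        return f"REJECTED: {exc}"


if __name__ == "__main__":
    print(check_sample("2024-01-01T12:01:00Z"))
    print(check_sample("2024-01-01T12:10:00Z"))
    print(check_sample("2024-01-01T12:01:00Z", audience="https://other.example.com"))
```

The overrides in check_sample show why each metadata value matters: change the audience and a perfectly valid assertion for another relying party is refused, change the ACS URL and a response addressed to a different endpoint is refused. A production SP adds signature verification, replay protection on the assertion ID, and InResponseTo matching against the request it sent; those need state and a crypto library and are outside this example.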

Import SP Metadata Provided by the Liferay Cloud Team

Once the SP metadata has been received from the Liferay Cloud team, enter the SP metadata values into the IdP. In ADFS this means creating a Relying Party Trust with the ACS URL as the SAML assertion consumer endpoint and the Audience URL as the relying party identifier.

Using SSO

Once SSO is enabled, Users with the appropriate identity provider(s) may use it to authenticate.

Once a User authenticates with SSO for the first time, that User account is converted to an SSO account and must authenticate using SSO from then on.

To log into Liferay Cloud using SSO:

  1. Navigate to

  2. Click Login via SSO.

    (Screenshot: Login Page)

  3. Enter the Company Name in the Organization ID field.

  4. Click Continue.

    If you have already authenticated on your organization's SSO, you may not need to proceed through the following steps.

  5. Enter the Email Address in the Email Address field. This must be the same email address stored in the company's database or directory service (such as LDAP or ADFS).

  6. Enter the Password in the Password field. This must be the same password associated with the email address stored in the company’s database or directory service.

  7. Click Log in.

Once logged in, the User should see all of their projects and environments.

(Screenshot: Projects page)