Recipe
Published August 02, 2024

Configuring Liferay Authentication With PingOne Using SAML

While we make every effort to ensure this Recipe is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Introduction

This recipe guides you through the basic steps needed to integrate PingOne, your Identity Provider (IdP), with your Liferay environment using Security Assertion Markup Language (SAML).

Prerequisites

  • PingOne environment

  • Liferay DXP environment

  • A user who has administrative access to the PingOne environment

  • A user who has administrative access to Liferay's Control Panel

Steps

  1. Sign in to your PingOne environment.

  2. On the left sidebar menu, go to Applications → Applications.

  3. Click the Add button to create a new application.

  4. Enter these values and click Configure:

    Application Name: Liferay DXP - SAML
    Description: (Optional)
    Icon: (Optional)
    Application Type: SAML Application
  5. Under SAML Configuration, enter your application metadata and click Save.

    Provide Application Metadata: Manually Enter
    ACS URLs: https://[your_web_server]/c/portal/saml/acs
    Entity ID: samlsp
  6. Go to Configuration and click the Edit icon.

  7. Enter these values and click Save:

    Signing Certificate: Choose between Sign Response or Sign Assertion & Response according to your use case. See Defining signature policy (SAML) from PingOne to learn more about these choices.
    Signing Algorithm: RSA_SHA256
    Encryption: Unchecked
    SLO endpoint: https://[your_web_server]/c/portal/saml/slo
    SLO binding: HTTP POST
    Assertion validity duration (in seconds): 3000
  8. Go to Attribute Mappings, add these attributes, and click Save:

    Attribute → PingOne Mapping
    saml_subject → Email Address
    emailAddress → Email Address
    firstName → Given Name
    lastName → Family Name
    screenName → User ID
  9. Go to Configuration, and download the Metadata XML file.

    You will use it in a later step to configure Liferay DXP.

  10. Click the toggle switch in the top right corner to enable the application.

  11. Now configure Liferay DXP: On your Liferay DXP instance, open the Global Menu and go to Control Panel → Security → SAML Admin.

  12. Under the General tab, set these values and click Save:

    SAML Role: Service Provider
    Entity ID: samlsp
  13. Warning: Do not enable SAML until you have finished configuring all settings.

  14. Create a Certificate and Private Key. An Encryption Certificate is not needed.

  15. Go to the Service Provider tab, ensure these settings are checked, and click Save:

    • Sign Authn Requests?

    • Sign Metadata?

    • SSL Required

    • Allow showing the login portlet.

    • Enable “Require Assertion Signature?” if you chose the Sign Assertion & Response configuration option in PingOne.

  16. Go to the Identity Provider Connections tab.

  17. Click Add Identity Provider and configure these settings:

    Name: PingOne
    Entity ID: Enter the entityID found in the Metadata XML file you downloaded from PingOne
    Enabled: Checked
    Upload Metadata XML: Checked
    Metadata XML: Upload the Metadata XML file
    Name Identifier Format: Email Address
  18. Under Attribute Mapping, add these Basic User Fields:

    User Field Expression → SAML Attribute
    emailAddress → emailAddress
    firstName → firstName
    lastName → lastName
    screenName → screenName
  19. Click Save.

  20. Go back to the General tab, check Enabled, and click Save.

    You can now use PingOne with SAML to authenticate in your Liferay instance.

  21. To validate your configuration, log out of your current user.

  22. Click Sign In.

    This redirects you to PingOne's login page.

  23. Type in the user name and password for your user.

    Once you've successfully logged in, your PingOne user should be registered in Liferay.

  24. Sign back in as your Liferay admin user.

  25. Open the Global Menu and go to Control Panel → Users and Organizations. Verify that your PingOne user displays on the list.

Conclusion

Congratulations! Users may now authenticate to your environment using PingOne.

Tips

INVALID_ACS_URL

If you encounter ErrorCode: INVALID_ACS_URL, verify that your ACS URLs are configured correctly in PingOne with the appropriate path and scheme (HTTP or HTTPS). You can find them in your PingOne account by navigating to the application you created → Configuration tab → Edit icon.

Recipe
20 Minutes
