Authenticating with SAML
When authenticating with SAML, Liferay can serve as either the service provider (SP) or the identity provider (IdP). See authenticating with SAML to learn more.
Clarity Vision Solutions has grown by acquiring Fabulous Frames. As they look to the possibility of acquiring another company, the IT team decides to utilize SAML to centralize the storing and managing of user credentials. Follow the steps below to see this in action.
Setting Up an Identity Provider

- Start a Liferay container to be the identity provider:

  ```bash
  docker run -it -m 8g -p 7080:8080 \
    --env LIFERAY_SETUP_PERIOD_WIZARD_PERIOD_ENABLED=true \
    --name liferayidp liferay/dxp:latest
  ```

- Set up the administrator account.
  - Navigate to `localhost:7080`.
  - Enter `Support` as the first name.
  - Enter `Support` as the last name.
  - Enter `support@clarityvisionsolutions.com` as the email.
  - Click Finish Configuration.
  - On the next page, set the password to `learn`.
  - Click Save.
- Configure a new identity provider.
  - Navigate to Global Menu → Control Panel → SAML Admin.
  - Under the General tab, select Identity Provider as the SAML role.
  - Enter the entity ID as `liferayidp`.
  - Click Save.
  - Click Create Certificate under the Certificate and Private Key section.
  - Enter the common name as `foo`.
  - Scroll down to the bottom and enter the key password as `learn`.
  - Click Save.
  - Finally, tick the Enabled checkbox under the General tab and click Save.
Setting Up a Service Provider

- Start a Liferay container to be the service provider:

  ```bash
  docker run -it -m 8g -p 8080:8080 --name liferaysp liferay/dxp:latest
  ```

- Navigate to `localhost:8080` and log in as the administrator (i.e. `test@liferay.com:test`). Note that you may need to access each container in a different browser.
- Navigate to Global Menu → Control Panel → SAML Admin.
- Configure a new service provider.
  - Under the General tab, select Service Provider as the SAML role.
  - Enter the entity ID as `liferaysp`.
  - Click Save.
  - Click Create Certificate under the Certificate and Private Key section.
  - Enter the common name as `foo`.
  - Scroll down to the bottom and enter the key password as `learn`.
  - Click Save.
  - Finally, tick the Enabled checkbox under the General tab and click Save.
Linking the SP and IdP

In the `liferaysp` container (`localhost:8080`), navigate to Global Menu → Control Panel → SAML Admin. Click the Identity Provider Connections tab.

- Create an IdP connection.
  - Click Add Identity Provider.
  - Enter the name as `liferayidp`.
  - Enter the entity ID as `liferayidp`.
  - Tick the Enabled checkbox.
  - Enter the metadata URL as `http://[IP Address]:7080/c/portal/saml/metadata`. Note: replace `[IP Address]` with your machine's local IP address.
  - Under Attribute Mapping, use the drop-down list and select `emailAddress`. Set the SAML attribute as `emailAddress`.
  - Click the icon next to it to add another entry. Use the drop-down list and select `firstName`. Set the SAML attribute as `firstName`.
  - Add another entry. Use the drop-down list and select `lastName`. Set the SAML attribute as `lastName`.
  - Add another entry. Use the drop-down list and select `screenName`. Set the SAML attribute as `screenName`.
  - Add another entry. Use the drop-down list and select `UUID`. Set the SAML attribute as `UUID`.
  - Click Save at the bottom of the page.

Next, in the `liferayidp` container (`localhost:7080`), navigate to Global Menu → Control Panel → SAML Admin. Click the Service Provider Connections tab.

- Create an SP connection.
  - Click Add Service Provider.
  - Enter the name as `liferaysp`.
  - Enter the entity ID as `liferaysp`.
  - Tick the Enabled checkbox.
  - Enter the metadata URL as `http://[IP Address]:8080/c/portal/saml/metadata`. Note: replace `[IP Address]` with your machine's local IP address.
  - Enter the name identifier attribute name as `emailAddress`.
  - Tick the Attributes Enabled checkbox.
  - In the Attributes text box, enter the following attributes:

    ```
    firstName
    lastName
    emailAddress
    screenName
    uuid
    ```

  - Click Save at the bottom of the page.
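Before saving either connection, it is worth confirming that the metadata URL actually returns metadata for the role you expect and that its `entityID` matches the entity ID you typed: the SP rejects assertions whose issuer differs from the configured entity ID even when the metadata loads fine. The following checker is an added example, not part of the course or of Liferay; the metadata document and the `192.0.2.10` address are constructed stand-ins for what the IdP's `/c/portal/saml/metadata` endpoint returns.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed, abbreviated stand-in for an IdP's /c/portal/saml/metadata
# response; the certificate value is a placeholder, not real key material.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor entityID="liferayidp"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIB...CERT-PLACEHOLDER...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://192.0.2.10:7080/c/portal/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def inspect_idp_metadata(xml_text, expected_entity_id):
    """Return findings: 'problems' break SSO, 'warnings' are lab-only shortcuts."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    result = {"entity_id": entity_id, "sso_urls": [], "signing_certs": 0,
              "problems": [], "warnings": []}
    # The SP checks an assertion's Issuer against the entity ID typed into the
    # connection, so a mismatch fails login even though the metadata loads.
    if entity_id != expected_entity_id:
        result["problems"].append(
            f"entityID {entity_id!r} != configured {expected_entity_id!r}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        result["problems"].append("no IDPSSODescriptor: not IdP metadata")
        return result
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":   # no 'use' means both roles
            result["signing_certs"] += len(
                kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS))
    if result["signing_certs"] == 0:
        result["problems"].append("no signing cert: assertions cannot be verified")
    for sso in idp.findall("md:SingleSignOnService", NS):
        url = sso.get("Location", "")
        result["sso_urls"].append(url)
        if url.startswith("http://"):   # fine on a lab LAN, not for production
            result["warnings"].append(f"plain-HTTP SSO endpoint: {url}")
    if not result["sso_urls"]:
        result["problems"].append("no SingleSignOnService endpoint")
    return result
```

Point it at the real document by fetching the metadata URL from the steps above and passing the response body as `xml_text`.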
Testing the SAML connection

- In the `liferaysp` container (i.e. `localhost:8080`), navigate to Global Menu → Control Panel → Users and Organizations. Note that the Test Test administrator is the only user listed.
- Click the user profile image in the top right and click Sign Out. Sign in with the credentials `support@clarityvisionsolutions.com:learn`. Note that the `liferayidp` container verified the user and provided a successful login.

To make working with the rest of the course easier, disable SAML after completing this exercise.

Next: Authorizing with OAuth2