
Authenticating with SAML

When authenticating with SAML, Liferay can serve as either the service provider (SP) or the identity provider (IdP). See authenticating with SAML to learn more.

Clarity Vision Solutions has grown by acquiring Fabulous Frames. As they look to the possibility of acquiring another company, the IT team decides to utilize SAML to centralize the storing and managing of user credentials. Follow the steps below to see this in action.

Setting Up an Identity Provider

  1. Start a Liferay container to be the identity provider.

    docker run -it -m 8g -p 7080:8080 \
       --env LIFERAY_SETUP_PERIOD_WIZARD_PERIOD_ENABLED=true \
       --name liferayidp liferay/dxp:latest
    
  2. Set up the administrator account.

    • Navigate to localhost:7080.
    • Enter Support as the first name.
    • Enter Support as the last name.
    • Enter support@clarityvisionsolutions.com as the email.
    • Click Finish Configuration.
    • On the next page, set the password to learn.
    • Click Save.
  3. Configure a new identity provider.

    • Navigate to Global Menu → Control Panel → SAML Admin.
    • Under the general tab, select Identity Provider as the SAML role.
    • Enter the entity ID as liferayidp.
    • Click Save.
    • Click Create Certificate under the certificate and private key section.
    • Enter the common name as foo.
    • Scroll down to the bottom. Input the key password as learn.
    • Click Save.
    • Finally, tick the Enabled checkbox under the general tab and click Save.

Setting Up a Service Provider

  1. Start a Liferay container to be the service provider.

    docker run -it -m 8g -p 8080:8080 --name liferaysp liferay/dxp:latest
    
  2. Navigate to localhost:8080 and log in as the administrator (i.e. test@liferay.com:test). Note: you may need to access each container in a different browser, since both containers set session cookies for localhost.

  3. Navigate to Global Menu → Control Panel → SAML Admin.

  4. Configure a new service provider.

    • Under the general tab, select Service Provider as the SAML role.
    • Enter the entity ID as liferaysp.
    • Click Save.
    • Click Create Certificate under the certificate and private key section.
    • Enter the common name as foo.
    • Scroll down to the bottom. Input the key password as learn.
    • Click Save.
    • Finally, tick the Enabled checkbox under the general tab and click Save.

Linking the SP and IdP

In the liferaysp container (localhost:8080), navigate to Global Menu → Control Panel → SAML Admin. Click the Identity Provider Connections tab.

  1. Create an IdP connection.

    • Click Add Identity Provider.
    • Enter the name as liferayidp.
    • Enter the entity ID as liferayidp.
    • Tick the Enabled checkbox.
    • Enter the metadata URL as http://[IP Address]:7080/c/portal/saml/metadata. Note: replace [IP Address] with your machine's local IP address.
    • Under attribute mapping, use the drop-down list and select emailAddress. Set the SAML attribute as emailAddress.
    • Click the (Add icon) for another entry. Use the drop-down list and select firstName. Set the SAML attribute as firstName.
    • Click the (Add icon) for another entry. Use the drop-down list and select lastName. Set the SAML attribute as lastName.
    • Click the (Add icon) for another entry. Use the drop-down list and select screenName. Set the SAML attribute as screenName.
    • Click the (Add icon) for another entry. Use the drop-down list and select UUID. Set the SAML attribute as UUID.
    • Click Save at the bottom of the page.
  2. Next, in the liferayidp container (localhost:7080), navigate to Global Menu → Control Panel → SAML Admin. Click the Service Provider Connections tab.

    • Click Add Service Provider.

    • Enter the name as liferaysp.

    • Enter the entity ID as liferaysp.

    • Tick the Enabled checkbox.

    • Enter the metadata URL as http://[IP Address]:8080/c/portal/saml/metadata. Note: replace [IP Address] with your machine's local IP address.

    • Enter the name identifier attribute name as emailAddress.

    • Tick the Attributes Enabled checkbox.

    • In the attributes text box, enter the following attributes:

      firstName
      lastName
      emailAddress
      screenName
      uuid
      
    • Click Save at the bottom of the page.
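Each side of the connection is keyed on the entity ID typed into the form and on the metadata fetched from the other container, so it is worth confirming that the document at a metadata URL actually describes the partner you configured before saving. The following check is an added example, not part of the course or of Liferay's own code: it parses a constructed sample shaped like standard SAML 2.0 IdP metadata (the IP address, the placeholder certificate text and the SSO endpoint path are assumptions) and reports anything the SP would trip over.

```python
"""Sanity-check SAML IdP metadata before wiring it into an SP connection (added example)."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample shaped like an IdP's metadata document. The IP address, the
# certificate body and the SSO path are placeholders, not values from a real container.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="liferayidp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://192.0.2.10:7080/c/portal/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def check_idp_metadata(xml_text: str, expected_entity_id: str) -> list:
    """Return a list of findings; an empty list means the metadata matches the SP's expectations.

    To check a live container, pass the body of http://[IP Address]:7080/c/portal/saml/metadata
    (e.g. urllib.request.urlopen(url).read()) instead of the constructed sample.
    """
    findings = []
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    # The SP's IdP connection only accepts assertions whose issuer matches the entity ID
    # entered in the form, so a mismatch here means every login will be rejected.
    if entity_id != expected_entity_id:
        findings.append(f"entityID is {entity_id!r}, expected {expected_entity_id!r}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return findings + ["no IDPSSODescriptor: this metadata does not describe an IdP"]
    # Without a published signing certificate the SP has nothing to verify signatures against.
    certs = [c.text.strip() for c in
             idp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
             if c.text and c.text.strip()]
    if not certs:
        findings.append("no X509Certificate in any KeyDescriptor: SP cannot verify signatures")
    # Plain-HTTP endpoints expose SAML messages in transit; fine for this lab, not for production.
    for sso in idp.findall("md:SingleSignOnService", NS):
        location = sso.get("Location", "")
        if location.startswith("http://"):
            findings.append(f"SSO endpoint {location} is plain HTTP; acceptable only on a lab network")
    return findings
```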

Testing the SAML connection

  1. In the liferaysp container (i.e. localhost:8080), navigate to Global Menu → Control Panel → Users and Organizations. Note that the Test Test administrator is the only user listed.

  2. Click the user profile image in the top right and click Sign Out. Sign in with the credentials support@clarityvisionsolutions.com:learn. Note that the liferayidp container verified the user and the login to the service provider succeeded.

Warning: To make working with the rest of the course easier, disable SAML after completing this exercise.
