Configuring Liferay Authentication With PingOne Using SAML

This tutorial guides you through the basic steps needed to integrate PingOne, your Identity Provider (IdP), with your Liferay environment using Security Assertion Markup Language (SAML).

Prerequisites

  • PingOne environment
  • Liferay DXP environment
  • A user who has administrative access to PingOne environment
  • A user who has administrative access to Liferay’s Control Panel

PingOne Configuration

  1. Sign in to your PingOne environment.

  2. Go to Applications → Application, and click to add a new application.

  3. Fill out the Application name and select the Application Type.

    1. Application Name: Liferay DXP - SAML

    2. Description: (Optional) Enter a description

    3. Icon: (Optional) Upload an icon

    4. Application Type: SAML Application

  4. Click Configure.

  5. In the SAML Configuration section, enter your application metadata.

    1. Provide Application Metadata: select Manually Enter

    2. ACS URL: https://[your_instance_url]/c/portal/saml/acs

    3. Entity ID: samlsp

  6. Click Save.

  7. Navigate to the Configuration tab and click the Edit icon.

    1. Signing Certificate: Choose between Sign Response or Sign Assertion & Response depending on your use case. See Defining signature policy (SAML) from PingOne to learn more about these choices.

    2. Signing Algorithm: RSA_SHA256

    3. Encryption: Leave unchecked.

      Note

      We recommend using encryption; however, for the purpose of this tutorial we leave it unchecked. Enabling encryption may require additional configuration of your infrastructure.

    4. SLO endpoint: https://[your_instance_url]/c/portal/saml/slo

    5. SLO binding: HTTP POST

    6. Assertion validity duration (in seconds): 3000

  8. Click Save.

  9. Navigate to the Attribute Mappings tab and add the following attributes.

    Attributes     PingOne Mappings
    saml_subject   Email Address
    emailAddress   Email Address
    firstName      Given Name
    lastName       Family Name
    screenName     User ID

  10. Click Save.

    Note

    Create your users by navigating to Directory → Users.

  11. Navigate to the Configuration tab and download the Metadata .xml file. You will use it when configuring Liferay DXP.

  12. Enable access to this application using the toggle switch at the top right.

Liferay DXP Configuration

  1. On your Liferay DXP instance, navigate to Control Panel → Security → SAML Admin.

  2. Set the SAML Role to Service Provider, and Entity ID to samlsp. Click Save.

  3. Click Create Certificate under the Certificate and Private Key section. Import or create your certificate.

  4. Go to the Service Provider tab.

    1. Sign Authn Requests? - Enable

    2. Sign Metadata? - Enable

    3. SSL Required - Enable

    4. Allow showing the login portlet. - Enable

    5. Require Assertion Signature? - Enable this if you configured PingOne to Sign Assertion & Response.

  5. Click Save.

  6. Click the Identity Provider Connections tab. Click Add Identity Provider and set the following:

    1. Name: PingOne

    2. Enter the entity ID (found as the entityID attribute in the .xml file downloaded in the previous section)

    3. Check the Enabled box

    4. Under the Metadata section, enter your IdP’s Metadata URL. This can be found under the Configuration tab, on your PingOne environment.

    5. Set Name Identifier Format to Email Address

    6. Enter the following attribute mappings under Basic User Fields:

      User Field Expression   SAML Attribute
      emailAddress            emailAddress
      firstName               firstName
      lastName                lastName
      screenName              screenName

    7. Click Save.

  7. Go back to the General tab and make sure the Enabled checkbox is checked. Click Save.

Validation

  1. Go to your Liferay instance in a new browser session, or sign out of your account.

  2. Click the Sign In button; you should be redirected to PingOne's login page.

  3. Enter the username and password for your user. You are now logged in.

  4. Sign back in with your Liferay administrator account. Navigate to Control Panel → Users and Organizations, and verify that the account was created in Liferay.

    Because this user has no roles assigned, logging in shows only the default view.

Conclusion

Congratulations! Users may now authenticate to your environment by using PingOne.

Tips and Troubleshooting

INVALID_ACS_URL

If you encounter ErrorCode: INVALID_ACS_URL, verify that your ACS URLs are configured correctly in PingOne, with the correct path and scheme (HTTP or HTTPS). You can find them in your PingOne account by navigating to the application you created → Configuration tab → Edit icon.
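The following added example (not part of the tutorial or of Liferay/PingOne) shows how to read the values step 6.2 above asks you to copy from the downloaded IdP metadata .xml (entityID, SSO/SLO endpoints, signing certificate) and how to check an ACS or SLO URL against the path and scheme rules behind INVALID_ACS_URL. The metadata document, host and certificate body are constructed placeholders, not real PingOne values.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# SAML metadata and XML-DSig namespaces used in the IdP metadata .xml.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ACS_PATH = "/c/portal/saml/acs"  # ACS URL path registered in PingOne per the tutorial

# Constructed stand-in for the metadata file downloaded from PingOne; the host,
# environment id and certificate body are placeholders, not real values.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://auth.pingone.example/ENV-ID-PLACEHOLDER">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC-PLACEHOLDER-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://auth.pingone.example/ENV-ID-PLACEHOLDER/saml20/idp/sso"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://auth.pingone.example/ENV-ID-PLACEHOLDER/saml20/idp/slo"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Pull out the values the Identity Provider Connection form asks for."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:  # an SP metadata file was downloaded by mistake
        raise ValueError("no IDPSSODescriptor in metadata")
    cert_path = "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    return {
        "entity_id": root.get("entityID"),  # goes into Liferay's Entity ID field
        "sso": {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)},
        "slo": {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleLogoutService", NS)},
        "signing_certs": [c.text.strip() for c in idp.findall(cert_path, NS)],  # verifies signatures
        "nameid_formats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS)],
    }

def check_sp_url(url, expected_path=ACS_PATH):
    """List the mismatches behind INVALID_ACS_URL: wrong scheme or wrong path."""
    p = urlparse(url)
    problems = []
    if p.scheme != "https":  # SSL Required is enabled on the Liferay side
        problems.append("scheme is %r, expected https" % p.scheme)
    if p.path != expected_path:  # must match the ACS URL path entered in PingOne
        problems.append("path is %r, expected %r" % (p.path, expected_path))
    return problems
```

Run parse_idp_metadata on the real downloaded file to confirm the entityID and that the HTTP-POST SLO binding you selected in PingOne is actually advertised; an empty list from check_sp_url means the URL matches what the tutorial expects.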