Recipe
Published August 06, 2024

Integrate Okta with Liferay DXP using OpenID Connect

Recipes are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve Recipes!

Introduction

This recipe guides you through the steps to integrate Okta, your Identity Provider (IdP), with your Liferay environment using OpenID Connect.

Prerequisites

  • Okta Dev account

  • Liferay DXP environment

  • Administrative access to Okta Admin Console

  • Administrative access to Liferay's Control Panel

Steps

  1. Log in to Okta Dev and navigate to Applications → Add Application → Create App Integration.

  2. Select OIDC - OpenID Connect, under Sign-in method, and Web Application, under Application type.

  3. Enter Liferay DXP - OIDC as the app integration name.

  4. For grant types, select Authorization Code and Refresh Token.

  5. Enter https://[your_instance_url]/c/portal/login/openidconnect for the sign-in redirect URIs.

  6. Enter https://[your_instance_url] for the sign-out redirect URIs.

  7. Under assignments, select Skip group assignment for now.

  8. Click Save.

  9. On the Assignments tab, assign users to this application.

  10. Note: Make sure to assign yourself and provision your own user account so that you will still be able to log in as the Liferay administrator.

  11. Now obtain the endpoint URLs: In your Okta Dev account, go to the side panel and navigate to Security → API.

  12. Under the “Authorization Servers” tab, locate the server named default and click on it to edit its configuration.

  13. Click on the "Metadata URI" link, which typically looks like this: https://dev-123456.okta.com/oauth2/default/.well-known/oauth-authorization-server.

  14. This metadata document gives you the necessary URLs, with the exception of the /userinfo endpoint. You can construct that endpoint by combining your base URL with the Auth Server name. For example: https://dev-123456.okta.com/oauth2/default/v1/userinfo.

  15. Now configure the Liferay DXP instance: On your DXP instance, navigate to Global Menu → Control Panel → Instance Settings → Security → SSO.

  16. Go to the OpenID Connect Provider Connection tab and add a new connection entry.

  17. Fill in the fields with the data you find at the endpoint URLs, as shown in the table below.

    Field                          Data
    Provider Name                  Okta OIDC
    Scopes                         scopes_supported
    Authorization Endpoint         authorization_endpoint URL
    Issuer URL                     issuer URL
    JWKS URI                       jwks_uri URL
    Subject Types                  subject_types_supported
    Token Endpoint                 token_endpoint URL
    User Information Endpoint      Combine your base URL with the Auth Server name, for example https://dev-123456.okta.com/oauth2/default/v1/userinfo
    OpenID Connect Client ID       Found under your application's General tab in Okta
    OpenID Connect Client Secret   Found under your application's General tab in Okta

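Steps 11 through 17 are a copy-and-paste exercise from the Okta metadata document into the Liferay form. The script below is an added example (not part of the recipe and not Liferay's or Okta's code) that does the same mapping over a constructed metadata sample, builds the missing /userinfo endpoint from the issuer, and runs the sanity checks a practitioner would want before saving the connection: all required keys present, HTTPS issuer, every endpoint on the issuer's host, the Authorization Code and Refresh Token grants from step 4 actually supported, and the openid scope available. Assumptions: the Okta issuer for a custom authorization server is already "base URL + /oauth2/<server name>", and the Liferay Scopes and Subject Types fields take space-separated lists. The dev-123456 domain is the recipe's placeholder; the client ID and secret are placeholders too.

```python
import json
from urllib.parse import urlparse

# Constructed sample of the JSON returned by Okta's metadata URI for the
# "default" authorization server (dev-123456 is the recipe's placeholder domain).
# Like the real oauth-authorization-server document, it has no userinfo_endpoint.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://dev-123456.okta.com/oauth2/default",
    "authorization_endpoint": "https://dev-123456.okta.com/oauth2/default/v1/authorize",
    "token_endpoint": "https://dev-123456.okta.com/oauth2/default/v1/token",
    "jwks_uri": "https://dev-123456.okta.com/oauth2/default/v1/keys",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
    "subject_types_supported": ["public"],
    "grant_types_supported": ["authorization_code", "refresh_token", "implicit"],
})

# Metadata keys that the recipe's table maps onto Liferay fields.
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint",
                 "jwks_uri", "scopes_supported", "subject_types_supported")

# Grant types the recipe enables on the Okta app integration (step 4).
REQUIRED_GRANTS = ("authorization_code", "refresh_token")


def userinfo_endpoint(issuer):
    """Build the /userinfo URL that the metadata document omits.

    Assumption: for an Okta custom authorization server the issuer is already
    "<base URL>/oauth2/<server name>", so appending /v1/userinfo yields the URL
    the recipe describes (https://dev-123456.okta.com/oauth2/default/v1/userinfo).
    """
    return issuer.rstrip("/") + "/v1/userinfo"


def validate_metadata(metadata):
    """Raise ValueError if the metadata is unsuitable for the Liferay connection."""
    missing = [key for key in REQUIRED_KEYS if key not in metadata]
    if missing:
        raise ValueError("metadata is missing required keys: " + ", ".join(missing))
    issuer = urlparse(metadata["issuer"])
    if issuer.scheme != "https":
        raise ValueError("issuer must use https; tokens and the client secret travel over these endpoints")
    # Every endpoint should live on the issuer's host; a mismatch usually means
    # values were copied from a different authorization server.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        host = urlparse(metadata[key]).netloc
        if host != issuer.netloc:
            raise ValueError(f"{key} host {host!r} does not match issuer host {issuer.netloc!r}")
    grants = metadata.get("grant_types_supported")
    if grants is not None:
        lacking = [g for g in REQUIRED_GRANTS if g not in grants]
        if lacking:
            raise ValueError("authorization server does not advertise: " + ", ".join(lacking))
    if "openid" not in metadata["scopes_supported"]:
        raise ValueError("the openid scope is required for OpenID Connect")


def liferay_connection_fields(metadata_json, client_id, client_secret, provider_name="Okta OIDC"):
    """Map the metadata document onto the Liferay OpenID Connect Provider Connection fields.

    Keys are the field labels from the recipe's table. Lists are joined with
    spaces (assumed format of the Liferay Scopes and Subject Types fields).
    """
    metadata = json.loads(metadata_json)
    validate_metadata(metadata)
    return {
        "Provider Name": provider_name,
        "Scopes": " ".join(metadata["scopes_supported"]),
        "Authorization Endpoint": metadata["authorization_endpoint"],
        "Issuer URL": metadata["issuer"],
        "JWKS URI": metadata["jwks_uri"],
        "Subject Types": " ".join(metadata["subject_types_supported"]),
        "Token Endpoint": metadata["token_endpoint"],
        "User Information Endpoint": userinfo_endpoint(metadata["issuer"]),
        "OpenID Connect Client ID": client_id,
        "OpenID Connect Client Secret": client_secret,
    }


if __name__ == "__main__":
    # Client ID and secret come from the app's General tab in Okta; placeholders here.
    fields = liferay_connection_fields(SAMPLE_METADATA, "<client id>", "<client secret>")
    for field, value in fields.items():
        shown = "(not shown)" if field == "OpenID Connect Client Secret" else value
        print(f"{field:30} {shown}")
```

To use it against a real tenant, fetch the metadata URI from step 13 with any HTTP client and pass the response body as `metadata_json`; the field names printed are the ones in the Liferay form, so you can fill the form line by line. A ValueError before anything is saved is cheaper than debugging a failed sign-in afterwards.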
  18. Enable OpenID Connect: Navigate to Global Menu → Control Panel → Configuration → Instance Settings.

  19. Click on SSO under the security section.

  20. Go to the OpenID Connect tab, click the Enabled checkbox and click Save.

  21. To validate the configuration, in your Liferay DXP instance, click on the Sign In button and choose OpenId Connect.

  22. Note: By default, Liferay DXP requires new users to verify their email address upon first login. This requires Liferay DXP to have a configured connection to a mail server in order to send the verification emails. To disable this requirement, navigate to Control Panel → Instance Settings → Platform → User Authentication and unselect the checkbox for "Require strangers to verify their email address".

  23. Choose Client to Okta OIDC from the list.

  24. You are redirected to sign in to Liferay DXP using your Okta account.

Conclusion

Your Liferay installation now supports authentication using Okta and OpenID Connect!

Tips

Sign-in and Sign-out Redirect URIs

If you encounter a "400 Bad Request" error, verify that your sign-in and sign-out redirect URIs are configured correctly in Okta with the appropriate path and protocol (HTTP or HTTPS). You can find them in your Okta Dev account by navigating to the application you created → General tab → General Settings → Login section.
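Okta compares redirect URIs exactly, so the "400 Bad Request" above is usually a one-character difference (http instead of https, a trailing slash, a missing port). The added example below (not part of the recipe) builds the sign-in and sign-out URIs from a Liferay base URL exactly as steps 5 and 6 do, then reports which URL components differ between what is configured in Okta and what Liferay will send. The liferay.example.com host is a constructed placeholder.

```python
from urllib.parse import urlparse

# Redirect path Liferay DXP uses for OpenID Connect logins (step 5 of the recipe).
SIGN_IN_PATH = "/c/portal/login/openidconnect"


def expected_redirect_uris(instance_url):
    """Return (sign-in URI, sign-out URI) for a Liferay base URL, as in steps 5 and 6."""
    base = instance_url.rstrip("/")
    return base + SIGN_IN_PATH, base


def diagnose_redirect_uri(configured, expected):
    """List the components in which the URI configured in Okta differs from the expected one.

    Okta requires an exact match, so scheme, host, port, path and query all count.
    An empty list means the two URIs are identical.
    """
    got, want = urlparse(configured), urlparse(expected)
    problems = []
    if got.scheme != want.scheme:
        problems.append(f"scheme: {got.scheme or '(none)'} configured, {want.scheme} expected")
    if got.hostname != want.hostname:
        problems.append(f"host: {got.hostname} configured, {want.hostname} expected")
    if got.port != want.port:
        problems.append(f"port: {got.port} configured, {want.port} expected")
    if got.path != want.path:
        problems.append(f"path: {got.path!r} configured, {want.path!r} expected (trailing slashes count)")
    if got.query != want.query:
        problems.append(f"query: {got.query!r} configured, {want.query!r} expected")
    return problems


if __name__ == "__main__":
    sign_in, sign_out = expected_redirect_uris("https://liferay.example.com")
    # Constructed misconfiguration: the Okta entry was typed with http and a trailing slash.
    for problem in diagnose_redirect_uri("http://liferay.example.com/c/portal/login/openidconnect/", sign_in):
        print("sign-in redirect URI mismatch ->", problem)
    print("sign-out redirect URI should be:", sign_out)
```

Run it with the URI copied from the Okta application's General tab as `configured` and your instance URL as the input to `expected_redirect_uris`; each reported line is one field to correct in Okta.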

Estimated time: 15 Minutes
