
SAML


Liferay and Single Sign On (SSO) – What’s here and what’s coming
By Mark Polly on October 8th, 2012

SSO within Liferay can be implemented via SAML, OAuth, CAS or OpenID. Liferay has supported CAS and OpenID for a couple of versions. SAML is new in 6.1 and OAuth is in the development stage. Liferay Portal supports SAML 2.0 through a plug-in. The plug-in is available for the EE version and is not available in the free Community Edition of Liferay Portal. For OAuth, Liferay can act as an OAuth client, but not as a service provider.

Liferay built the SAML 2.0 plug-in on OpenSAML. In the current version of Liferay (6.1), configuration is done through preferences and XML files. For SAML, Liferay 6.2 adds the following features:

* A GUI to configure endpoints
* Caching of metadata (this is a problem in 6.1 now because data is pre-loaded for >50 endpoints)
* Manual reload of metadata
* HTTP-based Single Logout (only SOAP in 6.1)
* Assertions containing user Sites (in 6.1), Site Roles, User Group Roles and Expando (in 6.1)

OAuth is configured through the OAuth portlet.

Liferay SAML Single Sign-On Integration — AssureBridge, Inc.
The AssureBridge SAMLConnect™ service provides a powerful solution that will allow you to quickly, easily, and reliably enable single sign-on (SSO) to or from a Liferay portal.

We support both CE and EE of the Liferay product. The AssureBridge Liferay SSO adapter is pre-integrated into the Liferay portal and offers the following features:

* Enables Liferay for inbound or outbound SSO connections using standard protocols such as SAML 1.1, SAML 2.0, OpenID or WS-Federation
* SP-initiated Login
* IDP-initiated Login
* SP-initiated Logout
* IDP-initiated Logout
* Allows user profile information (e.g. email, nickname, job title) to be passed securely into the Liferay database as part of the single sign-on experience
* Allows Liferay user information to be synchronized with external systems
* Supports a number of hooks to customize login and logout behavior
* Custom IDP partner name provider for the SP to map incoming requests to the partner IDP

For more details and a demo please contact us directly.

Why you should not use CAS 3.5.1 as SAML 2.0 Identity Provider (Technical Notes)
Last week I spent some time investigating the SAML 2.0 support of Central Authentication Service 3.5.1 (the latest version of CAS at the moment of writing). The results were disappointing.

CAS was developed by Yale University in the early 2000s and was donated to open source in 2004. It is primarily used in academic networks, but its use has now extended to the enterprise world. Initial versions of CAS were built around their own custom interoperability protocol. The skeleton for SAML 2.0 support was implemented around 2003. But even if you don’t really care about spec compatibility, the SAML 2.0 implementation of CAS is extremely limited and is not fully secure. First, the CAS implementation does not support SAML 2.0 metadata. As another implication of the missing metadata notion, CAS will not have a pre-configured return URL for each SP and will rely on the “AssertionConsumerServiceURL” request attribute.

The content of the resulting response is also far from perfect.

I Hate SAML! | /sys/toilet
Lately I’ve been working a lot with SAML, and I have to say it’s an extremely complex and obfuscated protocol. The best analogy I can come up with uses our infamous light bulb jokes. (“How many programmers does it take?”) SAML is like building a mini nuclear reactor to power a light bulb in your office. It’s certainly geeky, but what the fuck is the point? You’ve over-engineered something that should be very simple: Single Sign-On. Besides that point, who the hell cares about SSO? OAuth is a different story. No, the reason SAML exists and has amazing support is due to one thing: politics. There are so many rotten things about this protocol. I really despise XML as a data protocol.

For implementations of the SAML protocol, we have two primary choices in the open source (free) world: Shibboleth and ZXID. I’ve eventually found myself in a mixed-up environment, using Shibboleth as an IdP and writing my own SP implementation using the ZXID libraries. Forget about support with Shibboleth.

Consortium - OpenSAML-Java
OpenSAML-Java is a low-level library written in Java that provides support for producing and consuming SAML messages, creating and evaluating digitally signed and encrypted content, and working with SAML bindings. Extensive support for consuming SAML metadata is also provided, along with an API for establishing security policies around the consumption of SAML messages. This library is intended for people needing to write SAML identity providers, service providers, and certain types of advanced clients.

It is not by itself an implementation of any of those things, and developers are strongly encouraged to evaluate existing products before creating their own, as doing so is a lot of work and prone to error unless you have significant expertise in SAML. The low-level nature of the library and the lack of documentation make the software a poor choice for beginners or those without an extensive background in the area.

* Java bean APIs for constructing and interrogating SAML messages

Home - OpenSAML 2.x - Confluence

Welcome to the OpenSAML website. OpenSAML is a set of open source C++ & Java libraries meant to support developers working with the Security Assertion Markup Language (SAML). OpenSAML 2, the current version, supports SAML 1.0, 1.1, and 2.0. Additionally, various development groups have found the framework created to support OpenSAML 2 useful for their own work. We are in the process of integrating their code supporting WS-Addressing, WS-Security, WS-Trust and XACML. The OpenSAML libraries do not provide a complete SAML identity or service provider. Before starting you may wish to check the Frequently Asked Questions.

Projects Using OpenSAML
The following projects are those that we know to be using OpenSAML.

Thanks to...
The following organizations have provided substantial resources to the development of OpenSAML over the years:

* The Ohio State University
* Georgetown University
* Internet2
* NSF Middleware Initiative
* SWITCH
* EGEE

Saml-iis.html
By Alex Rykov, 04/04/2007
Implementing single sign-on (SSO) for several sites is a problem that has a multitude of variations and quite a few solutions. Security Assertion Markup Language (SAML) has emerged in the last five years to address this problem in a standard way, and BEA WebLogic Server 9 offers extensive support for it.

Unfortunately, simple SAML configuration examples, especially for cross-platform scenarios, are hard to come by. This tutorial describes a simple SAML SSO scenario between Microsoft Internet Information Services Server (IIS) and BEA WebLogic Server 9.

Introduction
Recently, I did some work for a customer who decided to add WebLogic Portal 9 into a predominantly ASP.NET Web infrastructure. In the past, that would have meant a lot of work—probably writing another clunky security provider. SAML is an XML-based standard for communicating user authentication, entitlement, and attribute information.

Solution
[Figure 1. Protecting a Web Application]
Key Pair
[Example 1.]

Top 20 NuGet packages for SAML - NuGet Must Haves

An Open Source ASP.NET SAML2 Service Provider | Passion for Coding
I’m happy to announce an open source ASP.NET SAML2 Service Provider. SAML2 is a common standard for single sign-on in enterprise environments. A Service Provider in SAML2 is a web site that allows log on through a SAML2 Identity Provider (IdP).

Implementing a Service Provider requires issuing authentication requests (AuthnRequest) and handling the returned response. At Kentor we have seen an increase in the demand for SAML2 authentication from our customers. When doing a recent project we didn’t find any suitable component, so we had to roll our own. Knowing that we would need to do this more times for other applications, we decided to write a more general, standalone component that we can reuse in other projects. We are now also releasing it as open source for anyone to use for free. The library is hosted at GitHub and is released under an LGPL license.

The core part of the library is the Saml2AuthenticationModule IIS module that handles the authentication.

Saml 2.0 - SSO using SAML2.0 in asp.net

Configure SSO in Liferay with OKTA using SAML 2.0 protocol - Blog
In this blog, I am listing the steps to configure SSO in Liferay with OKTA using the SAML 2.0 protocol. OKTA is an enterprise-grade identity management service, built from the ground up in the cloud. The Okta identity management service provides directory services, SSO, strong authentication, provisioning, workflow and built-in reporting. If you are not familiar with SAML, check out the awesome blog by Mika Koivisto. I used Liferay 6.1 EE GA2 bundled with Tomcat in this exercise. I followed these steps:

Create account at for enterprise trial.
3.
4.
5.
6.
7. Save the content of the IDP metadata into the octametadata.xml file.

Now we are done with the OKTA (IDP) configuration setup.

Configuration at Liferay (SP) Side:
Extract the Liferay bundle into some location.
4. Generate the SP signing key pair:

    keytool -genkeypair -alias samlspdemo -keyalg RSA -keysize 2048 -keypass password -keystore data/keystoresp.jks

5. SAML properties for the SP:

    saml.role=sp
    saml.entity.id=samlspdemo
    saml.metadata.paths={location of saved octametadata.xml}
    #
    # Keystore
    #
    saml.keystore.type=jks

Getting started with Liferay SAML 2.0 Identity Provider - Blog

Liferay 6.1 EE comes with SAML 2.0 Identity Provider and Service Provider support via the SAML plugin. If you are not familiar with SAML, check out my Introduction to SAML presentation slides. In this post we will configure Liferay to be a SAML Identity Provider and configure Salesforce to be a Service Provider. After we are done we have a user that can move from Liferay to Salesforce without being required to authenticate on Salesforce.

You’ll need the following things to complete this by yourself:

* Liferay Portal 6.1 EE GA1 Tomcat bundle
* SAML Portlet WAR
* Salesforce developer account (you can sign up here for free)

The first thing to do is download and install Liferay. Then generate the IdP signing key pair:

    keytool -genkeypair -alias liferaysamlidpdemo -keyalg RSA -keysize 2048 -keypass liferay -storepass liferay -keystore data/keystore.jks

You’ll be asked to provide some information that will be in the certificate with the public key:

    What is your first and last name?

The next step is to add the SAML configuration to your portal-ext.properties.

<?

Introduction to SAML 2.0