
Getting started with Liferay SAML 2.0 Identity Provider

Company Blogs, 27 February 2012, by Mika Koivisto (Staff)

Liferay 6.1 EE comes with SAML 2.0 Identity Provider and Service Provider support via the SAML plugin. If you are not familiar with SAML, check out my Introduction to SAML presentation slides.

In this post we will configure Liferay to be a SAML Identity Provider and Salesforce to be a Service Provider. When we are done, a user will be able to move from Liferay to Salesforce without having to authenticate on Salesforce again.

You'll need the following things to complete this yourself:

* Liferay Portal 6.1 EE GA1 Tomcat bundle
* SAML Portlet WAR
* Salesforce developer account. You can sign-up here for free.

The first thing to do is download and install Liferay. If you need help configuring Liferay, refer to the Liferay 6.1 User Guide. Once that is done you'll need to configure the SAML identity provider before deploying the plugin. The IdP needs a private and public key pair for signing SAML messages, and it uses a Java keystore to store them. We'll create the keystore and the key pair using keytool, which is part of the JDK. You need to pick a unique entity id for your IdP and a password that protects both the keystore and the private key. In this example we'll use liferaysamlidpdemo as the entity id and liferay as the password for both the keystore and the key. The keystore is created in LIFERAY_HOME/data/keystore.jks, as this is the default location where the SAML plugin will look for it. You can also configure the location and type of the keystore, and we'll do that here just for reference.

keytool -genkeypair -alias liferaysamlidpdemo -keyalg RSA -keysize 2048 -keypass liferay -storepass liferay -keystore data/keystore.jks

You’ll be asked to provide some information that will be in the certificate with the public key.

What is your first and last name?
  [Unknown]:  Liferay SAML IdP Demo
What is the name of your organization?
  [Unknown]:  Liferay SAML IdP Demo
What is the name of your City or Locality?
  [Unknown]: 
What is the name of your State or Province?
  [Unknown]: 
What is the two-letter country code for this unit?
  [Unknown]: 
Is CN=Liferay SAML IdP Demo, OU=Unknown, O=Liferay SAML IdP Demo, L=Unknown, ST=Unknown, C=Unknown correct?
  [no]:  yes

The next step is to add the SAML configuration to your portal-ext.properties.

saml.enabled=true
saml.role=idp
saml.entity.id=liferaysamlidpdemo
saml.require.ssl=false
saml.sign.metadata=true

saml.idp.authn.request.signature.required=true

saml.keystore.path=${liferay.home}/data/keystore.jks
saml.keystore.password=liferay
saml.keystore.type=jks

saml.keystore.credential.password[liferaysamlidpdemo]=liferay

Now you can deploy the SAML plugin by copying it to LIFERAY_HOME/deploy and starting up Tomcat. Wait for the saml-portlet to be deployed and available, then open http://localhost:8080/c/portal/saml/metadata. If you have configured everything correctly you should see IdP metadata similar to the one below. I've just shortened the data in the signature and certificate elements.

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="liferaysamlidpdemo">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
   <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
   <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
   <ds:Reference URI="">
    <ds:Transforms>
     <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:DigestValue>mVKz/Tv6o40+SrEF595+Gedmoo8=</ds:DigestValue>
   </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>AAJsDF8dJv5XQw6Ty1MSg7 … OXvQw==</ds:SignatureValue>
  <ds:KeyInfo>
   <ds:X509Data>
    <ds:X509Certificate>MIIDjjCCAnagAwIB… </ds:X509Certificate>
   </ds:X509Data>
  </ds:KeyInfo>
</ds:Signature>
<md:IDPSSODescriptor ID="liferaysamlidpdemo"
  WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing">
   <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:X509Data>
     <ds:X509Certificate>MIIDjj …</ds:X509Certificate>
    </ds:X509Data>
   </ds:KeyInfo>
  </md:KeyDescriptor>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="http://localhost:8080/c/portal/saml/slo_redirect"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="http://localhost:8080/c/portal/saml/sso"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="http://localhost:8080/c/portal/saml/sso"/>
</md:IDPSSODescriptor>
</md:EntityDescriptor>
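As an added check (example code written for this post, not part of the SAML plugin), the following Python script parses IdP metadata shaped like the document above using only the standard library and reports what an SP operator should review before trusting it: the entity id, whether AuthnRequests must be signed (the metadata side of saml.idp.authn.request.signature.required), the published signing certificate, the SSO/SLO endpoints, and two weaknesses visible in this demo, the SHA-1 based signature algorithms and the plain-http localhost endpoints that follow from saml.require.ssl=false. The embedded metadata is a constructed sample with placeholder digest, signature and certificate values.

```python
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample modelled on the IdP metadata shown above. The digest,
# signature and certificate values are placeholders, not real key material.
SAMPLE_IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="liferaysamlidpdemo">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>PLACEHOLDERDIGEST=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDERSIGNATURE==</ds:SignatureValue>
  </ds:Signature>
  <md:IDPSSODescriptor ID="liferaysamlidpdemo" WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIDjjPLACEHOLDERCERT</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://localhost:8080/c/portal/saml/slo_redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://localhost:8080/c/portal/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:8080/c/portal/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# SHA-1 based XML-DSig algorithms: widely accepted by SAML stacks of this era
# but deprecated; flag them so the relying party can insist on SHA-256.
SHA1_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#sha1",
}


def parse_idp_metadata(xml_text):
    """Extract the facts an SP operator needs from a SAML 2.0 IdP EntityDescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor: %s" % root.tag)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this metadata does not describe an IdP")
    sig_method = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    digest_method = root.find("ds:Signature/ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)
    info = {
        "entity_id": root.get("entityID"),
        "signed": root.find("ds:Signature", NS) is not None,
        "signature_alg": sig_method.get("Algorithm") if sig_method is not None else None,
        "digest_alg": digest_method.get("Algorithm") if digest_method is not None else None,
        "want_authn_requests_signed": idp.get("WantAuthnRequestsSigned") == "true",
        "signing_certs": [],
        "sso": {},  # binding URN -> Location
        "slo": {},
    }
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a "use" attribute is valid for both signing and encryption.
        if kd.get("use", "signing") == "signing":
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                info["signing_certs"].append(re.sub(r"\s+", "", cert.text or ""))
    for el in idp.findall("md:SingleSignOnService", NS):
        info["sso"][el.get("Binding")] = el.get("Location")
    for el in idp.findall("md:SingleLogoutService", NS):
        info["slo"][el.get("Binding")] = el.get("Location")
    return info


def review_idp_metadata(info):
    """Return review findings: things to fix before an SP should trust this IdP."""
    findings = []
    if not info["signed"]:
        findings.append("metadata is unsigned (set saml.sign.metadata=true)")
    for alg in (info["signature_alg"], info["digest_alg"]):
        if alg in SHA1_ALGORITHMS:
            findings.append("SHA-1 based algorithm in metadata signature: " + alg)
    if not info["want_authn_requests_signed"]:
        findings.append("WantAuthnRequestsSigned is false: unsigned AuthnRequests will be accepted")
    if not info["signing_certs"]:
        findings.append("no signing certificate published; SPs cannot verify assertions")
    for kind in ("sso", "slo"):
        for binding, location in sorted(info[kind].items()):
            if not location.lower().startswith("https://"):
                findings.append("%s endpoint over plain http (%s): %s"
                                % (kind.upper(), binding.rsplit(":", 1)[-1], location))
    return findings


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print("entityID:", meta["entity_id"])
    for finding in review_idp_metadata(meta):
        print(" -", finding)
```

Run against the real metadata URL output once the plugin is deployed; every finding except the localhost ones should be empty before an SP is pointed at the IdP.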

Even though the IdP is configured and functioning, it's not very useful yet because there are no Service Providers configured. For this example we are going to use a Salesforce developer account to demonstrate single sign-on between Liferay and Salesforce. If you haven't already signed up for a Salesforce developer account, do it here.

We'll need to export the certificate from the keystore because Salesforce doesn't know how to read SAML metadata.

keytool -export -alias liferaysamlidpdemo -file liferaysamlidpdemo.crt -keystore data/keystore.jks -storepass liferay -keypass liferay

Now log in to your Salesforce developer account here. On your dashboard, click on Setup.

Then click on Security Controls > Single Sign-On Settings under Administration Setup.

Then click on Edit.

Here are the settings you need:

* SAML Enabled: checked.
* SAML Version: 2.0
* Issuer: liferaysamlidpdemo (this is the entity id of the IdP)
* Identity Provider Certificate: liferaysamlidpdemo.crt, which you exported earlier.
* Identity Provider Login URL: http://localhost:8080/c/portal/saml/sso
* SAML User ID Type: select "Assertion contains User's salesforce.com username"
* SAML User ID Location: select "User ID is in the NameIdentifier element of the Subject statement"
* Identity Provider Logout URL: http://localhost:8080/c/portal/logout (Salesforce does not support the SAML Single Logout Profile)

Verify that your settings are correct and then click on Download Metadata. Also note the Entity Id, as this will be needed on the IdP side.

Move the downloaded metadata XML to LIFERAY_HOME/data/saml/salesforce-metadata.xml. Now we need to configure the IdP to know about this Service Provider. This is done by telling the SAML plugin, in portal-ext.properties, where to find the SAML metadata for Salesforce.

saml.metadata.paths=${liferay.home}/data/saml/salesforce-metadata.xml

If your Salesforce Entity Id is not https://saml.salesforce.com you'll also need to add the following lines to your portal-ext.properties. Note that I'm using https://saml.salesforce.com as the entity id, but you would replace it with whatever Salesforce reported it to be.

saml.idp.metadata.attributes.enabled[https\://saml.salesforce.com]=true
saml.idp.metadata.attribute.names[https\://saml.salesforce.com]=
saml.idp.metadata.name.id.format[https\://saml.salesforce.com]=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
saml.idp.metadata.salesforce.attributes.enabled[https\://saml.salesforce.com]=true
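To catch the usual mistakes in this configuration before restarting Tomcat (a saml.keystore.credential.password key that does not match saml.entity.id, an empty saml.metadata.paths so no SP is registered, saml.require.ssl left at false), here is an added Python linter for the SAML section of portal-ext.properties. It is example code, not part of Liferay; the embedded properties are the ones from this post, while the 12-character password threshold and the /opt/liferay home directory are assumptions made for the example.

```python
import re

# Constructed sample: the IdP properties from this post plus the Salesforce SP
# registration, as they would sit together in portal-ext.properties.
SAMPLE_PORTAL_EXT = r"""
saml.enabled=true
saml.role=idp
saml.entity.id=liferaysamlidpdemo
saml.require.ssl=false
saml.sign.metadata=true

saml.idp.authn.request.signature.required=true

saml.keystore.path=${liferay.home}/data/keystore.jks
saml.keystore.password=liferay
saml.keystore.type=jks

saml.keystore.credential.password[liferaysamlidpdemo]=liferay

saml.metadata.paths=${liferay.home}/data/saml/salesforce-metadata.xml

saml.idp.metadata.attributes.enabled[https\://saml.salesforce.com]=true
saml.idp.metadata.attribute.names[https\://saml.salesforce.com]=
saml.idp.metadata.name.id.format[https\://saml.salesforce.com]=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
saml.idp.metadata.salesforce.attributes.enabled[https\://saml.salesforce.com]=true
"""

# Liferay's per-entity properties look like base.key[entity-id]
INDEXED_KEY = re.compile(r"^(?P<base>[^\[\]]+)\[(?P<index>[^\]]+)\]$")

# Assumed local policy for this example, not a Liferay requirement.
MIN_PASSWORD_LEN = 12


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments, and
    the backslash escapes Liferay uses for ':' and '=' inside indexed keys."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        props[key.strip().replace("\\:", ":").replace("\\=", "=")] = value.strip()
    return props


def registered_sps(props):
    """Entity ids of SPs that have per-SP IdP settings (saml.idp.metadata.*[entity-id])."""
    sps = set()
    for key in props:
        m = INDEXED_KEY.match(key)
        if m and m.group("base").startswith("saml.idp.metadata."):
            sps.add(m.group("index"))
    return sorted(sps)


def lint_saml_idp_properties(props, liferay_home="/opt/liferay"):
    """Return (resolved settings, findings) for an IdP configuration."""
    findings = []
    expected = {
        "saml.enabled": "true",
        "saml.role": "idp",
        "saml.sign.metadata": "true",
        "saml.idp.authn.request.signature.required": "true",
    }
    for key, value in expected.items():
        if props.get(key) != value:
            findings.append("%s should be %s (got %r)" % (key, value, props.get(key)))
    if props.get("saml.require.ssl") != "true":
        findings.append("saml.require.ssl is not true: SAML endpoints will be served over plain http")
    entity_id = props.get("saml.entity.id")
    if not entity_id:
        findings.append("saml.entity.id is missing")
    else:
        cred_key = "saml.keystore.credential.password[%s]" % entity_id
        if cred_key not in props:
            findings.append("no %s: the IdP cannot unlock its signing key" % cred_key)
    password_keys = ["saml.keystore.password"] + [
        k for k in props if k.startswith("saml.keystore.credential.password[")]
    for key in password_keys:
        if len(props.get(key, "")) < MIN_PASSWORD_LEN:
            findings.append("%s is shorter than %d characters" % (key, MIN_PASSWORD_LEN))
    paths = [p.strip().replace("${liferay.home}", liferay_home)
             for p in props.get("saml.metadata.paths", "").split(",") if p.strip()]
    if not paths:
        findings.append("saml.metadata.paths is empty: no Service Provider is registered")
    keystore = props.get("saml.keystore.path", "").replace("${liferay.home}", liferay_home)
    resolved = {"keystore": keystore, "metadata_paths": paths, "sps": registered_sps(props)}
    return resolved, findings


if __name__ == "__main__":
    resolved, findings = lint_saml_idp_properties(parse_properties(SAMPLE_PORTAL_EXT))
    print(resolved)
    for finding in findings:
        print(" -", finding)
```

For the configuration in this post the linter reports exactly the three things a demo setup tolerates and a production one should not: SSL not required and two seven-character passwords.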

If you still had Tomcat running, restart it so that the new property values are read. Then log in as test@liferay.com / test. Now click on Manage > Site Pages, click on Add Page and enter the following values:

Name: Salesforce
Type: URL
URL: /c/portal/saml/sso?entityId=https://saml.salesforce.com

Notice that the entityId is the same Entity Id that was shown on the Salesforce Single Sign-On configuration page.

Go to the Control Panel and add a new user with the same email address as your Salesforce developer account. Sign out and log in with that new account. Now click on the Salesforce page link. If everything was configured correctly you are redirected to Salesforce and signed in with your developer account. If you want to be redirected to some page other than the home page, you can add a URL parameter RelayState with the URL of the page you want to be redirected to as its value. For example, the URL could look like this: /c/portal/saml/sso?entityId=https://saml.salesforce.com&RelayState=/006/o. This would take me directly to my Opportunities page.
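The SSO link above carries entityId and RelayState unencoded, and RelayState is a redirect target: whatever value sits in the link is where the user lands after login. Whether a given IdP or SP honours an absolute URL there is implementation-specific, so the safest place to enforce it is where the link is built. The added helper below (example code, not from Liferay) builds the same IdP-initiated link with both parameters percent-encoded and only accepts a site-relative RelayState such as /006/o.

```python
from urllib.parse import urlencode

# IdP-initiated SSO endpoint of the Liferay SAML plugin, as used in this post.
SSO_PATH = "/c/portal/saml/sso"


def is_safe_relay_state(relay_state):
    """Accept only a site-relative path such as /006/o: exactly one leading slash
    (so no scheme and no protocol-relative //host), and no backslashes or control
    characters that some user agents would reinterpret."""
    if not relay_state.startswith("/") or relay_state.startswith("//"):
        return False
    if "\\" in relay_state:
        return False
    return all(0x20 <= ord(c) != 0x7F for c in relay_state)


def build_idp_initiated_sso_url(portal_base, sp_entity_id, relay_state=None):
    """Build the link for a 'Salesforce' URL page: entityId selects the SP
    registered through saml.metadata.paths, RelayState is the post-login page.
    Raises ValueError rather than emitting a link that redirects off-site."""
    params = [("entityId", sp_entity_id)]
    if relay_state is not None:
        if not is_safe_relay_state(relay_state):
            raise ValueError("RelayState must be a site-relative path, got %r" % relay_state)
        params.append(("RelayState", relay_state))
    # urlencode percent-encodes ':' and '/', which servlet parameter decoding reverses.
    return portal_base.rstrip("/") + SSO_PATH + "?" + urlencode(params)


if __name__ == "__main__":
    print(build_idp_initiated_sso_url("http://localhost:8080", "https://saml.salesforce.com", "/006/o"))
```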

Now sign out from Salesforce and you will be taken back to Liferay and logged out from Liferay as well. If you now click on the Salesforce page, it will present you with the Liferay login page and, after login, take you to Salesforce.

Update: If you need to set up Liferay as an SP, check out my colleague's post Setting up Liferay as Service Provider.

Thread replies

Where can I download the SAML Portlet WAR? -- Thanks
Posted on 28/02/12 11:26.
It's available in Customer Portal like all EE plugins.
Posted on 28/02/12 11:28 in reply to steven zhao.
Cool! Thanks Mika!
Posted on 28/02/12 13:53.
Thanks Mika. I got the SAML WAR and it works like a charm! Just one more question. How do I use Liferay as IdP to connect to two SPs? Say one is Salesforce and another is Google App. And I would use different Liferay user fields other than email address as SSO subject, or two different email addresses, one for Salesforce, one for Google App.
Posted on 29/02/12 09:37.
Cool..thnx Mika for sharing this..
Posted on 01/03/12 11:19.
great job!
Posted on 02/03/12 01:52 in reply to Jay Patel.
Thanks Mika, Very useful blog.....
Posted on 14/03/12 01:53.
Works very well, however on logout from salesforce, it's redirected to /c/portal/logout
Posted on 20/03/12 04:28 in reply to Ankit Srivastava.
[...] I blogged about the Identity Provider setup few days ago. See Getting Started with Liferay SAML 2.0 Identity Provider. [...] Read More
Posted on 20/03/12 08:53.
Paul, that's because Salesforce does not support SAML Single Logout profile.
Posted on 20/03/12 08:53 in reply to Paul ..
Is Liferay SAML 2.0 IdP support only for the EE edition? Is it not available for CE?
Can CE be part of SP? Please let us know. Thank you.

-Anand
Posted on 25/03/12 18:18 in reply to Mika Koivisto.
The SAML plugin is for EE only.
Posted on 26/03/12 14:37 in reply to Anand Anandan.
I cannot find the SAML portlet war. I looked for the Customer Portal, but could not find that either. Is this available with the 30 day free trial of 6.1 EE? I found the liferay-asb-sso-hook-1.0.1.war, is this what I need? Whenever I hit, http://localhost:8080/c/portal/saml/metadata, it redirects me to http://localhost:8080. Thanks.
Posted on 01/05/12 08:45.
Sorry, I didn't realize the customer portal was for actual customers and not trial users. The sales office gave me access to the necessary jar. Thanks again.
Posted on 01/05/12 10:13 in reply to Doug Storms.
We tried to use it. It worked nicely, but not for us. We need to have both SAML and plain authentication available for users. Users must get forwarded to the login page where they can choose. This was not possible (read: we didn't find out how) to set up with the SAML plugin. When activated, all logins are redirected right to the SAML (federated) login page only.
Posted on 01/05/12 23:25 in reply to Doug Storms.
Can some one walk me thru the steps if we want to use our AD as the identity provider and use Liferay as the Service provider. This may help us to resolve our LDAP issue.
Posted on 15/05/12 16:22 in reply to Armaz Mellati.
I don't think AD by itself can be a SAML IdP, but with Microsoft's Active Directory Federation Server (ADFS) 2.0 I think you could do that. The principles are the same, but I can't help you with ADFS configuration as I've never used it.
Posted on 15/05/12 16:30 in reply to vipin bardia.
Hi Mika,

Thanks for the prompt response. I will try your suggestion with my seniors and if we succeed, will also update you.

Thanks,
Vipin Bardia
http://vkbardia.blogspot.in
Posted on 15/05/12 17:41 in reply to Mika Koivisto.
Good information. Thank you Mika
Posted on 23/05/12 11:32 in reply to Vipin Bardia.
Armaz Mellati, yeah the current version of the SP is very limited. I'll keep that in mind for the next version as I already had thought about adding support for multiple IdPs so that would fit right in with it.

Thanks everyone for your feedback. I'm always interested in hearing how and with what other SAML IdP or SP you are using it with. Also I'm very interested in hearing what features you think it's missing. Feel free to post here or email me firstname.lastname @ liferay.com
Posted on 23/05/12 11:40 in reply to Muru Annamalai.
[...] Check this : Link http://www.liferay.com/web/mika.koivisto/blog/-/blogs/12725251 Link]... [...] Read More
Posted on 25/05/12 02:40.
Is the download for the WAR In the "Official Plugins"? When I do a search for SAML I can't find it. I can find the AssureBridge SAML war in the community plugins, but can't find the official one... Point me in the right direction?
Posted on 25/05/12 08:07 in reply to .
Ryan, this is a EE only plugin so you need to be EE subscriber to get it. For EE subscribers it's found in the customer portal where you download EE version of the portal etc.
Posted on 25/05/12 10:52 in reply to ryan baldwin.
I have followed the steps to set up Liferay as IdP, but when I try to access

http://localhost:8080/c/portal/saml/metadata

it's redirecting me to the home page instead of displaying the metadata.
Posted on 27/07/12 03:42 in reply to Mika Koivisto.
Did you log in to Liferay before accessing the page? The URL pointed to a private page, I believe.
Posted on 30/08/12 07:28 in reply to Harish Kumar.
I followed these steps to a T and I keep getting:

Error [KeyStoreManagerImpl:122] Unable to load Keystore
java.io.IOException: Keystore was tampered with, or password was incorrect

I have checked numerous times to make sure all information in my portal-ext.properties file is correct and it is. So not sure why I am getting this error.
Posted on 01/11/12 10:13 in reply to Steven Zhao.
How do I access the source code for the SAML portlet plugin?
Posted on 02/01/13 04:41.
Hi, thanks for the plugin. In Service Provider mode, is it capable of getting a user's groups from attributes? I am an EE user, and am potentially interested in using this plugin.

Thanks,

Al
Posted on 26/02/13 05:53.
Mika, do you have a timeline for adding support for multiple IdPs?
Posted on 27/02/13 11:42 in reply to Mika Koivisto.
To clarify what "multiple IDPs" mean, Mika are you referring to the ability of a single LR server in IDP mode to support using different certificates for signing assertions to different service providers? The SAML plugin in its current state allows me to configure multiple SPs for an IDP Initiated Web SSO scenario - but even if I configure 50 different SPs I would be signing all of those assertions with the same single certificate, right?

I have a client that is requiring that I provide them with a unique certificate for each of their SP entityIDs.

What I believe I would need is a way to configure multiple IDP entity IDs - each with their own keystore certificate - and then a way to associate that specific entityID with a specific SP entityID. That way I could utilize a different certificate for each SSO "route".

Example portal-ext.properties with proposed config changes:

saml.enabled=true
saml.role=idp
saml.metadata.paths=\
/first.service.provider.metadata.xml, \
/second.service.provider.metadata.xml
?? saml.entity.id=https://generic.identity.provider.entity.id ??
saml.idp.enabled=true

# First IDP Entity ID Config
saml.idp.entity.id[https\://first.service.provider.entity.id]=https\://first.identity.provider.entity.id
saml.keystore.credential.password[https\://first.identity.provider.entity.id]=<key-password>

# Second IDP Entity ID Config
saml.idp.entity.id[https\://first.service.provider.entity.id]=https\://first.identity.provider.entity.id
saml.keystore.credential.password[https\://first.identity.provider.entity.id]=<key-password>

Mika:
Is this something that is in the works at all? Or should I accept the fact that I'll need to roll my own to get this kind of functionality. Will try contacting you via email also.

Cheers!
Posted on 26/03/13 14:55 in reply to Petr Zalesky.
I have followed the steps but when I try to access the url "http://localhost:8080/c/portal/saml/metadata" I got "Internal Server Error"

Any suggestions ?
Posted on 05/06/13 06:44 in reply to Harish Kumar.
I need it for WSRP (remote portlets). How to make it work? Does Liferay support that?
Posted on 01/08/13 03:56.
Haikel, we don't currently support SAML with WSRP although it is on our future roadmap.
Posted on 01/08/13 11:13 in reply to haikel thamri.
Mika,

I went through the setup steps you outlined, but I am getting a null pointer exception. The authnRequest is coming back null after this line in: com.liferay.saml.profile.WebSsoProfileImpl:

AuthnRequest authnRequest = samlMessageContext.getInboundSAMLMessage();

I am trying to debug why and have this question: do I need to generate a keystore.jks from the command line AS WELL AS in the SAML UI? They both seem to be doing the exact same thing, so do I need to do both of them or just from the command line?

Thank you.
Posted on 27/08/13 15:24 in reply to Mika Koivisto.
If you've got the UI then use it only, because using both will just make a mess. Make sure your IdP knows about your SP and vice versa.
Posted on 27/08/13 15:28 in reply to Clint Wilde.
Mika,

Thanks for the quick response.

Just to be clear, I am talking about the form to generate a Certificate and Private Key in the General tab of the SAML portlet. I ask because you didn't mention that in your initial instructions, and it seems to require the same inputs as the command line you mentioned.

I did submit the form, but will that cause a mess if I also specify the keystore.jks file in portal-ext.properties as you said?


Thanks again,
Clint
Thank you!
Posted on 27/08/13 15:39 in reply to Mika Koivisto.
When this blog post was written there was no UI. The UI writes to the same keystore specified in the portal-ext.properties if FileSystemKeyStoreManagerImpl is in use and it is the default one for backwards compatibility.
Posted on 28/08/13 11:45 in reply to Clint Wilde.
Thanks Mika, that helps.

After submitting the form, restarting Tomcat and refreshing the page:

com.liferay.saml.SamlException: org.opensaml.ws.message.decoder.MessageDecodingException: No SAMLRequest or SAMLResponse query path parameter, invalid SAML 2 HTTP Redirect message
at com.liferay.saml.profile.WebSsoProfileImpl.processAuthnRequest(WebSsoProfileImpl.java:127)
at com.liferay.saml.profile.WebSsoProfileUtil.processAuthnRequest(WebSsoProfileUtil.java:36)2

Am I missing a parameter somewhere?

Here's the saml props from my portal-ext.properties:

saml.enabled=true
saml.role=idp
saml.entity.id=liferaysamlidpdemo
saml.require.ssl=false
saml.sign.metadata=true
saml.idp.authn.request.signature.required=true
saml.keystore.path=${liferay.home}/SAML-DATA/keystore.jks
saml.keystore.password=liferay
saml.keystore.type=jks
saml.keystore.credential.password[liferaysamlidpdemo]=liferay
saml.metadata.paths=${liferay.home}/SAML-DATA/salesforce-metadata.xml


Thanks,
Clint
Posted on 28/08/13 13:48 in reply to Mika Koivisto.
Hi Mika,

Is there a SAML plugin developed for 6.0.12 EE?
Posted on 16/09/13 09:30.
Hi Mika,
Do you know when was the UI introduced?
I'm on 3.1.20 ee ga2 and I don't have UI.
I have configured SAML SSO between 2 instances of LR (IdP and SP) and it seems to be working well to an extent (can't seem to get custom user fields working), but I can't even see the SAML portlet anywhere in the portal, except for in portal properties in system administration. Now wondering if my installation is ok or if I'm missing something.
Thanks
Ash
Posted on 17/09/13 15:42 in reply to Mika Koivisto.
The UI should be included in the next release. When it will be made generally available I don't know; the latest should be with 6.2 EE.
Posted on 17/09/13 15:52 in reply to Ash Gupta.
Hi Mika,
Thanks for the quick reply!

Can I also draw your attention to another question I posted related to SAML here -
https://www.liferay.com/community/forums/-/message_boards/view_message/28886644

Apologies for crossposting!
Posted on 17/09/13 15:58 in reply to Mika Koivisto.
Mika,

I apologize in advance for cross-posting, but I wanted to ask an urgent question about this:

Original link here:
https://www.liferay.com/web/armin.dahncke/blog/-/blogs/setting-up-liferay-portal-6-1-ee-as-a-sp

We have a client who needs to implement Liferay as an SP for BOTH user login *and application login. We are already implementing SAML plugin for user login.

The Application login will be Liferay(SP) logging in to the IDP as an application user, not as a specific user so we need both. Does the SAML plugin have any support for this out of the box?

If not, would we need a BOTH a SAML metadata IDP XML for the user login *AND another SAML metadata IDP XML for the application login?

Is this completely out of the use case of SAML to do an application login? Please tell me we are not the first ones to be asked to use SAML to do this?

Thanks in advance.
Posted on 18/09/13 08:48 in reply to Mika Koivisto.
Well it depends what you mean by application login. We don't support ECP profile yet which is something you'd need for example to do SAML based authentication to WSRP. You could use JAAS with SAML but that depends on your use case whether that works or not.
Posted on 18/09/13 11:44 in reply to Clint Wilde.
Thanks Mika. I just received more clarification. Does the SAML portlet support doing an AttributeQuery and getting a specific attribute from the IDP?

Thanks
Posted on 18/09/13 12:07 in reply to Mika Koivisto.
AttributeQuery is not supported at this point. You can include attributes in the Response only.
Posted on 18/09/13 12:11 in reply to Clint Wilde.
ughh... Thanks. General question to gauge difficulty: can you give me a rough estimate of how long you would expect a good Java developer (with no knowledge of this plugin and limited knowledge of SAML) to get in and make those changes to support AttributeQuery, and are there any external roadblocks that would prevent us from adding that? Again, I appreciate your help.
Posted on 18/09/13 12:23 in reply to Mika Koivisto.
I took a quick look at the spec to refresh my memory on AttributeQuery and it seems that implementing just that part shouldn't be all that difficult. I'd say that a week should be more than enough for someone that knows SAML. I don't see any roadblocks from adding it and the plugin is fairly extendable. If you don't mind sharing more details on your use case I'd be interested in hearing. You can do that privately by emailing me directly. My email is firstname.lastname at liferay.com
Posted on 18/09/13 14:48 in reply to Clint Wilde.
Thanks Mika. I may take you up on that when we get closer to implementation.

We have another issue related to setting up an IDP:

18:25:44,140 DEBUG [http-bio-8080-exec-14][BaseSAMLMessageDecoder:46] Intended message destination endpoint: https://idp.sample.org/c/portal/saml/sso
18:25:44,141 DEBUG [http-bio-8080-exec-14][BaseSAMLMessageDecoder:46] Actual message receiver endpoint: http://idp.sample.org/c/portal/saml/sso

Both SP and IDP are Liferay. When both servers were only listening on HTTP, the connection worked fine, but we just enabled https on the servers and now we are getting this error. We did set saml.require.ssl=true, but we are still seeing the same error. What do we need to do to get past this error?

Thanks in advance.
Posted on 25/09/13 12:39 in reply to Mika Koivisto.
Hi Mika,

We are also getting this Exception in the logs of the IDP. They don't appear to be related:

Caused by: org.opensaml.ws.message.decoder.MessageDecodingException: No SAMLRequest or SAMLResponse query path parameter, invalid SAML 2 HTTP Redirect message
at org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder.doDecode(HTTPRedirectDeflateDecoder.java:98)
at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:79)
at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70)
at com.liferay.saml.profile.BaseProfile.decodeSamlMessage(BaseProfile.java:73)
at com.liferay.saml.profile.WebSsoProfileImpl.decodeAuthnRequest(WebSsoProfileImpl.java:284)
at com.liferay.saml.profile.WebSsoProfileImpl.doProcessAuthnRequest(WebSsoProfileImpl.java:309)
at com.liferay.saml.profile.WebSsoProfileImpl.processAuthnRequest(WebSsoProfileImpl.java:119)

Do you have any idea what is causing this? Any tips would be very appreciated!

Thank you!
Posted on 25/09/13 12:46 in reply to Clint Wilde.
Make sure you are consuming the metadata from https url otherwise it will generate the urls with http.
Posted on 26/09/13 14:35 in reply to Clint Wilde.
This could be caused by someone accessing /c/portal/saml/sso or /c/portal/saml/acs without correct parameters.
Posted on 26/09/13 14:37 in reply to Clint Wilde.
Hi Mika,
I am following up on your conversation with Clint Wilde. We work in the same team. Now we are getting the response back from the IdP, and I can see the NameID in the SAML response.

<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">YjY3ODliOGUtNGUwMy00MGIwLWEyYmYtZWE5MTk1OTUzYWE1JjNCRTk4MzIwLTA0RkEtNDQ1Ny04MTBFLTgwQkM0MTlGNUE4NA==</NameID>

But still getting this exception on our side (we are SP):

00:01:52,509 ERROR [http-bio-8080-exec-30][status_jsp:665] com.liferay.saml.SamlException: Name ID not present in subject
com.liferay.saml.SamlException: Name ID not present in subject
at com.liferay.saml.profile.WebSsoProfileImpl.doProcessResponse(WebSsoProfileImpl.java:486)

Your insight would be much appreciated. Thanks in advance.
Posted on 29/09/13 12:54 in reply to Mika Koivisto.
First of all Liferay doesn't support transient NameID. Secondly the SubjectConfirmationMethod has to be urn:oasis:names:tc:SAML:2.0:cm:bearer in order for the subject to be accepted.
Posted on 30/09/13 11:30 in reply to Ajit Gauli.
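Two of the failures discussed above can be spotted by inspecting the SAML Response itself before digging into the plugin: the endpoint mismatch that appears when metadata was consumed over http (Mika's reply on the Intended vs. Actual destination), and a Subject the SP will refuse (transient NameID, or a SubjectConfirmation whose Method is not urn:oasis:names:tc:SAML:2.0:cm:bearer). The checker below is an added example written for this thread; it is not code from the SAML plugin or from any participant. The sample Response, the host sp.sample.org and the expected ACS URL are constructed for the example.

```python
"""Pre-checks on a SAML 2.0 Response that an SP is about to process.

Findings correspond to two issues from the thread: Destination/ACS scheme
mismatch (metadata consumed over http) and an unsupported Subject (transient
NameID, no bearer SubjectConfirmation). Everything here is illustrative;
the Response below is constructed, not captured from a real IdP.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample: http Destination, transient NameID, holder-of-key method.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2013-09-29T12:00:00Z"
    Destination="http://sp.sample.org/c/portal/saml/acs">
  <saml:Issuer>liferaysamlidpdemo</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-09-29T12:00:00Z">
    <saml:Issuer>liferaysamlidpdemo</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">YjY3...</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
        <saml:SubjectConfirmationData Recipient="http://sp.sample.org/c/portal/saml/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, expected_acs):
    """Return a list of findings; an empty list means the checked fields are acceptable."""
    findings = []
    root = ET.fromstring(xml_text)

    # 1. Destination must equal the ACS URL the SP really listens on, scheme
    #    included. Metadata fetched over http yields http endpoints, which is
    #    exactly the "Intended ... / Actual ..." mismatch logged by the decoder.
    dest = root.get("Destination")
    if dest != expected_acs:
        exp, got = urlsplit(expected_acs), urlsplit(dest or "")
        if exp.scheme != got.scheme and (exp.netloc, exp.path) == (got.netloc, got.path):
            findings.append(
                f"Destination scheme mismatch: expected {exp.scheme}, got {got.scheme}; "
                "re-consume the metadata over https"
            )
        else:
            findings.append(f"Destination mismatch: expected {expected_acs}, got {dest}")

    subject = root.find("saml:Assertion/saml:Subject", NS)
    if subject is None:
        findings.append("no Subject in assertion")
        return findings

    # 2. The plugin does not accept a transient NameID.
    name_id = subject.find("saml:NameID", NS)
    if name_id is None:
        findings.append("Name ID not present in subject")
    elif name_id.get("Format") == TRANSIENT:
        findings.append("transient NameID format is not supported by the plugin")

    # 3. The Subject is only accepted with the bearer confirmation method.
    methods = [sc.get("Method") for sc in subject.findall("saml:SubjectConfirmation", NS)]
    if BEARER not in methods:
        findings.append(f"no bearer SubjectConfirmation (methods present: {methods})")
    return findings


if __name__ == "__main__":
    for finding in check_response(SAMPLE_RESPONSE, "https://sp.sample.org/c/portal/saml/acs"):
        print("finding:", finding)
```

Run against the constructed Response the checker reports all three problems; fixing the Destination scheme, the NameID format and the confirmation method makes it return an empty list. This is a triage aid only: signature validation, audience and time-window checks remain the SP's job.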
Hi Mika,

I am trying to set up Liferay integration with a SAML setup; we have the EE edition here and I have received the Liferay SAML bundle for deployment.
I have performed the above steps you mentioned for configuring Liferay as IdP. After performing configuration steps 1 and 2, when I try to deploy the package, I receive the error below in the log:

17:58:35,251 ERROR [pool-2-thread-2][HotDeployImpl:191] com.liferay.portal.kernel.deploy.hot.HotDeployException: Error registering servlet context listeners for saml-portlet
com.liferay.portal.kernel.deploy.hot.HotDeployException: Error registering servlet context listeners for saml-portlet
at com.liferay.portal.kernel.deploy.hot.BaseHotDeployListener.throwHotDeployException(BaseHotDeployListener.java:46)
at com.liferay.portal.deploy.hot.ServletContextListenerHotDeployListener.invokeDeploy(ServletContextListenerHotDeployListener.java:37)
at com.liferay.portal.deploy.hot.HotDeployImpl.doFireDeployEvent(HotDeployImpl.java:188)
at com.liferay.portal.deploy.hot.HotDeployImpl.fireDeployEvent(HotDeployImpl.java:96)
at com.liferay.portal.kernel.deploy.hot.HotDeployUtil.fireDeployEvent(HotDeployUtil.java:27)
at com.liferay.portal.kernel.servlet.PluginContextListener.fireDeployEvent(PluginContextListener.java:167)
at com.liferay.portal.kernel.servlet.PluginContextListener.doPortalInit(PluginContextListener.java:151)
at com.liferay.portal.kernel.util.BasePortalLifecycle.portalInit(BasePortalLifecycle.java:42)
at com.liferay.portal.kernel.util.PortalLifecycleUtil.register(PortalLifecycleUtil.java:64)
at com.liferay.portal.kernel.util.PortalLifecycleUtil.register(PortalLifecycleUtil.java:56)
at com.liferay.portal.kernel.util.BasePortalLifecycle.registerPortalLifecycle(BasePortalLifecycle.java:52)
at com.liferay.portal.kernel.servlet.PluginContextListener.contextInitialized(PluginContextListener.java:106)
at com.liferay.portal.kernel.servlet.SecurePluginContextListener.contextInitialized(SecurePluginContextListener.java:145)
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4779)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5273)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:895)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:871)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:615)
at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1099)
at org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:1621)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:441)
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
at java.util.concurrent.FutureTask.run(FutureTask.java:138)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:619)
Caused by: java.lang.ClassCastException: com.liferay.portal.kernel.servlet.SecurePluginContextListener cannot be cast to com.liferay.portal.kernel.servlet.SecurePluginContextListener
at com.liferay.portal.deploy.hot.ServletContextListenerHotDeployListener.doInvokeDeploy(ServletContextListenerHotDeployListener.java:62)
at com.liferay.portal.deploy.hot.ServletContextListenerHotDeployListener.invokeDeploy(ServletContextListenerHotDeployListener.java:34)
... 25 more


and when I try to access http://localhost:8080/c/portal/saml/metadata, it throws a null pointer exception:

19:43:46,895 ERROR [http-bio-8080-exec-7][status_jsp:665] org.opensaml.saml2.metadata.provider.MetadataProviderException: java.lang.NullPointerException
org.opensaml.saml2.metadata.provider.MetadataProviderException: java.lang.NullPointerException
at com.liferay.saml.metadata.MetadataManagerImpl.getEntityDescriptor(MetadataManagerImpl.java:121)
at com.liferay.saml.metadata.MetadataManagerUtil.getEntityDescriptor(MetadataManagerUtil.java:48)
at com.liferay.saml.hook.action.MetadataAction.doExecute(MetadataAction.java:64)
at com.liferay.saml.hook.action.MetadataAction.execute(MetadataAction.java:46)
at com.liferay.portal.kernel.struts.BaseStrutsAction.execute(BaseStrutsAction.java:37)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.liferay.portal.kernel.bean.ClassLoaderBeanHandler.invoke(ClassLoaderBeanHandler.java:67)
at $Proxy548.execute(Unknown Source)
at com.liferay.portal.struts.ActionAdapter.execute(ActionAdapter.java:50)
at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
at com.liferay.portal.struts.PortalRequestProcessor.process(PortalRequestProcessor.java:176)
at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)
at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
at com.liferay.portal.servlet.MainServlet.callParentService(MainServlet.java:560)
at com.liferay.portal.servlet.MainServlet.service(MainServlet.java:537)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:72)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:163)
at com.liferay.portal.servlet.filters.strip.StripFilter.processFilter(StripFilter.java:335)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:57)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:206)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:108)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:163)
at com.liferay.portal.servlet.filters.gzip.GZipFilter.processFilter(GZipFilter.java:123)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:57)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:206)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:108)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:163)
at com.liferay.portal.servlet.filters.secure.SecureFilter.processFilter(SecureFilter.java:294)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:57)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:206)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:108)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:163)
at com.liferay.portal.servlet.filters.sso.ntlm.NtlmPostFilter.processFilter(NtlmPostFilter.java:83)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:57)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:206)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:108)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:163)
at com.liferay.portal.sharepoint.SharepointFilter.processFilter(SharepointFilter.java:80)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:57)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:206)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:108)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:163)
at com.liferay.portal.servlet.filters.virtualhost.VirtualHostFilter.processFilter(VirtualHostFilter.java:216)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:57)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:206)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:108)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:187)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:95)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:738)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:206)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:108)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:167)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:95)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:167)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:95)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:187)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:95)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilter.doFilter(InvokerFilter.java:73)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:565)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:307)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:619)
Caused by: java.lang.NullPointerException
at com.liferay.saml.util.OpenSamlUtil.buildEntityDescriptor(OpenSamlUtil.java:246)
at com.liferay.saml.metadata.MetadataGeneratorUtil.buildIdpEntityDescriptor(MetadataGeneratorUtil.java:48)
at com.liferay.saml.metadata.MetadataManagerImpl.getEntityDescriptor(MetadataManagerImpl.java:107)
... 91 more

I'd appreciate it if you could help me get through this or point me to the appropriate official guide to follow.

Thanks
V
Posted on 14/10/13 12:45.
Hi Mika,
Can you explain the saml.metadata.paths property?
We are setting up Liferay as SP and an external PF as IdP. The questions that I have are:
1. Is saml.metadata.paths required when setting up Liferay as SP?
2. Can IdP metadata be consumed from the SAML assertion itself?
3. Can IdP metadata only be updated via a file to Liferay?

I'd appreciate your attention and a reply to this, or can you point me to detailed documentation on the SAML properties?

Thanks
Posted on 21/10/13 14:43.
Please ignore the previous question; it's not what I intended to ask. Is there a way for users to delete questions they have posted here?
Posted on 23/10/13 04:36 in reply to Ash Gupta.
Hi Mika,
I would still like to know all the SAML-related properties in one place. Is that available someplace?
Posted on 23/10/13 04:41 in reply to Ash Gupta.
Our documentation team is still working on the SAML portlet documentation. All the properties you need are described in the few blog posts there are about SAML. Once we release the new version you won't need any properties because everything will be configured from the control panel.
Posted on 23/10/13 11:00 in reply to Ash Gupta.
Hi Mika,
Thanks, I think I got most of the properties. I have a separate question since I seem to be hitting https://support.liferay.com/browse/LPS-25238 on a different installation trying to set up Liferay as SP.

Is it important to use the same keystore generated for Liferay SAML for the SSL configuration of Tomcat, or can these be different?
Posted on 24/10/13 11:21 in reply to Mika Koivisto.
The keystore for SSL can and probably should be different from SAML keystore.
Posted on 24/10/13 11:29 in reply to Ash Gupta.
Hi Mika,
Thanks!
One other question that I don't seem to get a definitive answer on. Can you confirm if the plugin supports encrypted SAML assertions (saml:EncryptedAssertion) in addition to signed ones?
Posted on 24/10/13 17:36 in reply to Mika Koivisto.
Encrypted assertions are in the roadmap but not currently supported.
Posted on 24/10/13 18:39 in reply to Ash Gupta.
Hi folks, the issue I was facing with "Error registering servlet context listeners for saml-portlet" was resolved with a hotfix provided by Liferay, although it's not available for Community Edition, only for EE.
Posted on 31/10/13 13:44.
Hi Mika,
Thanks for the confirmation on encryptedAssertion.
I am now wondering whether encrypted attribute values, not the whole assertion, are supported or not. Can you please confirm that?
If encrypted values are supported, how do you configure the keys/certificates to decrypt the values?
Posted on 05/11/13 08:42 in reply to Mika Koivisto.
Vaibhav

Can you tell me what patch it was, we are having the same issue.

Thanks in advance!
Brett
Posted on 08/11/13 16:30 in reply to vaibhav kachare.
Brett,
The patch that we received was liferay-hotfix-1552-6120; if you have an EE licence you should be able to raise a ticket with Liferay support.

Regards
Vaibhav
Posted on 12/11/13 10:59 in reply to Brett Lewinski.
Thank you, very good article.
Posted on 11/02/14 22:19.
Hi Mika,

I've set up the SAML plugin as IdP and it works fine. I'm able to access the metadata through https://myhost/portail/c/portal/saml/metadata .
Notice portail is my portal context.

However, in the metadata I can see that the bindings are in http and the portal context (root) is missing.

<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://myhost/c/portal/saml/sso"/>

Am I missing a patch or is this a bug?

Thanks.
Posted on 18/02/14 13:55.
I'm pretty sure that is fixed but I don't remember the ticket number. If it is fixed it'll be in the latest version of the plugin.
Posted on 18/02/14 14:06 in reply to Thierry Dagnino.
I'm using version 1.0 for Liferay 6.1.2 GA2 EE. I'll try 1.0.1.
Thanks
Posted on 18/02/14 14:14 in reply to Mika Koivisto.
Hi,

I installed the 1.0.1 version and still have the problem with the paths in the bindings.
Any ideas?

Thanks.
Posted on 18/02/14 15:10 in reply to Thierry Dagnino.
Have you set portal.ctx property to your portal context path in portal-ext.properties?
Posted on 25/02/14 15:23 in reply to Thierry Dagnino.
I dug deeper and it looks like there really is a problem. I've created https://issues.liferay.com/browse/LPS-44619 and will soon fix it.
Posted on 26/02/14 11:41 in reply to Mika Koivisto.
Hi Mika,

I had opened a ticket with Liferay support and there is a request for change with the engineering team. I don't know if it's you that will pick it up.

It is Brian Suh who has escalated the issue if you want to contact him.

Thanks.
Posted on 26/02/14 11:48 in reply to Mika Koivisto.
As you state in the blog, Salesforce does not support the single logout profile.
When I log out from the portal, Liferay tries to do a logout at salesforce.com. The logout at Salesforce fails and a page is displayed from the portal saying "All service providers are processed. Continuing sign out automatically in 5 seconds" and giving a link to retry the logout at Salesforce.
Is there a way to not display this page, since we know that salesforce.com will never process the logout request?
In other words, is there a way to tell Liferay that single logout is not supported by an SP?
Thanks
Posted on 25/04/14 07:21.
I see this same issue in the environment I am setting up. In my case, I simply don't want a logout in the portal to log the user off of the remote app. But it does seem to try, even though the metadata from the SP does not have a /SLO endpoint. I have configured the SP to only support local logout. So the request from the portal to try to log out is very fast, but it still indicates a failure, and nothing is captured in the logs.
Posted on 09/05/14 07:14 in reply to Thierry Dagnino.
Hi Mika, is there multiple IdP support in the current SAML release for Liferay 6.2?
Posted on 09/06/14 16:47 in reply to Mika Koivisto.
Has it worked for you? I am getting the following error, "Unable to process SAML request", when I try to access the URL http://localhost:8080/c/portal/saml/metadata; in the logs the error is "Credential is Required".
Posted on 08/07/14 23:22 in reply to Imad T..
Hi Mika,
Thanks for your post.
I am able to use the single sign-on functionality with Salesforce with the admin user test@liferay.com,
but whenever I try to sign in with another user (imported from LDAP) this functionality is not working; I am getting the error "your login attempt with single sign on account have failed,please contact your salesforce administrator".
Posted on 16/09/14 05:22 in reply to Mika Koivisto.
Hi,

One more question I want to ask: does the user who is getting authenticated using Liferay sign up have to be registered on salesforce.com?
I mean, my use case is:
we have Liferay integrated with LDAP and we would like to SSO LDAP users into salesforce.com without registering those users in salesforce.com.
We just want to create an authentication certificate for salesforce.com.
How can we achieve the above functionality?
Thanks
Kapil
Posted on 17/09/14 05:05 in reply to Mika Koivisto.
You'd need to provision the users from your LDAP to Salesforce or to configure Salesforce to automatically create users from attributes provided in SAML Assertion.
Posted on 17/09/14 05:12 in reply to Kapil Burange.
Is this the only way to register LDAP users in Salesforce, or can we generate the keystore with an LDAP group which contains all the users and register that certificate in Salesforce?
Posted on 17/09/14 05:19 in reply to Mika Koivisto.
We cannot allow LDAP connectivity to Salesforce and would like to use the SAML assertion for creating users. How do we do that?
One more thing: we want to add some custom fields from LDAP to be inserted in the SAML. How can we do that?
Please suggest.
Thanks
Kapil
Posted on 17/09/14 05:34 in reply to Mika Koivisto.
Hi Mika,
Thanks for the reply.
I just want to ask: on the Salesforce end, how can we check the fields firstname, lastname, email, uuid and screenname? On the Liferay end we have configured this property:
saml.idp.metadata.attribute.names[https://saml.salesforce.com]=screenName,firstName,lastName,emailAddress,uuid
Please reply, because I am kind of stuck on this.
Posted on 24/09/14 07:04 in reply to Mika Koivisto.
Hi Mika,

Your "Getting started with Liferay SAML 2.0 Identity Provider" document is very clear and well written. I was able to follow the procedures and successfully setup the SAML integration between Liferay and Salesforce.

However, for another scenario where there is more than one Salesforce custom domain, e.g. customer and partner domains, I presume the two domains are considered different service providers.

What would be the configuration required to support multiple service providers in this case?

Thanks.

Regards.
Posted on 02/10/14 03:41.
Hi Mika,

Is the encrypted assertion available now? I am using the latest version of Liferay 6.2 EE.
If it is available, please let us know how to achieve it,
or what properties we should use.
Please reply.
Posted on 05/11/14 05:42 in reply to Mika Koivisto.
It's not available yet.
Posted on 05/11/14 07:34 in reply to Kapil Burange.
Thank you so much for the quick response.
It seems that SAML 2.0 has attribute encryption, as we are able to see the following attributes in the SAML response:
<ds:DigestMethod Algorithm="............/"> for xmldsign#sha1
<ds:SignatureMethod Algorithm="............/"> for xmldsign#sha1
Please confirm and, if possible, please explain these attributes.
Thanks in advance.
Really appreciate your response.
Posted on 06/11/14 02:01 in reply to Mika Koivisto.
Hi Mika,
This is a good starter for this useful tool. It would also be helpful to have a full listing of the SAML2 specific properties that can be used. In my case I need something to allow the use of the web.server.protocol property to be used independently from the SAML settings. I've outlined the issue in a separate thread ...

https://www.liferay.com/community/forums/-/message_boards/message/45352086
Posted on 14/11/14 07:57.
Hi Mika,

Can you please tell me how to pass RelayState in the link?
My RelayState value will be (tc=E1001):
/c/portal/saml/sso?entityId=https://saml.salesforce.com&RelayState=tc=E1001

Regards
Kapil
Posted on 20/11/14 03:58 in reply to Mika Koivisto.
Did you get this error resolved? If so, please advise.
Posted on 04/12/14 13:09 in reply to Clint Wilde.