« Back

Setting up Liferay Portal 6.1 EE as a SP

Company Blogs May 24, 2012 By Armin Cyrus Dahncke Staff


If you have followed the IdP setup you will find the setup steps very similar.
First we need to setup a keystore, we gonna use the java keytool to create a keystore we can easily use from command line.
It is cruzial to create the key with the name of the SP-entity we want to use in the portal-ext.properties. In this case we will use liferaysamlspdemo
To have the keystore in a directory we can adress from liferay properties we can for ease of use execute the command in the liferay data directory
keytool -genkey -keyalg RSA -alias liferaysamlspdemo -keystore keystore.jks -storepass liferay -validity 360 -keysize 2048
The command line output looks somewhat like
MacBook-Pro:data xxx$ keytool -genkey -keyalg RSA -alias liferaysamlspdemo -keystore keystore.jks -storepass liferay -validity 360 -keysize 2048
What is your first and last name?
  [Unknown]:  Liferay SAML SP Demo
What is the name of your organizational unit?
  [Unknown]:  Liferay SAML SP Demo
What is the name of your organization?
  [Unknown]:  Liferay SAML SP Demo
What is the name of your City or Locality?
  [Unknown]:  Liferay SAML SP Demo
What is the name of your State or Province?
  [Unknown]:  Liferay SAML SP Demo
What is the two-letter country code for this unit?
  [Unknown]:  XX
Is CN=Liferay SAML SP Demo, OU=Liferay SAML SP Demo, O=Liferay SAML SP Demo, L=Liferay SAML SP Demo, ST=Liferay SAML SP Demo, C=XX correct?
  [no]:  yes
Enter key password for <liferaysamlspdemo>
(RETURN if same as keystore password):  
Re-enter new password: 
We need to bootstrap the SAML plugin in the portal-ext.properties
# Enable SAML Plugin
# Set the role to sp on the Service Provider side
# Set the SAML entity id, it matches the alias we used to setup the keystore
# The metadata location for Identity Provider
We also need a refererence to the keystore we setup earlier, therefore we need to add the following to portal-ext.properties
# Keystore
# keystore type
# location of the keystore
# pwd for accessing the keystore
# pwd for accessing the certificate of the entity in the keystore
Finally we need to configure the Service Provider itsself there we add the following to portal-ext.properties
# Service Provider
# Service Provider SAML entity id
# Set the SAML authentication mandatory
# disable signatures for the demo
# timeout setting for IdP clock deviation in ms
# Session keep alive url
# Service Provider user attribute mappings
After applying these settings we can deploy the SAML-portlet plugin. I deployed first to the IDP and then to the SP.
This url will initiate the SAML IdP based login process check out if it works.
p.s. This is a demo showing of the SAML 2 connection between 2 liferay instances on separate tomcats. Where one tomcat is the IdP on port 8080 and the SP is on a different liferay portal tomcat port 7080. 
Threaded Replies Author Date
[...] Liferay 6.1 EE comes with SAML 2.0... Anonymous May 25, 2012 11:10 AM
We got the 6.1 EE SAML plugin working all... Alberto Rama July 27, 2012 2:37 PM
Try to set on the SP ... Armin Cyrus Dahncke July 27, 2012 3:28 PM
i dont know how to develop single sign on,... Amar k August 5, 2012 3:31 AM
HI - in Service Provider mode, is it capable of... Al Faller February 28, 2013 7:09 AM
We have a client who needs to implement Liferay... Clint Wilde September 18, 2013 7:43 AM
Is it important to use the same keystore... Ash Gupta October 24, 2013 11:17 AM
I got Liferay 6.2 EE to work as SAML SP, but... Advait Trivedi April 29, 2014 4:00 PM
Perhaps it is obvious (it wasn't to me) but it... Denney Liptak May 19, 2014 2:24 PM
I am using Liferay 6.2 EE. After configuring... Eason Chen February 16, 2015 12:52 AM

[...] Liferay 6.1 EE comes with SAML 2.0 Identity Provider and Service Provider support via SAML plugin. If you are not familiar with SAML check out my Introduction to SAML presentation slides. In this... [...] Read More
Posted on 5/25/12 11:10 AM.
We got the 6.1 EE SAML plugin working all right, but the default behavior seems to ask the user to set password and security question before provisioning it. Is there a way to prevent this? Also we would like to disable local login and force the app to redirect to the IdP login page when authentication is required, what would be the best way to do it?
Posted on 7/27/12 2:37 PM.
Try to set on the SP


in portal ext properties and modify the default password policy so that it requires no password change.
You can disable the sign in portlet in plugins configuration and then also add your signurl in portal ext properties like this

Posted on 7/27/12 3:28 PM in reply to Alberto Rama.
i dont know how to develop single sign on, please help me?
Posted on 8/5/12 3:31 AM.
HI - in Service Provider mode, is it capable of getting a user's groups from attributes? I am an EE user, and am potentially interested in using this plugin.


Posted on 2/28/13 7:09 AM.
We have a client who needs to implement Liferay as an SP for BOTH user login *and application login. We are already implementing SAML plugin for user login.

The Application login will be Liferay(SP) logging in to the IDP as an application user, not as a specific user so we need both. Does the SAML plugin have any support for this out of the box?

If not, would we need a BOTH a SAML metadata IDP XML for the user login *AND another SAML metadata IDP XML for the application login?

Posted on 9/18/13 7:43 AM.
Is it important to use the same keystore generated here for the ssl configuration of Tomcat or can this be different ?
Posted on 10/24/13 11:17 AM.
I got Liferay 6.2 EE to work as SAML SP, but after login I was inspecting cookies that get created. I noticed that COMPANY_ID and ID cookies are not created when I login using SAML. But when I login using Liferay's internal login, these cookies gets created. Is there a way for me to get these cookies when I login using SAML ?

Posted on 4/29/14 4:00 PM.
Perhaps it is obvious (it wasn't to me) but it should be noted that you need to add the IdP certificate to the Liferay SP keystore. I erroneously thought the IdP metadata import/link (the value of parameter: saml.metadata.paths) was sufficient to establish trust but this was not the case.

Without importing the IdP certificate, the SAMLResponse signature will be verified but it will be rejected due to lack of 'trust'.

I'm not sure if this is required but the alias you give the certificate during import should match the entityID assertion by the IdP.
For example:
keytool.exe -alias <IdP_entityID> -importcert -file <IdPcert.cer> -keystore keystore.jks
where keystore.jks is the same SP keystore created at the beginning of this post.

If the name/alias didn't match, I'm not sure it'd successfully lookup the certificate.
Posted on 5/19/14 2:24 PM.
I am using Liferay 6.2 EE. After configuring the same as this blog, my portal is configured with the SP value (http://localhost:8080/group/control_panel/manage/-/server/properties/portal-pro­perties). However, when I browse to the SP Metadata URL, I will be redirected back to portal URL, cannot download SP Metadata, why?
Posted on 2/16/15 12:52 AM.