Message Boards

SAML2 plugin : id on on another construct

Jack Bakker, modified 10 years ago.

SAML2 plugin : id on on another construct

Liferay Master, Posts: 978, Join Date: 10-1-3
I have a Liferay portal where login is by screenname; looking to use the SAML2 plugin (IdP initiated) to id on one of the below.


When a client builds an identity provider, they must provide us with one of three sets of identifying client information:
- The member's SIN and last name, OR:
- The member's employee number and last name, OR:
- The member's demographic attributes: first and last name, city, date of birth, employment province code and postal code.


(btw in Canada, SIN = Social Insurance Number)

Is something like this configurable with the SAML2 plugin, or does it require custom coding?

Mika Koivisto, modified 10 years ago.

RE: SAML2 plugin : id on on another construct

Liferay Legend, Posts: 1519, Join Date: 06-8-7
Is Liferay in this scenario the IdP or SP?

Liferay as SP can identify the user from NameID only; however, it's not too hard to extend that to include attributes. Liferay as IdP can use emailAddress, screenName, expando attribute and static value as the NameID; it can also include expando attributes as attributes in the Response.

Jack Bakker, modified 10 years ago.

RE: SAML2 plugin : id on on another construct

Liferay Master, Posts: 978, Join Date: 10-1-3
Mika Koivisto:
Is Liferay in this scenario the IdP or SP?

IdP

Mika Koivisto:
Liferay as SP can identify the user from NameID only however it's not too hard to extend that to include attributes.


Mika Koivisto:
Liferay as IdP can use emailAddress, screenName, expando attribute and static value as the NameID it can also include expando attributes as attributes in the Response.


Where can I learn more about how to do this?

--

As an aside: for another solution, I am doing screenName (a.k.a. username) through IdP-initiated SSO, intercepting a URL like the one below to create a simple link within the Liferay portal.

https://www.somedomain.com/c/portal/saml/sso?SAMLRequest=blahblah

To intercept it, I created a Liferay SP, shut down my WAN access on the SP side (dev), then hit sign-in from the SP and saw the link that went nowhere; I grabbed that and pasted it into a link on the IdP page to connect to the external non-Liferay SP as IdP-initiated.

--

But the how-to for the other id is my main need right now. Thanks, Mika.

Jack Bakker, modified 10 years ago.

RE: SAML2 plugin : id on on another construct

Liferay Master, Posts: 978, Join Date: 10-1-3
Mika Koivisto:
Liferay as IdP can use emailAddress, screenName, expando attribute and static value as the NameID it can also include expando attributes as attributes in the Response.


So I am wondering what would be involved to use 'expando attribute' + last name (the two concatenated).

Mika Koivisto, modified 10 years ago.

RE: SAML2 plugin : id on on another construct

Liferay Legend, Posts: 1519, Join Date: 06-8-7
Using Liferay as IdP, you can initiate the SSO to the SP using a URL like http://localhost:8080/c/portal/saml/sso?entityId=<sp entity Id>&RelayState=<url on sp where to go after logon>
RelayState is optional. Liferay SP will default it to the home page of the portal.

Jack Bakker:
So I am wondering what would be involved to use 'expando attribute' + lastname (the two concatenated)


We don't support concatenation, but you can extend com.liferay.saml.resolver.DefaultNameIdResolver and override the getNameIdValue() method. Then, to use that class as the NameID resolver, you need to add a property to portal-ext.properties:

saml.idp.metadata.name.id.resolver=com.example.saml.resolver.MyNameIdResolver
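One way to implement what Mika describes, as an added example that is not code from this thread or from Liferay's SAML plugin: a subclass of DefaultNameIdResolver whose getNameIdValue() returns an expando attribute concatenated with the user's last name. The package and class name match the property value quoted above; the expando column name employeeNumber, the separator character, and the protected getNameIdValue(User, String) signature are assumptions that must be checked against the saml-portlet source for your Liferay version.

```java
package com.example.saml.resolver; // matches the saml.idp.metadata.name.id.resolver value above

import com.liferay.portal.kernel.util.Validator;
import com.liferay.portal.model.User;
import com.liferay.portlet.expando.model.ExpandoBridge;
import com.liferay.saml.resolver.DefaultNameIdResolver;

/**
 * NameID resolver that emits "<expando attribute>|<last name>" instead of
 * the single attribute the stock resolver supports.
 *
 * Assumed: DefaultNameIdResolver exposes
 *   protected String getNameIdValue(User user, String spEntityId)
 * (verify against the saml-portlet source for your version).
 */
public class MyNameIdResolver extends DefaultNameIdResolver {

	// Hypothetical custom field on the User expando table; rename to match
	// the column actually defined in Control Panel > Custom Fields.
	private static final String EXPANDO_COLUMN = "employeeNumber";

	// Separator must be a character that can never occur in either field,
	// so the SP can split the NameID unambiguously.
	private static final String SEPARATOR = "|";

	@Override
	protected String getNameIdValue(User user, String spEntityId) {
		String employeeNumber = null;

		ExpandoBridge expandoBridge = user.getExpandoBridge();

		if (expandoBridge.hasAttribute(EXPANDO_COLUMN)) {
			Object value = expandoBridge.getAttribute(EXPANDO_COLUMN);

			if (value != null) {
				employeeNumber = value.toString().trim();
			}
		}

		String lastName = user.getLastName();

		// Never emit a half-built identifier: if either part is missing,
		// fall back to whatever the stock resolver is configured to use
		// (screenName, emailAddress, expando:..., static:...).
		if (Validator.isNull(employeeNumber) || Validator.isNull(lastName)) {
			return super.getNameIdValue(user, spEntityId);
		}

		return employeeNumber + SEPARATOR + lastName.trim();
	}

}
```

Package the class as an overlay of saml-portlet (as Mika suggests further down for cas-web), add the saml.idp.metadata.name.id.resolver line to portal-ext.properties, and restart. The fallback to super.getNameIdValue() is deliberate: a NameID that is silently missing one half would let two different users collide at the SP. Of the three identifier sets in the original post, the employee-number variant is the one to prefer here, since whatever goes into the NameID travels in every assertion and ends up in SP access logs; a SIN has no business there.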
Jack Bakker, modified 10 years ago.

RE: SAML2 plugin : id on on another construct

Liferay Master, Posts: 978, Join Date: 10-1-3
Mika Koivisto:
Using Liferay as IdP you can initiate the SSO to the SP using URL like http://localhost:8080/c/portal/saml/sso?entityId=<sp entity Id>&RelayState=<url on sp where to go after logon>
RelayState is optional. Liferay SP will default it to the home page of the portal.


Well, that's a lot easier than the long garfunkel link I have been using: ?SAMLRequest=muchblahblah&relayState=notRequired&SigAlg=moreblahblah&Signature=evenmore

Jack Bakker:
So I am wondering what would be involved to use 'expando attribute' + lastname (the two concatenated)


Mika Koivisto:

We don't support concatenation but you can extend com.liferay.saml.resolver.DefaultNameIdResolver and override getNameIdValue() method. Then to use that class as the NameID resolver you need to add a property to portal-ext.properties


saml.idp.metadata.name.id.resolver=com.example.saml.resolver.MyNameIdResolver


What type of plugin for this?

Jack Bakker, modified 10 years ago.

RE: SAML2 plugin : id on on another construct

Liferay Master, Posts: 978, Join Date: 10-1-3
Jack Bakker:

What type of plugin for this?


I guess I can put the override in a jar and put it in /lib/ext or in the saml portlet lib?

Is the saml portlet source available?

Jack Bakker, modified 10 years ago.

RE: SAML2 plugin : id on on another construct

Liferay Master, Posts: 978, Join Date: 10-1-3
I now have source for saml ... from the EE marketplace ...

Mika Koivisto, modified 10 years ago.

RE: SAML2 plugin : id on on another construct

Liferay Legend, Posts: 1519, Join Date: 06-8-7
You should extend the saml-portlet similarly to how we've done cas-web. It basically does an overlay on the war file.

Jack Bakker, modified 10 years ago.

RE: SAML2 plugin : id on on another construct

Liferay Master, Posts: 978, Join Date: 10-1-3
Thanks Mika, I am narrowing in.

Jack Bakker, modified 10 years ago.

RE: SAML2 plugin : id on on another construct

Liferay Master, Posts: 978, Join Date: 10-1-3
Would be nice to be able to hook plugin portlets...