

Liferay 7 DXP + SAML single sign-on (SSO)

Hi there, this post is dedicated to SSO authentication in Liferay 7 DXP. Single sign-on is a popular feature that lets users access multiple applications with the same credentials without logging in again. SAML (Security Assertion Markup Language) is the XML-based standard that lets the parties involved exchange the messages needed to authenticate a user.

To make SSO work, our Liferay instance will be configured as an Identity Provider (IdP in SAML terms), and a SimpleSAMLphp application will serve as the Service Provider (SP).

1. As a first step, after SimpleSAMLphp has been installed, we need to configure a custom authentication source, which is in fact our SP.

An authentication source is responsible for authenticating the user, typically by getting a username and password and looking them up in some sort of database.

Our Authentication Source should be added to /simplesamlphp/config/authsources.php:

```php
'lr1dev-sp' => array(
    // Authentication source type: a SAML 2.0 Service Provider.
    'saml:SP',

    // The entity ID of this SP.
    // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
    'entityID' => null,

    // The entity ID of the IdP this SP should contact.
    // Must match the key of the IdP entry in metadata/saml20-idp-remote.php (step 2).
    // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
    'idp' => 'lr1dev-saml-iprovider',

    // The URL to the discovery service.
    // Can be NULL/unset, in which case a builtin discovery service will be used.
    'discoURL' => null,

    // Key pair (files in the SimpleSAMLphp cert directory) used to sign the
    // messages this SP sends, e.g. logout requests to the IdP.
    'privatekey' => 'signmessages.pem',
    'certificate' => 'signmessages.crt',
),
```

Note: privatekey and certificate point to a custom-generated key pair. They are optional, but required if you want to allow users to log out through the IdP; otherwise a Request not signed exception is thrown. See sign.logout in the next section.

2. In this step we specify the entity ID of the target IdP (Liferay in our case) that our SP will talk to. This entity ID is placed in /simplesamlphp/metadata/saml20-idp-remote.php:

```php
$metadata['lr1dev-saml-iprovider'] = array(
    // Single sign-on and single logout endpoint URLs of the Liferay IdP
    'SingleSignOnService'  => '',
    'SingleLogoutService'  => '',
    // Signing certificate of the IdP
    'certificate'          => 'custom-liferay-saml-iprovider.pem',
    // Sign logout requests; requires the SP key pair configured in authsources.php
    'sign.logout'          => true,
);
```

Here the 'certificate' attribute is optional; it may be used in some cases. In short, it is the signing certificate of this IdP.
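The SSO/SLO endpoints and the signing certificate for the entry above all come from the IdP's own SAML metadata document. The following script, an added example for this post and not code from SimpleSAMLphp or Liferay, parses such a metadata document and renders the saml20-idp-remote.php entry, then checks that the IdP's entity ID matches the 'idp' value used in authsources.php. The metadata below is constructed by hand with a placeholder host and a placeholder certificate value; it is not captured from a real Liferay instance.

```python
"""Build a saml20-idp-remote.php entry from SAML 2.0 IdP metadata.

Added example for this post (not SimpleSAMLphp or Liferay code). Assumes the IdP
publishes standard SAML 2.0 metadata; the sample document is constructed.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: placeholder host and certificate, not a real deployment.
SAMPLE_IDP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="lr1dev-saml-iprovider">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          MIICPLACEHOLDERCERTIFICATEVALUE==
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://liferay.example.test/c/portal/saml/slo_redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://liferay.example.test/c/portal/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://liferay.example.test/c/portal/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _endpoint(idp, name):
    """Location of the endpoint, preferring HTTP-Redirect over HTTP-POST."""
    for binding in (HTTP_REDIRECT, HTTP_POST):
        for el in idp.findall("md:%s" % name, NS):
            if el.get("Binding") == binding:
                return el.get("Location")
    return None


def parse_idp_metadata(xml_text):
    """Extract entity ID, SSO/SLO endpoints and signing certificate from IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this entity is not an IdP")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute serves both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            certs.append("".join((cert.text or "").split()))
    if not certs:
        raise ValueError("no signing certificate: the SP could not verify IdP signatures")
    return {
        "entityID": root.get("entityID"),
        "SingleSignOnService": _endpoint(idp, "SingleSignOnService"),
        "SingleLogoutService": _endpoint(idp, "SingleLogoutService"),
        "certData": certs[0],
    }


def _php_str(value):
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def to_php_entry(info, sign_logout=True):
    """Render the parsed metadata as a $metadata[...] entry for saml20-idp-remote.php."""
    if not info["SingleSignOnService"]:
        raise ValueError("IdP publishes no SingleSignOnService endpoint")
    if sign_logout and not info["SingleLogoutService"]:
        raise ValueError("sign.logout requested but the IdP has no SingleLogoutService")
    lines = ["$metadata[%s] = array(" % _php_str(info["entityID"])]
    lines.append("    'SingleSignOnService'  => %s," % _php_str(info["SingleSignOnService"]))
    if info["SingleLogoutService"]:
        lines.append("    'SingleLogoutService'  => %s," % _php_str(info["SingleLogoutService"]))
    # certData carries the base64 certificate inline instead of a 'certificate' file.
    lines.append("    'certData'             => %s," % _php_str(info["certData"]))
    lines.append("    'sign.logout'          => %s," % ("true" if sign_logout else "false"))
    lines.append(");")
    return "\n".join(lines)


def check_against_authsource(info, authsource_idp):
    """The 'idp' value in authsources.php must equal the IdP entity ID, which is also
    the key of the saml20-idp-remote.php entry; otherwise the SP cannot find the IdP."""
    return info["entityID"] == authsource_idp


if __name__ == "__main__":
    idp_info = parse_idp_metadata(SAMPLE_IDP_METADATA)
    assert check_against_authsource(idp_info, "lr1dev-saml-iprovider")
    print(to_php_entry(idp_info))
```

Running the script prints a ready-to-paste entry; the generated 'certData' line is the inline equivalent of the 'certificate' file used in the post, and the script refuses to emit a sign.logout entry when the IdP publishes no logout endpoint, since signed logout requests would have nowhere to go.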

At this point the SimpleSAMLphp configuration is complete, and we can proceed to the Liferay part.

3. We assume that the Liferay SAML 2.0 Provider plugin is already installed in the Liferay instance. Now we need to configure it to serve as an IdP. Navigate to the Liferay SAML configuration, General tab, specify the ID of the new IdP (lr1dev-saml-iprovider, the same entity ID referenced in the SimpleSAMLphp configuration above) and generate a private key/certificate (generating these keys is required):


4. The Identity Provider tab should look like this:

If custom fields (expandos) need to be retrieved from the IdP, we can add them to the "Attributes" list, e.g. "expando:phone-number".

5. Service Provider tab. Add our service provider (lr1dev-sp) by its metadata URL:


Alright, the configuration is done; it's time to write a simple PHP page that uses our service provider to authenticate a user against the Liferay IdP. Here's the code:

```php
<!DOCTYPE html>
<html>
<head>
    <title>SAML Login</title>
</head>
<body>
<h1>SAML test login</h1>

<?php
# load the SimpleSAMLphp autoloader (installed under /simplesamlphp in this post)
require_once('/simplesamlphp/lib/_autoload.php');

# select our authentication source:
$as = new \SimpleSAML\Auth\Simple('lr1dev-sp');

# request authentication: redirects to the Liferay IdP if the user has no session yet
$as->requireAuth();

# print credentials (escaped, since attribute values come from the IdP response)
$attributes = $as->getAttributes();

echo '<br/>Email address <b>' . htmlspecialchars($attributes["emailAddress"][0]) . '</b> successfully authenticated on Liferay and logged back into application server.<br/><br/>';
?>
</body>
</html>
```


When we open this page, we are immediately redirected to the Liferay login page, and after a successful login we are redirected back to the app, where some Liferay user attributes are rendered.

That's it, we have configured Liferay 7 DXP coupled with the SimpleSAMLphp app. I hope this post was useful.


Tags: liferay

