SSO within Liferay can be implemented via SAML, OAuth, CAS or OpenID. Liferay has supported CAS and OpenID for a couple of versions. SAML is new in 6.1 and OAuth is in the development stage.
Liferay Portal supports SAML 2.0 through a plug-in. The plug-in is available for the EE version and is not available in the free community edition of Liferay Portal. Based on the SAML specification, Liferay can be either an identity provider or a service provider.
For OAuth, Liferay can act as an OAuth client, but not as a service provider. The service provider will be available in Liferay 6.2. OAuth is implemented as a portlet.
Liferay built the SAML 2.0 plug-in based on OpenSAML. It also contains the code necessary to provide SOAP Based Single Logout, which will log you out of each system that you had previously SSO’d into.
In the current version of Liferay (6.1), configuration is done through preferences and XML files. This implementation can cause problems when changing the server, because some of the data is stored in the preferences.
For SAML, Liferay 6.2 adds the following features:
- Adds a GUI to configure endpoints
- Caching of Metadata (this is a problem in 6.1 now because data is pre-loaded for >50 endpoints)
- Manual reload of Metadata
- HTTP based Single Logout (only SOAP in 6.1)
- Assertions containing user:
  - Sites (in 6.1)
  - Site Roles
  - User Group
  - Roles
  - Expando (in 6.1)
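How a service provider might consume an assertion carrying the user attributes listed above, as an added example (not Liferay's or the plug-in's code). The attribute names, issuer URL and role allow-list are assumptions, and the assertion's signature and conditions are assumed to have been validated before this step.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion; the attribute names (roles, userGroups,
# siteRoles) are assumptions, not names documented by Liferay.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" Version="2.0" IssueInstant="2013-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/liferay</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="roles">
      <saml:AttributeValue>Power User</saml:AttributeValue>
      <saml:AttributeValue>Administrator</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="userGroups">
      <saml:AttributeValue>Finance</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="siteRoles">
      <saml:AttributeValue>Intranet:Site Owner</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Local policy (assumed): only these IdP-asserted roles are honoured by the SP.
ALLOWED_ROLES = {"Power User", "User"}


def parse_user_attributes(assertion_xml, trusted_issuer):
    """Return (subject, attributes) from an already signature-verified assertion."""
    if "<!DOCTYPE" in assertion_xml or "<!ENTITY" in assertion_xml:
        raise ValueError("DTD/entity declarations are not allowed in SAML messages")
    root = ET.fromstring(assertion_xml)
    if root.findtext("saml:Issuer", namespaces=NS) != trusted_issuer:
        raise ValueError("assertion issued by an untrusted IdP")
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return subject, attrs


def effective_roles(attrs):
    """Intersect asserted roles with the SP's allow-list instead of trusting them."""
    return sorted(set(attrs.get("roles", [])) & ALLOWED_ROLES)
```

With the sample above, the asserted "Administrator" role is dropped because the service provider's allow-list does not include it.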
Liferay suggests that if you are going to use SAML, you have users go to Liferay first to log in rather than going to the client (service provider) first. When users go to a service provider first, extra steps are required to go back to Liferay for the process.
OAuth is configured through the OAuth portlet. Liferay’s implementation of OAuth is based on the OpenSocial specifications. As mentioned, OAuth is not available in Liferay 6.1, so it is still undergoing development.
Any idea on when SAML will work with CE?
AssureBridge makes a multi-tenant Liferay adapter that supports multiple IdPs. It supports SAML 1.1, SAML 2.0, OpenID, WS-Federation, LDAP and Active Directory.
http://www.assurebridge.com/integrations/liferay-saml-single-sign-on-integration/
Thanks,
Oleg
Hi Oleg,
How to get the MultiTenant adapter?