
Liferay OneLogin & SAML Integration

OneLogin Configuration

Create an app connector in OneLogin

  • Access OneLogin.
  • Go to Apps > Add Apps.
  • Search for SAML Test Connector.
  • Select the SAML Test Connector (IdP w/ attr) app.

Define identity provider values in onelogin.saml.properties

In this step, select the identity provider values for your app so it can communicate with OneLogin.

  • Open onelogin.saml.properties (/modules/saml_sso/src/main/resources/onelogin.saml.properties).
  • Select the SSO tab in the OneLogin app connector UI.
  • Copy values from the SSO tab and paste them into the ‘idp’ (identity provider, the parameters that start with onelogin.saml2.idp) section of onelogin.saml.properties, as shown below.

  OneLogin SSO tab field             onelogin.saml.properties key
  ---------------------------------  ---------------------------------------------
  Issuer URL                         onelogin.saml2.idp.entityid
  SAML 2.0 Endpoint (HTTP)           onelogin.saml2.idp.single_sign_on_service.url
  SLO Endpoint (HTTP)                onelogin.saml2.idp.single_logout_service.url
  X.509 Certificate > View Details   onelogin.saml2.idp.x509cert

  • Save onelogin.saml.properties.

Define service provider values in onelogin.saml.properties

In this step, define the service provider values to identify your app to OneLogin. To do this:

  • Open onelogin.saml.properties (/modules/saml_sso/src/main/resources/onelogin.saml.properties).
  • The following values identify your Liferay instance; change them to match your deployment:
    1. onelogin.saml2.sp.entityid = https://yourdomain.com
    2. onelogin.saml2.sp.assertion_consumer_service.url = https://yourdomain.com
    3. onelogin.saml2.sp.single_logout_service.url = https://yourdomain.com/c/portal/saml/sls
  • For onelogin.saml2.sp.nameidformat, keep emailAddress.
  • Save onelogin.saml.properties.
  • In the OneLogin app connector UI, select the Configuration tab.
  • Copy values from onelogin.saml.properties into the Configuration tab fields as shown below.

  onelogin.saml.properties value                     Configuration tab field
  -------------------------------------------------  ------------------------------
  onelogin.saml2.sp.assertion_consumer_service.url   ACS (Consumer) URL, Recipient
  onelogin.saml2.sp.single_logout_service.url        Single Logout URL
  onelogin.saml2.sp.entityid                         Audience

  • In the OneLogin app connector UI (still open from the previous task), select the Configuration tab.
  • You can leave RelayState blank; OneLogin then honours the value sent by the service provider.
  • For the initial test, set ACS (Consumer) URL Validator to .*.
  • Once you have verified that the connection between your app and OneLogin works, replace .* with a regular expression that matches only your real ACS URL, so that OneLogin performs an actual validation of the consumer URL.
  • Your Configuration tab should now contain the values above.
  • Click Save.
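A mis-filled onelogin.saml.properties (an http:// ACS URL, an expired IdP certificate, a NameID format other than emailAddress) is easy to miss until the first real login fails. The following is an added example, not part of the module described on this page: it loads the properties file with java-saml's SettingsBuilder, forces strict mode, runs the SDK's own consistency checks and adds the deployment checks a reviewer would want. The class name SamlSettingsCheck, the default file path and the decision to override onelogin.saml2.strict are assumptions; the property keys are the ones this page uses.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

import com.onelogin.saml2.settings.Saml2Settings;
import com.onelogin.saml2.settings.SettingsBuilder;

/** Added example (hypothetical class): fail-fast verification of onelogin.saml.properties. */
public final class SamlSettingsCheck {

    /** Loads the properties file and returns every problem found; an empty list means "safe to deploy". */
    public static List<String> check(String propertiesPath) throws Exception {
        Properties props = new Properties();
        try (InputStream in = new FileInputStream(propertiesPath)) {
            props.load(in);
        }

        Saml2Settings settings = new SettingsBuilder().fromProperties(props).build();
        // Strict mode makes java-saml reject responses whose signature, audience, destination or
        // validity window do not match these settings, whatever onelogin.saml2.strict says in the file
        settings.setStrict(true);

        // The SDK's own checks: required SP/IdP fields present, x509cert parseable, and so on
        List<String> problems = new ArrayList<>(settings.checkSettings());

        // Deployment checks the SDK does not make: every endpoint must be served over TLS
        requireHttps(problems, "onelogin.saml2.sp.assertion_consumer_service.url",
            settings.getSpAssertionConsumerServiceUrl());
        requireHttps(problems, "onelogin.saml2.sp.single_logout_service.url",
            settings.getSpSingleLogoutServiceUrl());
        requireHttps(problems, "onelogin.saml2.idp.single_sign_on_service.url",
            settings.getIdpSingleSignOnServiceUrl());

        X509Certificate idpCert = settings.getIdpx509cert();
        if (idpCert == null) {
            problems.add("onelogin.saml2.idp.x509cert is missing: responses cannot be signature-checked");
        } else {
            try {
                idpCert.checkValidity(); // throws if the IdP signing certificate is expired or not yet valid
            } catch (Exception e) {
                problems.add("onelogin.saml2.idp.x509cert is not currently valid: " + e.getMessage());
            }
        }

        // The AutoLogin on this page looks users up by e-mail, so the NameID must be an e-mail address
        String nameIdFormat = settings.getSpNameIdFormat();
        if (nameIdFormat == null || !nameIdFormat.endsWith(":emailAddress")) {
            problems.add("onelogin.saml2.sp.nameidformat must be "
                + "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, found: " + nameIdFormat);
        }

        return problems;
    }

    private static void requireHttps(List<String> problems, String key, URL url) {
        if (url == null) {
            problems.add(key + " is not set");
        } else if (!"https".equalsIgnoreCase(url.getProtocol())) {
            problems.add(key + " must use https, found: " + url);
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed path: the module resource named on this page
        String path = args.length > 0 ? args[0]
            : "modules/saml_sso/src/main/resources/onelogin.saml.properties";
        List<String> problems = check(path);
        if (problems.isEmpty()) {
            System.out.println("onelogin.saml.properties passed all checks");
        } else {
            problems.forEach(p -> System.out.println("PROBLEM: " + p));
            System.exit(1);
        }
    }
}
```

Run it as a build step or a startup self-test; a non-zero exit means the module would accept a configuration that either cannot verify OneLogin's signature or would carry assertions over plain HTTP.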

Liferay SAML Module

Liferay Login and Logout Filter

  • URL patterns
    1. /c/portal/login
    2. /c/portal/logout
  • Class: com.ktree.saml.SAMLLoginLogoutFilter
  • It handles login and logout and redirects the browser to OneLogin for authentication.
  • It checks the SAML_LOGIN attribute in the session; if it is present the request is passed on to AutoLogin, otherwise the user is redirected to OneLogin for authentication.

// Uses com.onelogin.saml2.Auth (java-saml) and com.liferay.portal.kernel.util.Validator;
// PropsReader is the module's own properties helper.
@Override
protected void processFilter(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
    throws Exception {

    logger.info("======== Login Logout Filter ==========");
    HttpSession session = request.getSession();

    // getPathInfo() may be null for some servlet mappings; never dereference it unchecked
    String pathInfo = request.getPathInfo();
    if (pathInfo == null) {
        pathInfo = "";
    }

    // A previous request asked for a forced logout: finish it with a redirect
    Object forceLogout = session.getAttribute("SAML_FORCE_LOGOUT");
    if (forceLogout != null) {
        session.removeAttribute("SAML_FORCE_LOGOUT");
        String logoutUrl = "https://secure2.ktree.org/";
        response.sendRedirect(logoutUrl);
        return;
    }

    if (pathInfo.contains("/portal/logout")) {
        // SP-initiated single logout: send a LogoutRequest to OneLogin, then drop the local session
        try {
            String relayState = PropsReader.get("saml.default.landing.page");
            Auth auth = new Auth(request, response);
            auth.logout(relayState);
            session.invalidate();
        } catch (Exception e) {
            logger.error(e, e);
        }
        return;
    }

    // Login: if the ACS already recorded a validated SAML login, let the chain continue so AutoLogin can act
    Object login = session.getAttribute("SAML_LOGIN");
    if (Validator.isNotNull(login)) {
        processFilter(SAMLLoginLogoutFilter.class.getName(), request, response, filterChain);
        return;
    }

    // Otherwise start SP-initiated SSO. The redirect parameter travels to OneLogin as RelayState and
    // comes back in the ACS unchanged and untrusted, so the ACS must validate it before following it.
    String redirectUrl = request.getParameter("redirect");
    Auth auth = new Auth(request, response);
    auth.login(redirectUrl);
}



Assertion Consumer Service (ACS URL)

  • URL pattern: /c/portal/saml/acs
  • Class name: com.ktree.saml.SAMLAcsService
  • This is a Liferay filter; OneLogin redirects the browser to it after login.
  • It validates the SAML response using the OneLogin java-saml SDK.
  • If the login is valid, it stores the NameID in the session, where Liferay's AutoLogin picks it up.

@Override
protected void processFilter(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
    throws Exception {

    logger.info("======== SAML ACS ==========");
    Auth auth = new Auth(request, response);
    // Validates the SAMLResponse posted by OneLogin against the settings in onelogin.saml.properties
    auth.processResponse();

    if (!auth.isAuthenticated()) {
        // Never fall through silently: record why the response was rejected and stop the request
        logger.error("SAML response rejected: " + auth.getErrors() + " - " + auth.getLastErrorReason());
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
        return;
    }

    // Read the NameID only after validation succeeded
    String nameId = auth.getNameId();
    logger.info("==> User logged in, setting attribute for AutoLogin");
    request.getSession().setAttribute("SAML_LOGIN", nameId);

    // RelayState is taken from the request and is attacker-controllable: restrict it to your own portal
    // (site-relative path or your own host) before following it, or this is an open redirect
    String relayState = ParamUtil.getString(request, "RelayState");
    if (relayState.isEmpty() || relayState.endsWith("/c/portal/login")) {
        relayState = PropsReader.get("saml.default.landing.page");
    }
    response.sendRedirect(relayState);
}

Single Logout Service (SLS)

  • URL pattern: /c/portal/saml/sls
  • Class name: com.ktree.saml.SAMLSlsService
  • This filter is responsible for processing the logout request or response.
  • OneLogin redirects the browser to it after logout.

@Override
protected void processFilter(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
    throws Exception {

    logger.info("======== SAML SLS ==========");
    Auth auth = new Auth(request, response);
    // Handles both a LogoutResponse (our own logout completing) and an IdP-initiated LogoutRequest;
    // for a LogoutRequest, java-saml invalidates the session and redirects back to OneLogin itself
    auth.processSLO();
    List<String> errors = auth.getErrors();
    if (errors.isEmpty()) {
        logger.info("User successfully logged out");
    } else {
        logger.error("SLO failed: " + errors + " - " + auth.getLastErrorReason());
    }

    if (response.isCommitted()) {
        // java-saml already sent the LogoutResponse redirect; a second sendRedirect would throw
        return;
    }

    // RelayState is attacker-controllable: restrict it to your own portal before following it
    String relayState = ParamUtil.getString(request, "RelayState");
    if (relayState.isEmpty() || relayState.endsWith("/c/portal/login")) {
        relayState = PropsReader.get("saml.default.landing.page");
    }
    response.sendRedirect(relayState);
}
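Both the ACS and the SLS above pass RelayState straight from the request to sendRedirect, with only the empty and /c/portal/login cases replaced by the landing page. Anyone who can get a user to start a login with a crafted redirect parameter therefore gets them bounced to a site of their choosing after a successful SSO. The resolver below is an added example, not part of the module: it follows RelayState only when it is a site-relative path or an https URL on the portal's own host, and otherwise falls back to saml.default.landing.page. The class name RelayStateResolver, the host yourdomain.com, the landing page and the sample values in main are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

/** Added example (hypothetical class): chooses a safe post-SSO redirect target from RelayState. */
public final class RelayStateResolver {

    private final String portalHost;          // e.g. "yourdomain.com"
    private final String defaultLandingPage;  // value of saml.default.landing.page

    public RelayStateResolver(String portalHost, String defaultLandingPage) {
        this.portalHost = portalHost.toLowerCase(Locale.ROOT);
        this.defaultLandingPage = defaultLandingPage;
    }

    /** Returns relayState if it points back into this portal, otherwise the default landing page. */
    public String resolve(String relayState) {
        return isSafe(relayState) ? relayState : defaultLandingPage;
    }

    boolean isSafe(String value) {
        if (value == null || value.isEmpty()) {
            return false;
        }
        // Browsers normalise backslashes to slashes, so "/\evil.example" would become "//evil.example"
        if (value.indexOf('\\') >= 0) {
            return false;
        }
        // Round-tripping to the login endpoint would restart SSO; use the landing page (the page's own rule)
        if (value.endsWith("/c/portal/login")) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(value);
        } catch (URISyntaxException e) {
            return false;
        }
        if (uri.getScheme() == null) {
            // Relative reference: safe only as a site-relative path, never protocol-relative ("//host")
            return uri.getRawAuthority() == null && value.startsWith("/") && !value.startsWith("//");
        }
        // Absolute URL: only https on exactly the portal host; java.net.URI keeps userinfo out of getHost()
        return "https".equalsIgnoreCase(uri.getScheme())
            && uri.getHost() != null
            && uri.getHost().toLowerCase(Locale.ROOT).equals(portalHost);
    }

    public static void main(String[] args) {
        RelayStateResolver resolver = new RelayStateResolver("yourdomain.com", "/group/guest/home");
        // Constructed sample RelayState values and what each resolves to
        String[] samples = {
            "/web/guest/dashboard",                      // site-relative: followed
            "https://yourdomain.com/web/guest/docs",     // own host over https: followed
            "https://yourdomain.com/c/portal/login",     // login endpoint: landing page
            "//evil.example/phish",                      // protocol-relative: landing page
            "https://evil.example/phish",                // other host: landing page
            "https://yourdomain.com@evil.example/",      // userinfo trick, host is evil.example: landing page
            "/\\evil.example",                           // backslash trick: landing page
            "javascript:alert(1)",                       // non-http scheme: landing page
            ""                                           // empty: landing page
        };
        for (String s : samples) {
            System.out.printf("%-45s -> %s%n", s, resolver.resolve(s));
        }
    }
}
```

In the ACS and SLS filters, `response.sendRedirect(resolver.resolve(relayState))` replaces the bare `sendRedirect(relayState)`; the same resolver can be applied to the redirect parameter in the login filter before it is handed to `auth.login`, so that nothing untrusted is ever carried through OneLogin in the first place.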

Auto Login for SAML

  • It plays the key role of authenticating the user on the Liferay side.
  • It reads the NameID from the session, where the ACS stored it.
  • It looks the user up by that NameID and hands the user's credentials to Liferay, which then establishes the portal session for that user.

@Override
protected String[] doLogin(HttpServletRequest request, HttpServletResponse response)
    throws Exception {

    HttpSession session = request.getSession();
    long companyId = _portal.getCompanyId(request);

    // Only act when the ACS has recorded a validated SAML NameID (the user's e-mail address)
    String login = (String)session.getAttribute("SAML_LOGIN");
    if (login == null) {
        return null;
    }
    logger.info("========SAML Auto Login==========");

    // fetchUserByEmailAddress returns null for an unknown address instead of throwing NoSuchUserException
    User user = _userLocalService.fetchUserByEmailAddress(companyId, login);
    if (user == null) {
        logger.warn("SAML NameID " + login + " does not match any Liferay user in company " + companyId);
        // Drop the marker so the lookup is not repeated on every request of this session
        session.removeAttribute("SAML_LOGIN");
        return null;
    }

    addRedirect(request);

    // AutoLogin contract: user id, password, and whether the password is already encrypted
    String[] credentials = new String[3];
    credentials[0] = String.valueOf(user.getUserId());
    credentials[1] = user.getPassword();
    credentials[2] = Boolean.TRUE.toString();

    return credentials;
}

API Credential

  • Log in to OneLogin as an administrator.
  • Navigate to https://.onelogin.com/admin or click the Administrator option.
  • Choose API Credentials under DEVELOPERS.
  • Click Save to store the API credentials; a popup then displays the credentials (Client ID and Client Secret).
