You will need Apache Fediz version 1.3.0 or higher if you want to set up this use case yourself.
Install Liferay Portal with Fediz Plugin
First download and extract Liferay bundled with Tomcat (I used liferay-portal-6.2-ce-ga5). Enable the HTTPS port in
liferay-portal-6.2-ce-ga5/tomcat-7.0.62/conf/server.xml

<Server port="8005" shutdown="SHUTDOWN">
  . . .
  <Service name="Catalina">
    . . .
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="idp-ssl-key.jks" keystorePass="tompass"
               clientAuth="false" sslProtocol="TLS" />
  </Service>
</Server>

I reused the idp-ssl-key.jks file from the IDP Tomcat to keep things simple. Of course you can also use a different keystore, and for anything beyond a local demo you should: reusing the IDP keystore means the portal and the IDP share one TLS private key. Your keystore should be stored in your Tomcat root folder liferay-portal-6.2-ce-ga5/tomcat-7.0.62/, because a relative keystoreFile path is resolved against that directory.
Now you can start Liferay for a first setup. Simply execute
liferay-portal-6.2-ce-ga5/tomcat-7.0.62/bin/startup.sh
After Tomcat startup is complete you can open the setup page at https://localhost:8443/
I continued with the default values (except for the email address) and simply clicked "Finish Configuration". After that you have to wait until the Liferay installation is complete. Next you will see the license confirmation page, which you need to confirm. After that you can set your password reminder as well as the administration password.
The OpenID Connect extension which we will install in the following section requires a user group UnityUser, which is assigned to every new user when they log in to the portal for the very first time. Therefore we must create this user group first under
control panel -> Users -> User Groups -> Add
Your Liferay Portal is now up and running, so let's continue with enabling OpenID Connect for your portal.
Register Liferay Portal at OIDC Provider
After starting your OIDC service, you can register the Liferay Portal under the following URL: https://localhost:9443/fediz-oidc/clients/register. You will need the Client Identifier as well as the Client Secret in the following section.
Install OpenIdConnect Extension for Liferay
You will need the OpenIdConnectLiferay extension, which you can clone from GitHub. Further information on installing this extension can be found on the author's web page. You'll need to update the configuration within
it.infn.ct.security.liferay.openidconnect.utils.Authenticator

public Authenticator(State state) {
    // Client ID and secret exactly as issued at registration. The secret is a credential:
    // keep it out of public repositories.
    authC = new ClientSecretBasic(new ClientID("hLiSIY6b1X_0Jg"), new Secret("llPySiI1aEwyIgsnyBu6aA"));
    this.state = state;
    try {
        callback = new URI("https://localhost:8443/c/portal/login");            // redirect URI of the portal
        oauthS = new URI("https://localhost:9443/fediz-oidc/idp/authorize");    // authorization endpoint
        tokenS = new URI("https://localhost:9443/fediz-oidc/oauth2/token");     // token endpoint
        userS = new URI("https://localhost:9443/fediz-oidc/users/userinfo");    // UserInfo endpoint
        tokenCertSign = new URI("https://localhost:9443/fediz-oidc/jwk/keys");  // JWK set for ID token signatures
        issuer = "accounts.fediz.com";  // must equal the iss claim of the ID token
        aud = "hLiSIY6b1X_0Jg";         // must be contained in the aud claim (the client ID)
    } catch (URISyntaxException ex) {
        _log.error(ex);
    }
}
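The constructor above only configures endpoints, issuer and audience. What a client has to do with those values once the browser comes back to the callback URL is where OIDC integrations usually go wrong, so here is the client-side flow as an added example in Python. This is not code from the Liferay extension, from Fediz or from the Nimbus library the extension uses: it builds the authorization request with fresh state and nonce values, rejects a callback whose state does not match, and then validates the ID token (allow-listed alg, signature, iss, aud/azp, exp, nonce) against the issuer and audience values from the constructor. The same flow is what the "Test your Setup" section at the end of this post walks through from the browser's point of view. The RS256 path verifies against a JWK in the shape served by the jwk/keys endpoint; the HS256 path, keyed with the client secret, is what the offline run exercises. mint_hs256_token and the sample claims are constructed test data, and the callback is assumed to arrive as a plain URL string.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Values copied from the Authenticator configuration on this page.
ISSUER = "accounts.fediz.com"
CLIENT_ID = "hLiSIY6b1X_0Jg"
CLIENT_SECRET = "llPySiI1aEwyIgsnyBu6aA"
AUTHORIZE_URL = "https://localhost:9443/fediz-oidc/idp/authorize"
CALLBACK_URL = "https://localhost:8443/c/portal/login"
# Explicit allow-list: a token whose alg is "none" (or anything not listed) is rejected.
ALLOWED_ALGS = {"RS256", "HS256"}

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def build_authorization_request():
    """Step 1: the redirect to the provider. state and nonce go into the server-side session."""
    state, nonce = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    params = {"response_type": "code", "client_id": CLIENT_ID, "scope": "openid",
              "redirect_uri": CALLBACK_URL, "state": state, "nonce": nonce}
    return AUTHORIZE_URL + "?" + urlencode(params), state, nonce

def parse_callback(callback_url, expected_state):
    """Step 2: browser returns to /c/portal/login?code=...&state=...; reject on state mismatch (login CSRF)."""
    qs = parse_qs(urlparse(callback_url).query)
    got = qs.get("state", [""])[0]
    if not hmac.compare_digest(got.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    if "code" not in qs:
        raise ValueError("no authorization code in callback")
    return qs["code"][0]

def rs256_verify(signing_input, sig, jwk):
    """RSASSA-PKCS1-v1_5/SHA-256 check using only n and e of one JWK (as served by jwk/keys)."""
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    digest_info = bytes.fromhex("3031300d060960864801650304020105000420") + hashlib.sha256(signing_input).digest()
    expected = b"\x00\x01" + b"\xff" * (k - len(digest_info) - 3) + b"\x00" + digest_info
    return hmac.compare_digest(em, expected)

def verify_id_token(token, expected_nonce, jwks, now=None):
    """Step 3: OIDC Core 3.1.3.7 checks on the ID token: signature, iss, aud/azp, exp, nonce."""
    now = int(time.time()) if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header, claims = json.loads(b64url_decode(h64)), json.loads(b64url_decode(p64))
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    signing_input, sig = (h64 + "." + p64).encode(), b64url_decode(s64)
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        raise ValueError("unacceptable alg %r" % alg)
    if alg == "HS256":  # symmetric, keyed with the client secret (OIDC Core 10.1)
        mac = hmac.new(CLIENT_SECRET.encode(), signing_input, hashlib.sha256).digest()
        ok = hmac.compare_digest(mac, sig)
    else:  # RS256: RSA keys from the JWK set, narrowed by kid when the header has one
        kid = header.get("kid")
        ok = any(rs256_verify(signing_input, sig, k) for k in jwks.get("keys", [])
                 if k.get("kty") == "RSA" and (kid is None or k.get("kid") == kid))
    if not ok:
        raise ValueError("signature verification failed")
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer %r" % claims.get("iss"))
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud or claims.get("azp", CLIENT_ID) != CLIENT_ID:
        raise ValueError("token was not issued to this client")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    if not hmac.compare_digest(str(claims.get("nonce", "")).encode(), expected_nonce.encode()):
        raise ValueError("nonce mismatch")
    return claims

def mint_hs256_token(claims):
    """Constructed test data only: mints an HS256 token as a provider would, for offline runs."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(CLIENT_SECRET.encode(), (header + "." + body).encode(), hashlib.sha256).digest()
    return header + "." + body + "." + b64url_encode(mac)

def rejects(fn, *args, **kwargs):
    """True if fn raises ValueError; used to exercise the negative cases."""
    try:
        fn(*args, **kwargs)
    except ValueError:
        return True
    return False
```

In the real flow the code returned by parse_callback is exchanged at the token endpoint (oauth2/token) using the client ID and secret as HTTP Basic credentials, and the JWK set is fetched from jwk/keys; neither network call is made here. The order of checks matters: the signature is verified before any claim is read, and a token carrying alg "none" is refused before it gets that far.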
Now you can build and deploy this extension.
$ mvn clean install
You will find a jar file including all dependencies at
OpenIdConnectLiferay/target/OpenIdConnectLiferay-0.1-jar-with-dependencies.jar
You need to copy this jar file to liferay-portal-6.2-ce-ga5/tomcat-7.0.62/lib/ext/
Next you need to create (or modify if it already exists) the following file
liferay-portal-6.2-ce-ga5/tomcat-7.0.62/webapps/ROOT/WEB-INF/classes/portal-ext.properties
to activate the OpenID Connect login handler:

auto.login.hooks=\
    it.infn.ct.security.liferay.openidconnect.OpenIdConnectAutoLogin,\
    com.liferay.portal.security.auth.CASAutoLogin,\
    com.liferay.portal.security.auth.FacebookAutoLogin,\
    com.liferay.portal.security.auth.NtlmAutoLogin,\
    com.liferay.portal.security.auth.OpenIdAutoLogin,\
    com.liferay.portal.security.auth.OpenSSOAutoLogin,\
    com.liferay.portal.security.auth.RememberMeAutoLogin,\
    com.liferay.portal.security.auth.SiteMinderAutoLogin
Now you should restart your Tomcat, after which you can open the following login URL: https://localhost:8443/c/portal/login?openIdLogin=true. This time you should get redirected to the Fediz IDP for user authentication (login). After a successful login you should see your portal again with an active user session.
For debugging purposes it can also be helpful to increase the log level by adding the following line to
liferay-portal-6.2-ce-ga5/tomcat-7.0.62/conf/logging.properties
it.infn.ct.security.liferay.openidconnect.level = FINE
Test your Setup: Login with OpenID Connect
Now you can validate whether your setup is working as expected. Open the following URL in your browser: https://localhost:8443/c/portal/login?openIdLogin=true
Make sure to logout first, if you are still logged in at your portal.
You should get redirected to the Fediz IDP Login page and after login (bob:bob) you should get redirected back to your Liferay portal.
When you log in for the very first time, you should see a screen to confirm the "Terms of Use". After that you will be asked to enter a new password. This password can be used to log in without SSO / OpenID Connect, so you should choose a complex password. As long as you use SSO, however, you will never be asked to enter this password again. The same applies to the password reminder.
Once that is done, you will see the start screen of the Liferay Portal.
Now you can log out and log in again with the above URL. This time you will be logged in directly without any additional steps or questions.
You have been successful!
Hi, I tried to use it for LR 6.2.1 and compiled the extension with the LR 6.2.1 dependencies. I could not restart LR, getting something like:
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'com.liferay.portal.kernel.util.InfrastructureUtil' defined in class path resource [META-INF/infrastructure-spring.xml]: Initialization of bean failed; nested exception is org.springframework.beans.ConversionNotSupportedException: Failed to convert property value of type 'javax.mail.Session' to required type 'javax.mail.Session' for property 'mailSession'; nested exception is java.lang.IllegalStateException: Cannot convert value of type [javax.mail.Session] to required type [javax.mail.Session] for property 'mailSession': no matching editors or conversion strategy found
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:526)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBea
Hi Unknown,
Your type of error message is usually related to a class-loading issue. It is most likely that 'javax.mail.Session' is included in two different libraries (or versions of a single library).
Hi Jan Bernhardt,
I am using Liferay 6.2 CE GA6 for OpenID Connect integration.
I have created a sample account at auth0.com as OIDC provider.
From that I get the required data that needs to be passed into the openidconnect project.
My question is whether using www.auth0.com will work with OpenID Connect for authentication,
or whether I have to use "Apache Fediz version".
Hope I will get an answer from you soon.
Thanks,
Krunal Patel
If you just want to authenticate against Liferay with OpenID Connect and you are using another OIDC Provider you don't need to use Apache Fediz for that. Just follow the instructions under "Install OpenIdConnect Extension for Liferay" to setup your portal for OIDC.