17 December 2015

Liferay Portal Integration with Fediz OpenID Connect

I was given the task to provide a security solution to enable SSO in a Liferay portal based on OpenID Connect with the Apache Fediz OIDC Service. In this post I'll explain how to get this done.

You will need Apache Fediz version 1.3.0 or higher, if you want to setup this use case by yourself

Install Liferay Portal with Fediz Plugin

First download and extract Liferay bundled with Tomcat. (I used liferay-portal-6.2-ce-ga5)

Enable HTTPs port in liferay-portal-6.2-ce-ga5/tomcat-7.0.62/conf/server.xml
<Server port="8005" shutdown="SHUTDOWN">

     . . .

    <Service name="Catalina">

         . . . 

        <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
             maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="idp-ssl-key.jks"
             keystorePass="tompass"
             clientAuth="false"
             sslProtocol="TLS" />

    </Service>
</Server>
I reused the idp-ssl-key.jks file from the IDP Tomcat to keep things simple. Of course you can also use a different keystore. Your keystore should be stored in your tomcat root folder liferay-portal-6.2-ce-ga5/tomcat-7.0.62/.

Now you can start Liferay for a first setup. Simply execute liferay-portal-6.2-ce-ga5/tomcat-7.0.62/bin/startup.sh

After Tomcat startup is complete you can invoke the server page at https://localhost:8443/.

I continued with the default values (except for the Email address) and simply clicked "Finish Configuration". After that you have to wait until Liferay installation is complete. Next you will see the license confirmation page, which you need to confirm. After that you can set your password reminder as well as the administration password.

The OpenID Connect Extension which we will install in the following section requires a user group UnityUser which will be applied for all new users when then login the very first time to the portal. Therefore we must create this user group first under control panel -> Users -> User Groups -> Add


Your Liferay Portal is now up and running so lets continue next on enabling OpenID Connect for your portal.

Register Liferay Portal at OIDC Provider

After starting your OIDC Service, you can register the Liferay Portal under the following URL: https://localhost:9443/fediz-oidc/clients/register.

You will need the client Identifier as well as the Client Secret in the following section.

Install OpenIdConnect Extension for Liferay

You will need the OpenIdConnectLiferay extension, which you can clone from Github. Further information on installing this extension can be found at the authors webpage.

You'll need to update the configuration within it.infn.ct.security.liferay.openidconnect.utils.Authenticator

public Authenticator(State state) {
    authC = new ClientSecretBasic(new ClientID("hLiSIY6b1X_0Jg"), new Secret("llPySiI1aEwyIgsnyBu6aA"));
    this.state = state;
    try {
        callback = new URI("https://localhost:8443/c/portal/login");
        oauthS = new URI("https://localhost:9443/fediz-oidc/idp/authorize");
        tokenS = new URI("https://localhost:9443/fediz-oidc/oauth2/token");
        userS = new URI("https://localhost:9443/fediz-oidc/users/userinfo");
        tokenCertSign = new URI("https://localhost:9443/fediz-oidc/jwk/keys");
        issuer = "accounts.fediz.com";
        aud = "hLiSIY6b1X_0Jg"; 
    } catch (URISyntaxException ex) {
        _log.error(ex);
    }
}

Now you can build and deploy this extension.
$ mvn clean install
You will find a jar file with all extensions at OpenIdConnectLiferay/target/OpenIdConnectLiferay-0.1-jar-with-dependencies.jar. You need to copy this jar file to liferay-portal-6.2-ce-ga5/tomcat-7.0.62/lib/ext/.

Next you need to create (or modify if it already exists) the following file liferay-portal-6.2-ce-ga5/tomcat-7.0.62/webapps/ROOT/WEB-INF/classes/portal-ext.properties to activate the OpenID Connect Login handler:
auto.login.hooks=\
  it.infn.ct.security.liferay.openidconnect.OpenIdConnectAutoLogin,\
  com.liferay.portal.security.auth.CASAutoLogin,\
  com.liferay.portal.security.auth.FacebookAutoLogin,\
  com.liferay.portal.security.auth.NtlmAutoLogin,\
  com.liferay.portal.security.auth.OpenIdAutoLogin,\
  com.liferay.portal.security.auth.OpenSSOAutoLogin,\
  com.liferay.portal.security.auth.RememberMeAutoLogin,\
  com.liferay.portal.security.auth.SiteMinderAutoLogin

Now you should restart your tomcat and after that you can invoke the following login URL: https://localhost:8443/c/portal/login?openIdLogin=true. This time you should get redirected to Fediz-IDP for user authentication (login). After successful login you should be able to see your portal again with an active user.

For debugging purposes is can also be helpful to increase the log level by adding the following line at liferay-portal-6.2-ce-ga5/tomcat-7.0.62/conf/logging.properties
it.infn.ct.security.liferay.openidconnect.level = FINE

Test your Setup: Login with OpenID Connect

Now you can validate if your setup is working as expected. Open the following URL in your browser:
https://localhost:8443/c/portal/login?openIdLogin=true

Make sure to logout first, if you are still logged in at your portal.

You should get redirected to the Fediz IDP Login page and after login (bob:bob) you should get redirected back to your Liferay portal.
When you login the very first time, you should see a screen to confirm the "Terms of Use". After that you will be asked to enter a new password. This password can be used to login without SSO / OpenID Connect so you should choose a complex password. As long as you use SSO however you will never be ask again to enter this password. Same applies to the password reminder.
Once that is done, you will see the start screen of the Liferay Portal.
Now you can logout and login again with the above URL. This time you will login directly without any additional steps/questions.

You have been successful!

9 comments:

  1. Hi, I tried to use it for LR 6.2.1 and compiled the extension with the LR 6.2.1 dependencies. I could not restart LR getting something like:
    org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'com.liferay.portal.kernel.util.InfrastructureUtil' defined in class path resource [META-INF/infrastructure-spring.xml]: Initialization of bean failed; nested exception is org.springframework.beans.ConversionNotSupportedException: Failed to convert property value of type 'javax.mail.Session' to required type 'javax.mail.Session' for property 'mailSession'; nested exception is java.lang.IllegalStateException: Cannot convert value of type [javax.mail.Session] to required type [javax.mail.Session] for property 'mailSession': no matching editors or conversion strategy found
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:526)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBea

    ReplyDelete
    Replies
    1. Hi Unknown,

      your type of error message is usually related to a class-loading issue. It is most likely that 'javax.mail.Session' is included in two different libraries (or versions of a single library).

      Delete
  2. Hi Jan Bernhardt,

    I am using liferay 6.2 ce ga6 for openid connect integration.
    I have create sample account in auth0.com for oidc provider.
    From that i get required data that needs to pass in openidconnect project.

    My question is using www.auth0.com will work with openid connect for authentication.

    OR I have to use "Apache Fediz version".

    Hope i will get answer soon from you

    Thanks,
    Krunal Patel

    ReplyDelete
    Replies
    1. If you just want to authenticate against Liferay with OpenID Connect and you are using another OIDC Provider you don't need to use Apache Fediz for that. Just follow the instructions under "Install OpenIdConnect Extension for Liferay" to setup your portal for OIDC.

      Delete
  3. Thanks for the post,i got lot more ideas.It is so amazing and knowledgeable.I hope its useful for others as well.Data Science is a blend of various tools, algorithms, and machine learning principles with the goal to discover hidden patterns from the raw data.If you are looking for Data Science course visit our site.
    Best Data Science Certification Course in Bangalore

    ReplyDelete
  4. Thanks for your post.I gained sone new important information.I am very happy reading your post.Learn Python,a powerful language used by sites like YouTube and Dropbox.
    python training in btm Layout

    ReplyDelete
  5. I wouldn’t mind producing a post or elaborating on some the subjects you write concerning here. Again, awesome weblog!
    AWS training in chennai | AWS training in annanagar | AWS training in omr | AWS training in porur | AWS training in tambaram | AWS training in velachery

    ReplyDelete
  6. This comment has been removed by a blog administrator.

    ReplyDelete
  7. Actually I read it yesterday but I had some thoughts about it and today I wanted to read it again because it is very well written.
    data scientist certification malaysia

    ReplyDelete