Top 5 Challenges Implementing SAML Single Sign-On for Liferay Portal
Single Sign-On (SSO) using SAML can easily become a serious undertaking for any project or application. There are numerous unexpected challenges that arise along the way. This becomes even more challenging when dealing with a complex platform such as Liferay Portal and Liferay DXP.
Over the years, here at AssureBridge, we have helped numerous companies worldwide to successfully roll out SAML-based Liferay SSO solutions. While working on these projects we have identified key challenges and pitfalls:
- Liferay support for multiple, simultaneous SAML Identity Providers (IDPs)
- Liferay support for simultaneous SSO and direct login (userid/password)
- Having Liferay service as both an Service Provider(SP) and an Identity provider (IDP)
- Auto-provisioning and auto-updating of users into Liferay
- Dealing with the differences in how user information (e.g. ids, phone nos. emails) is represented the source system, vs in the Liferay database.
- Liferay SAML Single Logout Support (SLO)
Support for multiple SAML Identity Providers (IDPs) and direct login
It is often the case that, when running as a SAML Service Provider, your Liferay portal is required to connect with multiple SAML partner Identity Providers. There are a number of business scenarios where this functionality is required.
One of our clients, a wellness services provider uses Liferay to deliver SaaS-based services for a number of users that belong to different companies. Some of these companies have their own SAML identity providers such as Microsoft ADFS, Ping Identity and IBM Tivoli. These customers insist on performing single sign-on (SSO) into the Liferay portal.
Another client, a global retail company that has grown through mergers and acquisitions has users accessing their Liferay DXP based worldwide corporate Intranet. These users work for different company divisions and each division has its own SAML IDP. Additionally, they are some divisions that don’t have a SAML solution and need to login to Liferay directly with a user id and password.
In both cases, the clients found that the SAML plugin provided with the Liferay Enterprise Edition (EE) wasn’t able to support the required combined multiple SAML IDPs and credentials-based login capability. After unsuccessfully trying to develop these capabilities internally, both clients chose to use the AssureBridge SSO plugin for Liferay. The AssureBridge engineering team helped the clients deploy the plugin configure SAML SSO connectivity to multiple partner IDPs.
Additionally, the retail client rolling out the Liferay-based Intranet, required advanced user organization detection and automatic IDP routing. Incoming users needed to be identified based on the company they work for and automatically routed to the appropriate IDP. The AssureBridge SSO plugin performed sophisticated detection of the user location. It assisted in pre-setting of the target IDP choice as well as triggering automatic SAML Authentication Request based on the information saved from previous logins. The client also wanted different behavior based on the users location (company network, off-site, or on a VPN). The plugin allowed the site to present different content to users based on their location.
Combination of SAML Service Provider (SP) and SAML Identity Provider (IDP)
Another technical challenge arises when a Liferay portal needs to perform a dual SP/IDP function. When a Liferay Portal front-ends other services such as Concur, Workday, Business Objects, Remedy and many others, it requires seamless integration. This requires the Liferay portal to serve as an IDP connection to each of these applications. When clients also require SSO into the portal, Liferay now has to act both as a service provide and identity provider (IDP) simultaneously. Our wellness services provider found itself in this situation where the Liferay portal needed to connect using SAML to a number of downstream sites.
Once again, they tried the SSO that came with Liferay enterprise. They found it allows Liferay to be either an IDP or an SP, but not both at the same time.
They then used the AssureBridge Liferay SSO Plugin to natively provide this capability. Deployed in a sophisticated dual-provider model, the plugin quickly turns their Liferay portal into a powerful tandem of a SAML Service Provider and a SAML Identity Provider. This them to have multiple customers using multiple Identity Providers and, at the same time, to access downstream integrated websites via SAML using Liferay as the central Identity Provider itself.
Auto-provisioning and auto-updating of portal user
The wellness provider had another issue. Their clients had thousands of users that changed constantly. Loading all the users into the Liferay portal became impossible to manage. They needed the users to be automatically created in Liferay when the user logged in for the first time. They also needed key information such as first name, last name, email, phone number and office location to stay current.
Using the AssureBridge Liferay plugin, they configured auto-provisioning and auto-updating. The first time the user logged in (just-in-time provisioning). Their account was automatically created in Liferay. Each subsequent time they logged in. Any information that had changed was refreshed in the Liferay portal.
Dealing with difference in how information is represented
Another issue the wellness provider ran into was that the format of the user data being sent from their customers was different. The user information was stored in different fields and some information like phone number was stored in different formats. They needed this data to be “normalized” into a standard format for Liferay. They tried to get their customers to send the data in a standard format but encountered too many objections. They took advantage of the AssureBridge SAML SSO Plugin feature called attribute processing. Each of their customers was processed with a small Attribute Mapper which took the incoming information from the SAML Assertion, mapped the correct fields and adjusted the data (e.g. phone number format) to the standard form before saving into Liferay. This way, the Liferay user data stayed both fresh and consistent. This data was used to validate user access, update user profiles, assign users to roles and groups and place users in the proper Liferay organization. In some cases they used the feature to deny access to users unless they presented a minimum set of info during login.
Advanced SAML Single Logout (SLO) Support
Establishing a Liferay SAML-based Single Sign-On is definitely a challenging task. However, once that is done, our clients discovered that SAML-based Single Logout (SLO) is as challenging as the Single Sign-On, if not more. Single Logout is an important part of the SAML standard and organizations rely on SLO to ensure that distributed user login sessions are properly terminated when users log out from either the Identity Provider or a specific application in the SSO ecosystem. For example, if your Liferay portal is a Service Provider and the users logs out of the partner’s IDP, it is often required that the Liferay session is terminated automatically at the same time. This is called an IDP-initiated SLO. If your Liferay portal is also a service provider, front-ending one or more downstream services, it gets more complex. If a user logs out at the customer, the portal must not just log itself out in response to a SAML logout request. It must propagate that logout request through to the downstream applications to make sure the entire portal ecosystem is logged out. In some cases, clients want the reverse, if a user logs out in a downstream system, the logout must propagate back to the Liferay portal and then back to the customer’s IDP.
The AssureBridge Liferay SSO Plugin and SAML SSO Service supports both of these scenarios