Liferay to SecureAuth Integration Guide

Upload: lekiet

Post on 10-Jun-2018

Copyright Information

2017. SecureAuth© is a copyright of SecureAuth Corporation. SecureAuth’s IdP software, appliances, and other products and solutions, are copyrighted products of SecureAuth Corporation.

May, 2017

For information on supporting this product, contact your SecureAuth sales representative:

Email: [email protected]

Phone: +1.949.777.6959 or +1-866-859-1526

Website: https://www.secureauth.com/Support.aspx

Contents

Introduction
    Prerequisites

SecureAuth IdP Configuration
    Post Authentication
    User ID Mapping
    SAML Assertion / WS Federation

Liferay SP Configuration
    Tomcat Deployment

Testing SAML Admin Web Application

Appendix A: How to Get the Certificate from a SecureAuth Realm

Appendix B: Importing PKS Certificate in Java Keystore

Appendix C: How to Configure the SAML Admin Tab

Introduction

This guide covers the steps required for integrating SecureAuth IdP with Liferay.

Prerequisites

The steps that must be completed before configuring SecureAuth IdP and Liferay are:

1. Enroll for and open a Liferay Enterprise Account

2. Create a New Realm for the Liferay integration

3. Configure the following tabs in the SecureAuth IdP Web Admin before configuring the Post-Authentication tab:

• Overview – define the realm and SMTP connections

• Data – integrate an enterprise directory with SecureAuth IdP

• Workflow – define the way in which users will access this application

• Registration Methods / Multi-Factor Methods – define Multi-Factor Authentication (MFA) methods that are used to access this page (if any)

SecureAuth IdP Configuration

To configure SecureAuth IdP for use with Liferay, follow the steps provided in the following subtopics.

Post Authentication

From the Post Authentication tab page, perform the following steps:

1. From the Authenticated User Redirect drop-down list in the Post Authentication tab in the Web Admin, select SAML 2.0 (SP Initiated by Post) Assertion.

2. From the Redirect To field, enter an unalterable URL that will be auto-populated and will append to the domain name and realm number in the address bar.

User ID Mapping

From the User ID Mapping section in the Post Authentication tab page, perform the following steps:

1. From the User ID Mapping drop-down field, select the property that corresponds to the mapping on the Liferay side; in general, map a certain property from the Liferay side to SecureAuth side.

2. From the Name ID Format drop-down field, select the default value, urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.

NOTE: If you select SP Init by Post in the first field, you cannot select an SP init URL for the redirect. Liferay's integration with SA works only through SP by Post.

3. From the Encode to Base64 drop-down option list, select False. 

SAML Assertion / WS Federation

Configure the required fields for SAML assertion in the SAML Assertion/WS Federation section as shown below.

1. In the WSFed/SAML Issuer and the SAML Audience fields, enter a unique name that will be shared with Liferay.

2. In the WSFed/SAML Issuer field, enter a name that must match exactly on both the SecureAuth IdP side and the Liferay side.

3. In the SP Start URL field, enter a URL that will enable SSO and redirect users appropriately to access Liferay.

The SP Start URL value is normally http://localhost:8080 since Liferay is a Java application.

4. Make sure that the SAML Assertion and SAML Message are both True (signed).

NOTE: Both the WS Fed/SAML Issuer and the SAML Audience field values must possess names that exactly match on the Liferay side.

5. Leave the Signing Cert Serial Number field at the default value unless there is a third-party certificate being used for the SAML assertion.

If using a third-party certificate, click Select Certificate and choose the appropriate certificate.

6. At the Domain field, enter the domain in order to download the metadata file to send to Liferay.

Liferay SP Configuration

This document assumes Apache Tomcat server has been installed with the default settings and runs at http://localhost:8080/. This document also assumes that the user has purchased the Liferay Enterprise package.

Tomcat Deployment

To deploy Tomcat, use these steps:

1. Once you have downloaded the Liferay package, make sure you deploy the Tomcat server using the command line.

2. Before configuring the homepage and creating an admin account, deploy the activation key and the saml-portlet war file. Drag and drop both the activation file and the war file into the deploy folder as shown below.

3. Create an Administrative Account on the Liferay Homepage.

Drag and drop both the activation key and .war files to the deploy folder

4. Create a user with the same credentials as the one you used in the SecureAuth IdP. To do this, click Control Panel > Users > User and Organizations.

Alternatively, set up an LDAP connection between Liferay and SecureAuth so that an authenticated user can successfully log in.

5. Import SecureAuth’s Certificate into Liferay by using the Keystore.

Refer to “Appendix A: How to Get the Certificate from a SecureAuth Realm”, then “Appendix B: Importing PKS Certificate in Java Keystore”.

6. Set up an SSL connection with the Tomcat server in this way:

a. Open the server.xml file in Tomcat’s config directory.

b. Add the following Connector element under the Define SSL/TLS HTTP/1.1 Connector on port 8443 section of the XML file:

    <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
    <Connector
        protocol="org.apache.coyote.http11.Http11NioProtocol"
        port="8443" maxThreads="200"
        scheme="https" secure="true" SSLEnabled="true"
        keystoreFile="${user.home}/.keystore" keystorePass="changeit"
        clientAuth="false" sslProtocol="TLS"/>

7. In Control Panel, select the Configuration tab and configure the SAML Admin tab.

To configure the General, Service Provider and Identity Provider Connection tabs, refer to “Appendix C: How to Configure the SAML Admin Tab”.

NOTE: Export the Private Key and the Certificate (Not Certificate Only).

NOTE: The keystoreFile is the path where you store the actual keystore and the keystorePass is the password you chose during the previous step. For more on this, refer to https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html.
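
The Connector from step 6 can be checked before Tomcat is restarted. The following is an added example, not part of the SecureAuth guide: it audits the SSLEnabled connectors in a server.xml and shows the same connector pointed at a dedicated keystore. The surrounding Server/Service wrapper, the keystore path and the passphrase used in the demo are constructed values.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment; the 8443 Connector is the one shown in step 6.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector
      protocol="org.apache.coyote.http11.Http11NioProtocol"
      port="8443" maxThreads="200"
      scheme="https" secure="true" SSLEnabled="true"
      keystoreFile="${user.home}/.keystore" keystorePass="changeit"
      clientAuth="false" sslProtocol="TLS"/>
</Service></Server>"""


def audit_tls_connectors(server_xml):
    """Return (port, finding) tuples for every SSLEnabled Connector in server.xml."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP or AJP connector, out of scope here
        port = conn.get("port", "?")
        # Tomcat falls back to "changeit" when keystorePass is absent, so absence counts too.
        if conn.get("keystorePass", "changeit") == "changeit":
            findings.append((port, "keystorePass is the well-known default 'changeit'"))
        if conn.get("scheme") != "https" or conn.get("secure") != "true":
            findings.append((port, "scheme/secure do not mark requests as HTTPS"))
        if "sslEnabledProtocols" not in conn.attrib:
            findings.append((port, "sslEnabledProtocols unset; TLS versions follow JVM defaults"))
        if not conn.get("keystoreFile"):
            findings.append((port, "keystoreFile unset; Tomcat uses ${user.home}/.keystore"))
    return findings


def harden(server_xml, keystore_file, keystore_pass, protocols="TLSv1.2"):
    """Return server.xml text with each TLS connector using a dedicated keystore."""
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() == "true":
            conn.set("keystoreFile", keystore_file)
            conn.set("keystorePass", keystore_pass)
            conn.set("sslEnabledProtocols", protocols)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for port, finding in audit_tls_connectors(SAMPLE_SERVER_XML):
        print(f"port {port}: {finding}")
    # Constructed path and passphrase, for illustration only.
    fixed = harden(SAMPLE_SERVER_XML, "/opt/liferay/keys/tls.jks", "constructed-passphrase")
    print(audit_tls_connectors(fixed))
```
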

Testing SAML Admin Web Application

To test the SAML Admin web application you have just set up, do this:

1. Restart Tomcat server.

2. Open a browser, preferably Firefox, with SAML tracer plug-in.

The SAML tracer plug-in can be downloaded from https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/.

3. Clear the browser cache and history.

4. Open the Liferay site at: https://localhost:8443/.

A screen like this example appears.

5. Click Sign in.

The user will be redirected to the configured IdP for authentication.

6. Provide the required credentials.

After a successful authentication, you will be redirected back to the requested application (that is, Liferay).

7. After signing out of the Liferay account, the user will reach the IdP (SecureAuth).

This is the same page as the authentication page.

NOTE: The user can run a SAML Tracer to see the SAML Login and Logout Request.
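
The values this guide requires to match (Issuer, Audience, Name ID Format, signed message and assertion) can be checked against the SAMLResponse parameter copied from SAML tracer. The following is an added example, not part of the SecureAuth guide; the entity IDs, the user name and the build_sample helper are constructed for the demo.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def check_saml_response(b64_response, idp_entity_id, sp_entity_id):
    """Compare a captured SAMLResponse with the values configured on both sides.

    Structural check only: it confirms Signature elements are present but does
    not validate them cryptographically.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["response carries no plain Assertion element"]
    problems = []
    if root.find("ds:Signature", NS) is None:
        problems.append("SAML message is not signed")
    if assertion.find("ds:Signature", NS) is None:
        problems.append("SAML assertion is not signed")
    # Issuer and Audience are compared exactly: case and whitespace count.
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != idp_entity_id:
        problems.append(f"Issuer {issuer!r} != IdP Entity ID {idp_entity_id!r}")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append(f"Audience {audiences!r} lacks SP Entity ID {sp_entity_id!r}")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != UNSPECIFIED:
        problems.append("NameID Format is not the 'unspecified' default")
    return problems


def build_sample(issuer, audience, sign_message=True):
    """Constructed, minimal SAMLResponse; the Signature elements are empty placeholders."""
    sig = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>'
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f'<saml:Issuer>{issuer}</saml:Issuer>{sig if sign_message else ""}'
        f'<saml:Assertion><saml:Issuer>{issuer}</saml:Issuer>{sig}'
        f'<saml:Subject><saml:NameID Format="{UNSPECIFIED}">jdoe</saml:NameID></saml:Subject>'
        '<saml:Conditions><saml:AudienceRestriction>'
        f'<saml:Audience>{audience}</saml:Audience>'
        '</saml:AudienceRestriction></saml:Conditions>'
        '</saml:Assertion></samlp:Response>'
    )
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    captured = build_sample("SecureAuthLiferay", "liferay-sp")
    # A lower-cased Entity ID on the Liferay side is reported as a mismatch.
    print(check_saml_response(captured, "secureauthliferay", "liferay-sp"))
```
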

Appendix A: How to Get the Certificate from a SecureAuth Realm

The way to procure a certificate from a SecureAuth Realm is explained in the following steps.

1. Select the SecureAuth IdP realm that has been set up for Liferay and locate the Signing Cert Serial Number field under the Post Authentication tab as shown in the following example.

Find the certificate number in the Certificates Console matching this number

2. Use the Certificates Console to find the certificate with the same serial number used in the Liferay realm.

Find the certificate number in the Certificates Console matching the number in the Liferay realm field

3. Right-click on this selection and select Export.

The Certificate Export Wizard appears.

4. Click to select the Base-64 encoded x.509 (.CER) format radio button to export the certificate then click Next.

5. Click the Yes... radio button to export the Private Key then click Next.

The next wizard page appears.

6. Click to select the Personal Information Exchange... radio button, then check the Include all certificates... box and click Next.

The next wizard page appears.

7. Check the Password box then enter the password you require and confirm the password. Click Next.

The next wizard page appears.

8. Enter a file name for this certificate export, or click the Browse... button to find the name of the file to which you want to copy this certificate export. Click Next.

The final wizard page appears.

9. Click Finish.

The certificate is exported to the required location.

Appendix B: Importing PKS Certificate in Java Keystore

This appendix provides the procedure to import the PKS certificate into the Java keystore.

The following steps assume that Java (Oracle version) is installed on the server. To check the availability of Java, enter the java -version command on a command line like this:

    $ java -version
    java version "1.8.0_101"
    Java HotSpot(TM) 64-Bit Server VM (build 25.101-b13, mixed mode)
    Java(TM) SE Runtime Environment (build 1.8.0_101-b13)

The version appears in the second line together with additional information about the version in subsequent lines.

Once the version number is known, proceed with this import.

1. Download and install KeyStore Explorer from http://www.keystore-explorer.org/downloads.html. Alternatively, use the command line to import the key, then skip to Step 13.

2. Open KeyStore Explorer.

The KeyStore main page appears.

3. Click Create a new KeyStore and select JKS from the New KeyStore Type dialog box.

4. Click OK and this JKS screen appears.

5. Click on the yellow Import key pair button located on the right side of the red button.

The Import Key Pair dialog box appears.

6. Select the PKCS #12 radio button and click OK.

An Import Key Pair dialog box like this appears.

7. Enter the Decryption Password and the pfx file path, then click Import.

The New Key Pair Entry Alias appears with a name already supplied.

8. Either accept the name or enter a new alias for the new key pair, then click OK.

You can change to any name but make sure to record the alias since you will need it on the SAML admin configuration.

The New Key Pair Entry Password dialog box appears.

9. Enter a password for the jks then click OK.

You will use this password when configuring the SAML admin.

A Pair Successful message appears.

10. Click OK.

11. Save the jks file by going to File > Save.

12. If asked for a password, use the same password used earlier for the key pair.

The Save KeyStore As screen appears like this:

13. In the ‘File name’ text box, enter the jks file name (xxx.jks) then click Save.

Alternatively, use the following two commands to convert the pfx to jks format:

a. Open a command shell and run the following commands:

    keytool -importkeystore -srckeystore pfx-cert-name.pfx -srcstoretype pkcs12 -destkeystore jks-cert-name.jks -deststoretype JKS

    keytool -list -v -keystore jks-cert-name.jks

b. Enter the keystore password when requested.

c. Record the Alias name from the output.

    Alias name: xxxxx

d. Make sure the following values are as follows:

    Keystore type: JKS
    Keystore provider: SUN
    Entry type: PrivateKeyEntry

Appendix C: How to Configure the SAML Admin Tab

To configure the SAML Admin tab, perform the following steps.

1. Go to the General tab and select the appropriate SAML Role and Entity ID.

The SAML Role is either IdP or SP.

The Entity ID has the same value as the SAML Audience on the SecureAuth IdP Post Authentication page.

2. Edit the values for the Certificate and Private Key section then click Save.

This section creates a keystore located in the data folder of the Tomcat server, and it is used for signing the metadata between Liferay and SecureAuth IdP.

NOTE: Do not confuse this keystore with the one which we created earlier. That prior keystore is meant for SSL configuration.

3. Go to the Service Provider tab and select the appropriate options.

NOTE: If a user selects any of these options, make sure the appropriate settings are specified or errors will arise once configuration is complete.

4. Select the Identity Provider Connection tab and ensure that the Entity ID field value matches the SAML Issuer value on the Post Authentication tab.

5. Additionally, download the metadata file from the Post Authentication tab and upload it using the Upload Metadata XML button.

NOTE: The user can also choose to map any additional attributes, but must configure the same attributes on the SecureAuth IdP side (the SAML Attributes/ WS Federation section).

6. Once all required values are entered, click the Save button.

7. Return to the General tab and check the Enabled box to ensure that your configurations are not lost and will take effect.
