Configuring Liferay 7.2 OpenID Connect for Keycloak? - keycloak

I have a fresh Liferay 7.2 and Keycloak 7 install.
I created a Keycloak client for Liferay.
I enabled OpenID Connect in Liferay.
In Liferay I configured an OpenID Connect provider with the Keycloak OpenID Connect discovery endpoint.
In Liferay:
I click Login; the login page is presented.
I click OpenID Connect; the OpenID Connect login page is presented.
I click Login with the Keycloak provider selected; the browser is redirected to the Keycloak login page.
I enter my user and password and click Log in.
My browser is redirected back to Liferay.
In Liferay the console looks like this: https://gist.github.com/smitopher/ca8bcb2ccb564eff3a42a1944e8daed7
and the browser shows a Liferay Internal Server Error message.
Any suggestions?
Some further debugging shows that when Liferay calls the Keycloak token endpoint, Keycloak returns a 400 HTTP status and an invalid grant message.

I ran into the same problem but later stumbled across a blog post showing a successful configuration, which I've reproduced with Liferay 7.2 + Keycloak 4.8.
The key difference between the failures and successes appears to be skipping auto-discovery and instead populating the individual settings directly. It would appear that Liferay doesn't like something in Keycloak's discovery endpoint.
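When you switch from auto-discovery to filling in the provider fields by hand, the values you type should still be exactly what the realm advertises, otherwise the authorization code exchange is the first step to fail. The script below is an added example written for this page; it is not Liferay's or Keycloak's code. It reads a discovery document (a constructed sample is embedded so it runs offline; `fetch_discovery` is for a live realm), maps it onto the manual provider fields, flags a few things that commonly break a relying party, and diffs an admin-supplied configuration against the advertised values. The hostnames and realm are made up, and the field names in `FIELD_MAP` are assumed to match the labels on Liferay's provider settings form.

```python
import json
import urllib.request
from urllib.parse import urlparse

# Constructed sample of a Keycloak realm discovery document, abridged to the
# fields a manually configured provider needs. A real one is served at
# <keycloak-base>/auth/realms/<realm>/.well-known/openid-configuration
# (Keycloak 7 still uses the /auth prefix). Host and realm are made up.
SAMPLE_DISCOVERY = {
    "issuer": "https://sso.example.test/auth/realms/liferay",
    "authorization_endpoint": "https://sso.example.test/auth/realms/liferay/protocol/openid-connect/auth",
    "token_endpoint": "https://sso.example.test/auth/realms/liferay/protocol/openid-connect/token",
    "userinfo_endpoint": "https://sso.example.test/auth/realms/liferay/protocol/openid-connect/userinfo",
    "jwks_uri": "https://sso.example.test/auth/realms/liferay/protocol/openid-connect/certs",
    "id_token_signing_alg_values_supported": ["RS256", "ES256", "HS256"],
    "subject_types_supported": ["public", "pairwise"],
}

# Discovery field -> manual field of a Liferay OpenID Connect provider.
# The right-hand labels are an assumption based on the provider settings form.
FIELD_MAP = {
    "issuer": "Issuer URL",
    "authorization_endpoint": "Authorization Endpoint",
    "token_endpoint": "Token Endpoint",
    "userinfo_endpoint": "User Info Endpoint",
    "jwks_uri": "JWKS URI",
    "id_token_signing_alg_values_supported": "ID Token Signing Algorithms",
    "subject_types_supported": "Subject Types",
}

ENDPOINT_FIELDS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri")


def fetch_discovery(issuer_url: str, timeout: float = 10.0) -> dict:
    """Fetch the discovery document of a live issuer (not used by the offline demo)."""
    url = issuer_url.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def manual_settings(doc: dict) -> dict:
    """Translate a discovery document into the values to type into the manual fields."""
    missing = [key for key in FIELD_MAP if key not in doc]
    if missing:
        raise ValueError(f"discovery document lacks required fields: {missing}")
    return {FIELD_MAP[key]: doc[key] for key in FIELD_MAP}


def check_discovery(doc: dict) -> list:
    """Return findings that commonly break an OpenID Connect relying party."""
    findings = []
    issuer = doc.get("issuer", "")
    issuer_host = urlparse(issuer).netloc
    # The client secret and the ID token travel over this channel.
    if urlparse(issuer).scheme != "https":
        findings.append(f"issuer {issuer!r} is not https")
    # Endpoints on another host than the issuer usually mean the realm was
    # reached through a hostname Keycloak does not consider its frontend URL.
    for key in ENDPOINT_FIELDS:
        host = urlparse(doc.get(key, "")).netloc
        if host != issuer_host:
            findings.append(f"{key} host {host!r} differs from issuer host {issuer_host!r}")
    # OpenID Connect Core requires RS256 support from the provider.
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        findings.append("RS256 is not offered for ID token signing")
    return findings


def compare_with_configured(doc: dict, configured: dict) -> list:
    """Diff admin-typed manual fields against what the realm advertises.

    Only fields present in `configured` are checked, so a partially filled
    form can be validated. Each mismatch is (field, configured, advertised).
    """
    expected = manual_settings(doc)
    return [
        (field, value, expected[field])
        for field, value in configured.items()
        if field in expected and expected[field] != value
    ]


if __name__ == "__main__":
    for field, value in manual_settings(SAMPLE_DISCOVERY).items():
        print(f"{field}: {value}")
    print("findings:", check_discovery(SAMPLE_DISCOVERY))
    typo = {"Token Endpoint": "https://sso.example.test/auth/realms/liferay/protocol/openid-connect/tokens"}
    print("mismatches:", compare_with_configured(SAMPLE_DISCOVERY, typo))
```

Run it against a live realm by replacing `SAMPLE_DISCOVERY` with `fetch_discovery("https://<keycloak-host>/auth/realms/<realm>")`, then paste the printed values into the provider form. A 400 with `invalid_grant` from the token endpoint is, per RFC 6749 section 5.2, the provider saying the authorization code is invalid, expired, already used, or was issued for a different redirect URI or client, so after the endpoints agree the next things to compare are the client ID, secret and registered redirect URI in the Keycloak client.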

I recommend updating the Keycloak version and checking the correct Liferay configuration by consulting the official Liferay documentation, Authenticating with OpenID Connect. You can also consult the article How to connect Keycloak and Liferay via OpenID Connect.
Remember that Keycloak and Liferay must be able to communicate with each other over HTTP/HTTPS.

Related

Set up SSO for Jira 8.1 and Confluence with CAS

I am configuring JIRA and Confluence with SSO using Jasig CAS. The step-by-step details given here are not a full setup of the CAS and JIRA configuration. How can I configure CAS with Jira and Confluence?
I also tried to set it up using SAML and Keycloak but was not able to make it work.

Liferay 7 CAS not logged in

I'm a newbie to Liferay 7. I want to integrate Liferay 7 with CAS without LDAP.
My Liferay version is DXP; the CAS server version is 4.0.0.
I have installed Liferay on localhost:8080; the CAS server is on one of my server machines over SSL.
I have successfully integrated CAS. After this I configured CAS authentication in Liferay, under Configuration -> Instance Settings -> Authentication, on the CAS tab.
When I try to log in I'm getting the following URL:
http://localhost:8080/?ticket=ST-23-d3Dvgf5h56Fa3ptUf5wEc-cas01.example.org
Although a ticket is generated, I'm not able to access the admin panel.
Please help, thanks.
I have followed all the instructions in this manual
https://web.liferay.com/web/nidhi.singh/blog/-/blogs/liferay-intregation-with-cas-and-ldap
and everything works perfectly!

SAML Logout in WebSphere Liberty/Classic WebSphere

We are trying to achieve SP-initiated SAML SSO with ADFS (our IdP) from WebSphere applications. We have used Liberty server, which acts as the Service Provider/Relying Party. Using Liberty as a bridge we are able to sign in to all applications deployed in classic WebSphere. But we are stuck at the logout process.
As of now WebSphere does not provide any SAML logout feature. We tried using the session.invalidate() method, and also tried removing all cookies and the request.logout() method. Though request.logout() removes the Authentication object, we are still able to access the application in the same browser session without any need to enter credentials.
We tried using the ADFS WS-Federation sign-out URL mentioned here:
https://{DNS_name_of_RP_STS}/adfs/ls/?wa=wsignout1.0
But because Liberty is not able to handle the logout request and response, sign-out does not happen for WebSphere applications.
Are we following the correct approach? Is there any other workaround for achieving sign-out? Is there a way to programmatically send a SAML logout request to ADFS from WebSphere?
Finally we were able to achieve logout after the addition of logout functionality in WebSphere Liberty by IBM, as mentioned here. Liberty is working as SP/bridge for SAML login and logout, and applications are deployed in WebSphere Application Server.

How can I add my Tomcat application in OneLogin for SAML?

I have a web application running on Tomcat and hosted on Amazon. I want to add it as a SAML Service Provider which allows single sign-on (SSO) in OneLogin (https://www.onelogin.com/).
I have a free trial account in OneLogin, and in the Add App section I can see many applications like Salesforce, AWS and so on, but how can I add my own application there?
I clicked on Suggest an App and gave my application URL. Is there any way I can add my own application as an SP in OneLogin?
You can use the SAML Test Connector. It works with any generic SAML Service Provider.
If you also need to add SAML support to your Tomcat application, you should know that Tomcat does not have a SAML SP implementation itself, so you will need to add SAML support to the Java application. For that you can use:
OIOSAML
Spring Security
java-saml
Shibboleth (it also requires Apache).

Integrate Liferay with CAS and SAML

We have a requirement where a user needs to log in to the portal with CAS (but the SAML way). The user can also log in via the login portlet of Liferay.
We have a few apps hosted on the intranet and a few on the extranet. When a user is in our office network, he should be able to log in to all the apps via SSO. This includes apps which are hosted on the extranet as well.
To achieve this we want to use SAML with CAS.
By doing some research I understand that in this case CAS would be my IdP, i.e. identity provider, and my apps on the extranet would be SPs, i.e. service providers.
Any idea how to proceed with it?
Any help is appreciated.
I have to do the same thing but using LDAP too ...
I'm following this cookbook to achieve that; the second chapter talks about the Authentication and Registration Process.
I hope this is helpful!!