Uploaded image for project: 'PUBLIC - Liferay Portal Community Edition'
  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-86827 Multi-IdP support
  3. LPS-88090

Documentation: Multi-IdP support and SamlSpIdpConnectionsProfile


    • Type: Technical Documentation
    • Status: Closed
    • Priority: Minor
    • Resolution: Completed
    • Affects Version/s: None
    • Fix Version/s: None
    • Labels:
    • Sprint:
      AS | Iteration 7, AS | Iteration 9, AS | Iteration 10, AS | Iteration 11, AS | Iteration 12, AS | Iteration 13, AS | Iteration 14, AS | Iteration 15, AS | Iteration 16, AS | Iteration 17, AS | Iteration 18, AS | Iteration 19
    • Type of Documentation:


      It is now possible to configure connections to multiple SAML Identity Providers, when Liferay is acting as a Service Provider. These can each authenticate the same or different set of users, giving great flexibility to how users are managed and access is controlled.

      By default, the SAML plugin will allow the user to select the Identity Provider he or she would like to sign in with, but this behavior can easily be changed by registering a custom com.liferay.saml.runtime.servlet.profile.SamlSpIdpConnectionsProfile (provided by com.liferay.saml.api module) service in OSGi.

      This requires the developer to only implement one method: isEnabled(SamlSpIdpConnection, HttpServletRequest). The service will be invoked for every configured Identity Provider connection at the time when the standard portal Login Action is requested (for example when a user clicks the "sign in" link), as represented by the HttpServletRequest, provided as parameter. The developer then simply returns true for the Identity Providers that the user should be able to select from.

      Whenever exactly one Identity Provider is enabled for the HttpServletRequest, the user will be automatically redirected to it without needing to make a selection.

      Whenever no Identity Provider is enabled for the HttpServletRequest, the behavior is dependent upon a new SAML Service Provider configuration setting: com.liferay.saml.runtime.configuration.SamlProviderConfiguration.allowShowingTheLoginPortlet() ("Allow showing the login portlet") . This can be set via the Service Provider administration UI. When set to true, the Service Provider will delegate to the normal Login Action. Which out of the box means presenting a email address & password sign in prompt. When set to false, a message stating no Identity Provider is available to sign the user in is presented.

      Below is a simple example implementation of SamlSpIdpConnectionProfile which only allows login via Identity Providers whose connection name contains the string "IDP".


      package com.liferay.saml.web.internal.portlet;
      import javax.servlet.http.HttpServletRequest;
      import org.osgi.service.component.annotations.Component;
      import com.liferay.saml.persistence.model.SamlSpIdpConnection;
      import com.liferay.saml.runtime.servlet.profile.SamlSpIdpConnectionsProfile;
      @Component(service = SamlSpIdpConnectionsProfile.class)
      public class CustomMultiIdpSelector implements SamlSpIdpConnectionsProfile {
        public boolean isEnabled(SamlSpIdpConnection samlSpIdpConnection, HttpServletRequest request) {
          return samlSpIdpConnection.getName().contains("IDP");




          Issue Links



              • Votes:
                0 Vote for this issue
                1 Start watching this issue


                • Created:


                  Version Package