Uploaded image for project: 'PUBLIC - Liferay Documentation'
  1. PUBLIC - Liferay Documentation
  2. LRDOCS-3683

Document SAML configuration approach changes in 7.0 as of SAML 2.0 Provider 3.1.0



      In 6.2 UI, the IdP configuration UI has a section "Service Provider Defaults" which are the values read from portal-ext.properties. This section has been removed in the new 7.0 UI. In fact there is no longer any support for connection defaults.

      This default configuration properties in 6.2 were used for two purposes:

      1. When saml.metadata.paths was specified in portal-ext.properties (there was no UI for it), the defaults provided the runtime configuration for each peer entity represented by the paths (URLs). This completed the peer configuration, enabling them to be used immediately. Each peer connection can be tweaked using filtered properties like saml.idp.metadata.name.id.attribute[peerEntityId] if needed. 
      2. When using UI to add a peer connection, the fields are pre-populated with the defaults. Saving time.


      Starting with the 7.0 version, anything to do with configuring SP connections must be done via the the UI, and stored into the DB.

      Consequently, there is no need to specify configuration for any entity other than the local entity which is synonymous with company (portal instance).

      This has enabled us to migrate to a company scoped configuration in Configuration Admin.

      The properties affected are those in the SamlProviderConfiguration metatype:

      • saml.keystore.credential.password
      • saml.sp.assertion.signature.required
      • saml.idp.authn.request.signature.required
      • saml.sp.clock.skew
      • saml.default.assertion.lifetime
      • saml.sp.default.idp.entity.id
      • saml.enabled
      • saml.entity.id
      • saml.sp.ldap.import.enabled
      • saml.role
      • saml.idp.session.maximum.age
      • saml.idp.session.timeout
      • saml.sp.sign.authn.request
      • saml.sign.metadata
      • saml.ssl.required
      • saml.idp.metadata.name.id.attribute

      The SAML Admin Portlet remains as the UI for creating the company scoped configuration instances.

      Please note that there is a system wide configuration as well, represented by the SamlConfiguration metatype.

      Finally, please note that the following system wide properties have been removed:

      • saml.metadata.paths (serves no purpose after removal of SP connection defaults)
      • saml.runtime.metadata.max.refresh.delay
      • saml.runtime.metadata.min.refresh.delay

      The latter two are replaced with saml.runtime.metadata.refresh.interval


          Issue Links



              richard.sezov Rich Sezov
              id30721 id30721
              Subject Matter Expert:
              Stian Sigvartsen
              Participants of an Issue:
              0 Vote for this issue
              4 Start watching this issue



                  Zendesk Support


                    Version Package