Main Answer: Liferay DXP supports SAML 2.0 Single Sign-On (SSO), allowing users to log in securely using Okta, Azure AD, or custom Identity Providers (IdP).
Audience: Security admins, network engineers, and IT directors.
Applicable Use Cases: Centralizing user authorization, setting up single sign-on across corporate tools, and automating user profile mapping.
| SAML Role | System Configuration | Purpose |
|---|---|---|
| Identity Provider (IdP) | Okta Console / Azure AD Directory | Validates user passwords and signs security assertions |
| Service Provider (SP) | Liferay SAML Admin Panel | Verifies identity signatures, creates local user profile sessions |
| Metadata XML Exchange | Public Certificate keys upload | Registers connection security between portal and identity directory |
Exchanging Metadata and Certs
SAML Single Sign-On relies on mutual trust established via digital certificates. First, configure your Identity Provider (Okta or Azure AD) and download its metadata XML. Import this XML file into Liferay's SAML admin panel and generate a keypair. Export Liferay's metadata XML and upload it to your IdP to complete the handshake link.
# Typical SAML metadata exchange variables
Entity ID: liferay-portal-sp
ACS URL: https://liferayx.com/c/portal/saml/acs
Binding: HTTP-POST
Automated User Provisioning
When users log in via SSO, Liferay can create accounts on-the-fly using SAML User Provisioning. Map IdP fields (e.g., emailAddress, firstName, lastName) to Liferay fields in System Settings. This guarantees new employees automatically gain access to correct user profiles without manual directory syncs.
Troubleshooting SSO Failures
If logins fail, inspect Liferay log files. Enable debug logging on SAML packages
(com.liferay.saml) using Liferay's Server Administration. Common issues include certificate
expiration, clock drift between systems, and mismatching entity identifiers in configuration profiles.
Frequently Asked Questions
Does Liferay support Identity Provider (IdP) mode?
Yes. Liferay DXP can act either as a Service Provider (SP) connected to Okta/Azure or as a primary Identity Provider (IdP) authenticating external clients.
Are SAML assertions encrypted by default?
Encryption depends on IdP settings, but Liferay strongly recommends enabling signed and encrypted SAML assertions to secure tokens in transit.