OpenSSO Integration with Liferay

OpenSSO and Liferay integration

This page describes the fixes done to OpenSSO integration and also gives an overview of design.


  1. Utilize opensso fix for 1079 - use isTokenValid operation to validate session
    • if user logged out of OpenSSO directly or thru any other app, then user needs to be completely logged out. If validation is not done, then the user remains logged in to portal
  2. Do not send cookie as query param - its a security hole. POST it.
  3. Use getCookieNameForToken operation to get name of the cookie instead of configuring it
  4. Utilize getCookieNamesToForward operation and forward all these cookies via POST for reliable operation
  5. The following attributes should be configurable
    • firstName=cn
    • lastName=sn
    • screenName=givenName
    • emailAddress=mail
  6. Fix the method that parses attribute name-value pairs. Was working but this is little better.
  7. Fix Single Logout

Design Overview

The authentication filter is It redirects an unauthenticated user to OpenSSO for login. After user logs in using the credentials at OpenSSO, s/he is redirected back to Liferay using the "goto" query parameter. This second time, the filter validates the user by making a REST call to OpenSSO.
In addition to the filter, the auto.login.hooks has OpenSSOAutoLogin configured which implements the AutoLogin interface. The AutoLogin filter calls login method on this class when any unauthenticated (to portal) user is detected. This hook checks if the user is already authenticated at OpenSSO. Then it gets the screen name from OpenSSO. Then it checks if the user already exists in Liferay. It creates a new user if the user is not found in Liferay. It imports four essential attributes from OpenSSO user store, namely, First Name, Last Name, Screen Name, Email. These 4 attributes must be set in OpenSSO.
Both these classes, use for calling REST operations on OpenSSO. The following REST calls are made to OpenSSO:
  1. http://host:port/opensso/identity/getCookieNameForToken
  2. http://host:port/opensso/identity/getCookieNamesToForward
  3. http://host:port/opensso/identity/attributes
  4. http://host:port/opensso/identity/istokenvalid

Single Sign-On and Single Sign-out (SSO)

There are 4 possible scenarios:
  1. User logs in via Liferay
  2. User logs in via some other application using OpenSSO or at OpenSSO itself
  3. User logs out at Liferay
  4. User logs out at some other application using OpenSSO or at OpenSSO itself
The first two use cases are definitely needed and the user does not have to re-login, once authenticated by OpenSSO.
If it is desired to keep user singed into Liferay even after having performed logout elsewhere, then the following mapping in web.xml needs to be removed.

Open SSO Filter

If this is removed, then the user will need to explicitly logout from Liferay and that will perform a single logout from OpenSSO.
There is also another side-effect of this filter mapping during configuration. When the admin enables OpenSSO, and clicks save, a redirect happens immediately since the OpenSSO filter kicks in. This is the reason why it is advisable to first create the admin user (like Joe Bloggs) in OpenSSO (and login) before enabling OpenSSO in Liferay.

Configuration parameters and sample values

  1. Login URL=http://openssohost:port/opensso/UI/Login?goto=http://portalhost:port/c/portal/login
  2. Logout URL=http://openssohost:port/opensso/UI/Logout?goto=http://portalhost:port/portal/
  3. Service URL=http://openssohost:port/opensso
  4. Cookie Name=iPlanetDirectoryPro - Will Not be required anymore
  5. First Name=cn
  6. Last Name=sn
  7. ScreenName=uid
  8. Email=mail

Configuration Steps

  1. or any stable build after Wed May 14 07:09:55 PDT 2008
  2. Make sure you read the release notes for OpenSSO. Currently (as of 5/16/08), it is not supported on Tomcat versions 5.5.26 and 6.0.16
  3. Since OpenSSO does yet work with some versions of Tomcat, deploy Liferay on the containers as supported by OpenSSO. Otherwise, it encounters cookie encoding problems.
    • Hint: This was tested on Glassfish V3 TP2
  4. Install OpenSSO on the same host/server as portal or any other host
    • For example, on Glassfish, drop the war in autodeploy dir
    • Access http://host:port/opensso
    • Select default configuration and go through the steps and you are done
  5. Login to opensso as amadmin
  6. Create the user Joe Bloggs by giving "ID=joebloggs" and "" (Hint: First create the user, then edit to set email).
  7. Logout and login to OpenSSO as joebloggs
  8. Now in the same browser window, login to Liferay as (Joe Bloggs)
  9. Goto EnterpriseAdmin > Organizations > Settings > Authentication > OpenSSO tab
  10. Set the values as described earlier and click Save
  11. Here onwards, you will be redirected to OpenSSO for login


1. Why do I need to be logged in to OpenSSO as joebloggs before enabling OpenSSO?
As soon as you enable and click Save, OpenSSO filter kicks in and redirects to OpenSSO. If you are already logged in as joebloggs, then auth validation succeeds and the redirect back to Liferay works smoothly. If you are not already logged in, then you will be presented a login screen. If you login as joebloggs now, then after redirect back, you will see error in Enterprise admin portlet. The logs show an error message as "This URL can only be invoked using POST". Although this error message can be ignored, we will fix it soon.

2. After enabling OpenSSO, I see a success message but no redirect to OpenSSO login screen. Also a logout and re-login never redirects to OpenSSO or logout shows page not available or similar.
Most likely, the urls in the configuration are incorrect. Check the logs. Verify the urls for login, logout and service.

3. I was logged in to OpenSSO as joebloggs when enabling open sso, also saw a success message on save. But now, after logout, can not login?
Does it say "Server not found" or similar? If yes, then you most likely entered incorrect login url. How to fix it since you can not login? Goto directly to open sso login url and login as joebloggs. Then goto to Liferay and you will be single signed-on. Fix the login url now.

More Here