ServiceNow connector deployment guide 1.0.0.0

Keycloak SAML SSO with WordPress

This blog describes WordPress SAML SSO with Keycloak as the identity provider (IdP), using the miniOrange SAML 2.0 plugin as the Service Provider (SP).

  1. Start WordPress and install the miniOrange "SSO using SAML 2.0" plugin.
  2. Start the Keycloak server and open the admin console as an administrator.
  3. In the Keycloak admin console, select the realm that you want to use.
  4. From the left menu, select Clients.

  5. Create a new client/application. Configure the following:

Client ID                   –   The SP-EntityID / Issuer from the WordPress plugin under the Identity Provider tab
Name                        –   A name for this client (e.g. WordPress)
Description                 –   A description (e.g. WordPress site)
Enabled                     –   ON
Client Protocol             –   saml
Include AuthnStatement      –   ON
Sign Documents              –   ON
Sign Assertions             –   ON
Signature Algorithm         –   RSA_SHA256
Canonicalization Method     –   EXCLUSIVE
Force Name ID Format        –   ON
Name ID Format              –   email
Root URL                    –   The ACS (Assertion Consumer Service) URL from the WordPress plugin under the Identity Provider tab
Valid Redirect URIs         –   The ACS (Assertion Consumer Service) URL from the WordPress plugin under the Identity Provider tab

Use the exact ACS URL for Valid Redirect URIs rather than a wildcard pattern: Keycloak only posts the signed response to an ACS URL that matches this list, so the narrower the match, the less room for a response to be redirected elsewhere.

  6. Under Fine Grain SAML Endpoint Configuration, configure the following:

Assertion Consumer Service POST Binding URL   –   The ACS (Assertion Consumer Service) URL from the WordPress plugin under the Identity Provider tab

  7. Click Save.

Configuring WordPress as the Service Provider (SP)

  8. Go to http://<YOUR_DOMAIN>/auth/realms/{YOUR_REALM}/protocol/saml/descriptor. This opens the realm's SAML IdP metadata as XML in the browser.

  9. In the miniOrange SAML plugin, go to the Service Provider tab and enter the following values:

Identity Provider Name    –   Keycloak
IdP Entity ID or Issuer   –   Search the XML for entityID and enter its value in this textbox.
SAML Login URL            –   Search for the SingleSignOnService element whose Binding is "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" (not the HTTP-POST one listed before it) and enter its Location value in this textbox.
X.509 Certificate         –   Enter the value of the X509Certificate tag from the KeyDescriptor with use="signing" in this textbox.
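The three lookups in step 9 (entityID, the HTTP-Redirect SingleSignOnService Location, and the signing X509Certificate) are easy to get wrong by hand: the descriptor lists the POST binding first and wraps the certificate over several lines. The following Python script, added here as an example and not part of the original post or of the miniOrange plugin, parses a descriptor of the shape Keycloak serves at the step 8 URL and pulls those values out. The hostname, realm and certificate bytes in the embedded sample are constructed placeholders; for a real realm, save the descriptor XML and pass its text to parse_idp_descriptor.

```python
"""Extract the values step 9 asks for from a Keycloak SAML IdP descriptor.
Added example; not code from the original post or from the miniOrange plugin."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholder: valid base64, but not a real X.509 certificate.
CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()


def _wrap(b64, width=16, indent=" " * 12):
    """Line-wrap the base64 the way the descriptor serves it."""
    return ("\n" + indent).join(b64[i:i + width] for i in range(0, len(b64), width))


# Constructed sample in the shape of /auth/realms/<realm>/protocol/saml/descriptor.
# Host (keycloak.example.test) and realm (demo) are assumptions.
SAMPLE_DESCRIPTOR = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="http://keycloak.example.test/auth/realms/demo">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:KeyName>placeholder-key-id</ds:KeyName>
        <ds:X509Data>
          <ds:X509Certificate>
            {_wrap(CERT_B64)}
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{POST}"
        Location="http://keycloak.example.test/auth/realms/demo/protocol/saml"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="{POST}"
        Location="http://keycloak.example.test/auth/realms/demo/protocol/saml"/>
    <md:SingleSignOnService Binding="{REDIRECT}"
        Location="http://keycloak.example.test/auth/realms/demo/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_descriptor(xml_text):
    """Return the values the plugin's Service Provider tab asks for."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is SP metadata, not IdP metadata")

    # Keycloak lists the same Location under several bindings; key them by Binding.
    sso = {svc.get("Binding"): svc.get("Location")
           for svc in idp.findall("md:SingleSignOnService", NS)}

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' serves both signing and encryption.
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            one_line = "".join((cert.text or "").split())   # drop the line wrapping
            base64.b64decode(one_line, validate=True)       # raises on a mangled copy
            certs.append(one_line)
    if not certs:
        raise ValueError("no signing certificate in descriptor")

    return {
        "entity_id": root.get("entityID"),
        "sso_redirect_url": sso.get(REDIRECT),
        "sso_post_url": sso.get(POST),
        "signing_certificates": certs,   # more than one during key rotation
        "wants_signed_authn_requests": idp.get("WantAuthnRequestsSigned") == "true",
    }


def to_pem(cert_b64):
    """Wrap the bare base64 as PEM so it can be inspected with openssl x509 -text."""
    lines = [cert_b64[i:i + 64] for i in range(0, len(cert_b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    info = parse_idp_descriptor(SAMPLE_DESCRIPTOR)
    print("IdP Entity ID or Issuer:", info["entity_id"])
    print("SAML Login URL         :", info["sso_redirect_url"])
    print("X.509 Certificate      :", info["signing_certificates"][0])
```

Paste entity_id, sso_redirect_url and the whitespace-free signing certificate into the three plugin fields; the to_pem output can be checked with openssl x509 -noout -text to confirm it is the realm's signing certificate and not an expired or encryption-only one. If the descriptor advertises WantAuthnRequestsSigned="true" and the plugin sends unsigned AuthnRequests, turn off Client Signature Required on the Keycloak client from step 5, otherwise Keycloak rejects the login request.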

  10. In the miniOrange SAML plugin, go to the Attribute/Role Mapping tab and enter the following values:

Username     –   Name of the username attribute from the IdP (keep NameID by default)
Email        –   Name of the email attribute from the IdP (keep NameID by default)
First Name   –   Name of the first-name attribute from the IdP
Last Name    –   Name of the last-name attribute from the IdP

Under the Role Mapping section, configure which group value in the SAML response maps to which WordPress role: a user whose SAML response carries that group value is assigned the WordPress role configured here. The Keycloak client as configured above sends no group attribute, so users receive the default role selected on this tab. Keep all values as they are and click Save.

  11. Go to the SSO Login Settings tab. Under Use a Widget, enable "Check this option if you want to add a Widget to your page".

11.1. Go to Appearance > Widgets.
11.2. Select "Login with Keycloak", drag and drop it to your preferred location, and save.

  12. Open the site URL: http://localhost/wordpress

  13. Click Login with Keycloak; you are redirected to the Keycloak authentication page.

  14. Log in with a registered email and password.

Keycloak redirects back to WordPress and the user is logged in.


Integrating OKTA SSO With Liferay Portal Using SAML

1 : Installing the SAML plugin on Liferay Portal

1.1 Download the SAML plugin WAR file and copy it to the deploy folder (liferay.home/deploy).

If you do not have the SAML plugin WAR file:

1.2 Log in to the Liferay portal as admin and go to the Control Panel.
1.3 Click Apps and then the Purchased tab.
1.4 In the Purchased tab, click EE.
1.5 Search for SAML 2.0 and click Install.

2 : Creating the Okta chiclet (app integration) for Liferay. A free Okta developer account is enough for this trial.

2.1 Get the Service Provider (Liferay SP) ACS URL, e.g. http://<your-domain-or-ip>/c/portal/saml/acs
2.2 Create the Okta chiclet with the following details:
Service provider URL (ACS)   e.g. http://<your-domain-or-ip>/c/portal/saml/acs
Audience restriction         the SP entity ID, e.g. Liferay; it must be the same string as saml.entity.id in step 4 (Dinacs in the listing below), otherwise Liferay rejects the assertion's AudienceRestriction
Okta metadata file           save it as XML and put it in the liferay.home/data/ directory as OktaMetadata.xml

3: Creating the keystore

Create the keystore in the liferay.home/data/ directory using the command below:

keytool -genkey -keyalg RSA -alias Dinacs -keystore keystore.jks -storepass dinacs -validity 360 -keysize 2048

Enter the requested details and keep the key (alias) password the same as the keystore password; passing -keypass dinacs on the command line sets it without the prompt. This creates keystore.jks in the liferay.home/data directory. The alias Dinacs and the password dinacs are this guide's example values; use your own in a real deployment, and keep the two consistent with the properties in step 4.

4: Modify the portal-ext.properties file

Navigate to liferay.home and open portal-ext.properties. Add the entries below and save the file.

##
## SAML
##
# Enable the SAML plugin
saml.enabled=true
# This Liferay instance acts as the Service Provider
saml.role=sp
# The SP entity ID; it matches the alias used when creating the keystore and the audience restriction configured in Okta
saml.entity.id=Dinacs
# Location of the Identity Provider metadata saved in step 2
saml.metadata.paths=${liferay.home}/data/OktaMetadata.xml
#
# Keystore
#
# keystore type
saml.keystore.type=jks
# location of the keystore
saml.keystore.path=${liferay.home}/data/keystore.jks
# password for accessing the keystore
saml.keystore.password=dinacs
# password for the entity's key in the keystore; the bracketed name must equal saml.entity.id
saml.keystore.credential.password[Dinacs]=dinacs
#
# Service Provider
#
# The IdP entity ID (issuer) taken from the entityID attribute in OktaMetadata.xml
saml.sp.default.idp.entity.id=http://www.okta.com/<idp-entity-id-from-OktaMetadata.xml>
saml.sp.sign.authn.request=true
# Okta signs its assertions; setting this to true makes Liferay reject an unsigned assertion
saml.sp.assertion.signature.required=false
saml.sp.clock.skew=3000
saml.sp.session.keepalive.url=http://<your-domain-or-ip>:8080/c/portal/saml/idp/keepalive
# Service Provider user attribute mappings: SAML attribute name=Liferay user field, entries separated by a literal \n
saml.sp.user.attribute.mappings=UserName=emailAddress\nFirstName=firstName\nLastName=lastName
# Set this to true to enable reminder queries that are used to help reset a user's password
users.reminder.queries.enabled=false
# Auto-generate screen names, since no SAML attribute is mapped to screenName
users.screen.name.always.autogenerate=true
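Two things in this file are easy to get wrong and fail only at runtime: the bracketed name in saml.keystore.credential.password[...] must equal saml.entity.id (it is the keystore alias), and the \n inside saml.sp.user.attribute.mappings must stay a literal backslash-n so Liferay can split the entries. The Python script below, added here as an example and not Liferay code or code from the original post, reads the SAML section as a Java properties file, unpacks the mappings, reports the inconsistencies and weak settings a reviewer would flag, and shows the corrected form next to the weak one. The embedded properties text is constructed from the listing above with a placeholder Okta entity ID; the screenName check is an assumption about what Liferay needs to create a user.

```python
"""Lint the SAML section of a Liferay SP portal-ext.properties.
Added example; not Liferay code and not from the original post."""
import re

# Constructed input: the listing above, with a placeholder Okta entity ID.
SAMPLE_PROPERTIES = r"""
saml.enabled=true
saml.role=sp
saml.entity.id=Dinacs
saml.metadata.paths=${liferay.home}/data/OktaMetadata.xml
saml.keystore.type=jks
saml.keystore.path=${liferay.home}/data/keystore.jks
saml.keystore.password=dinacs
# lowercase alias here does not match saml.entity.id above
saml.keystore.credential.password[dinacs]=dinacs
saml.sp.default.idp.entity.id=http://www.okta.com/placeholder-idp-id
saml.sp.sign.authn.request=true
saml.sp.assertion.signature.required=false
saml.sp.clock.skew=3000
saml.sp.user.attribute.mappings=UserName=emailAddress\nFirstName=firstName\nLastName=lastName
users.reminder.queries.enabled=false
users.screen.name.always.autogenerate=true
"""

# The same file with the two findings the linter reports fixed.
CORRECTED_PROPERTIES = SAMPLE_PROPERTIES.replace(
    "credential.password[dinacs]", "credential.password[Dinacs]"
).replace("assertion.signature.required=false", "assertion.signature.required=true")


def parse_properties(text):
    """Minimal Java .properties reader: comments, key=value / key: value, and the
    \\n escape Liferay uses to pack several attribute mappings into one value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).replace("\\n", "\n")
    return props


def parse_attribute_mappings(value):
    """'UserName=emailAddress\\nFirstName=firstName' -> {SAML attribute: Liferay field}."""
    pairs = (entry.split("=", 1) for entry in value.split("\n") if "=" in entry)
    return {attr.strip(): field.strip() for attr, field in pairs}


def lint_sp_properties(text):
    """Return (code, message) findings for an SP configuration pointing at Okta."""
    p = parse_properties(text)

    def truthy(key):
        return p.get(key, "").strip().lower() == "true"

    findings = []
    if not truthy("saml.enabled") or p.get("saml.role") != "sp":
        findings.append(("not-an-enabled-sp", "saml.enabled must be true and saml.role must be sp"))

    entity_id = p.get("saml.entity.id", "")
    cred_key = f"saml.keystore.credential.password[{entity_id}]"
    if not entity_id:
        findings.append(("missing-entity-id", "saml.entity.id is not set"))
    elif cred_key not in p:
        found = [k for k in p if k.startswith("saml.keystore.credential.password[")]
        findings.append(("credential-key-mismatch",
                         f"expected {cred_key}, found {found or 'none'}: the bracketed "
                         "name must equal saml.entity.id (the keystore alias)"))

    for key in ("saml.keystore.path", "saml.keystore.password",
                "saml.metadata.paths", "saml.sp.default.idp.entity.id"):
        if not p.get(key):
            findings.append(("missing-" + key, f"{key} is not set"))

    # Okta signs its assertions, so requiring the signature costs nothing and
    # makes Liferay reject an assertion that arrives unsigned.
    if not truthy("saml.sp.assertion.signature.required"):
        findings.append(("unsigned-assertions-accepted",
                         "set saml.sp.assertion.signature.required=true"))
    if not truthy("saml.sp.sign.authn.request"):
        findings.append(("unsigned-authn-request", "set saml.sp.sign.authn.request=true"))
    if not p.get("saml.sp.clock.skew", "").isdigit():
        findings.append(("bad-clock-skew", "saml.sp.clock.skew must be an integer"))

    fields = set(parse_attribute_mappings(p.get("saml.sp.user.attribute.mappings", "")).values())
    if "emailAddress" not in fields:
        findings.append(("no-email-mapping", "no SAML attribute is mapped to emailAddress"))
    # Assumption: without a screenName mapping, Liferay needs auto-generated screen names.
    if "screenName" not in fields and not truthy("users.screen.name.always.autogenerate"):
        findings.append(("no-screen-name",
                         "map screenName or set users.screen.name.always.autogenerate=true"))
    return findings


if __name__ == "__main__":
    for code, msg in lint_sp_properties(SAMPLE_PROPERTIES):
        print(f"{code}: {msg}")
    print("corrected file findings:", lint_sp_properties(CORRECTED_PROPERTIES))
```

Run it against the real file before restarting the server: a credential-key-mismatch means Liferay cannot open the SP's private key and signing AuthnRequests fails, and unsigned-assertions-accepted is the setting to flip before the portal faces users.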

5: Restart the server and test SSO

Open your Liferay URL. If you are not logged in, Liferay redirects you to the Okta login page; after you enter your credentials, Okta redirects back to Liferay. The user is created in the Liferay portal and is logged in.