authenticationliferaysingle-sign-onliferay-7siteminder

Liferay 7 secondary instance Siteminder SSO


We are hoping to use multi-tenancy feature of Liferay for a new implementation.

In the past versions of Liferay (prior to 7), we have been able to integrate and protect each instance of Liferay separately using Siteminder (under Control Panel -> Portal Settings -> Authentication -> Siteminder).

It seems that with Liferay 7, this is no longer possible. The Siteminder SSO configuration has been moved to with the default instance only(?) by using the token based SSO and ability specify the SSO auth request header. There does not seem to be any way to do the configuration for the secondary instances in the control panel.

Is anyone using Siteminder SSO with Liferay 7? If so, has the token based SSO worked for the default instance (ex. abc.com)? Has anyone used this for the secondary instances (ex. xyz.com)?

Any insight is much appreciated! Thanks


Solution

  • In this helps someone. I heard below from Liferay. I will be testing and will post an update:

    Token Based SSO has been elevated to a system setting in Liferay DXP. This means that when the feature is enabled it is available for every instance. There is no longer an option in Liferay itself to provide instance-level support for Token Based SSO. The SSO is enabled/disabled for every instance because it is set at the system level.

    Liferay DXP only cares that a token has been provided. What this means is that whether the token is for the right instance is up to the authentication servers being used. It is conceptually possible for each instance to be able to use its own token. This can be tested by seeing if the authentication servers lead to the right instances when they provide their tokens. If that does not work then modifying the authentication servers to ensure that they are providing the right tokens to be directed to the right instance may be the next best step.

    In regards to whether or not each instance can be individually protected, because Token Based SSO is enabled at the system level if instance level authentication is also enabled then both authentications would be hit during the log-in process. If Token Based SSO is set at the default security feature and the instance-level authentication as the secondary, then each instance can be individually protected.