Configuring Liferay Authentication With Okta Using OpenId Connect (2024)

Liferay Sites

Liferay.com Help Center

Community

Marketplace

EN (US)

العربية-المملكة العربية السعودية
català-Espanya
中文-中国
nederlands-Nederland
suomi-Suomi
français-France
deutsch-Deutschland
magyar-Magyarország
日本語-日本
português-Brasil
español-España
svenska-Sverige

Skip To Footer Skip to Content

Account

Learn

Cloud Use Liferay's Cloud infrastructure to launch your solutions more quickly and securely. Commerce Increase orders with enriching product information, easy ordering tools, and product recommendations. Content Management System Create, publish, and manage content, pages, and multimedia across different channels faster. Development and Tooling Use out-of-the-box features and development tools to deliver solutions to users faster. Digital Asset Management Use Liferay's Cloud infrastructure to launch your solutions more quickly and securely. DXP Self-Hosted Installation, Maintenance, and Administration Deploy, configure, and maintain Liferay DXP on your own infrastructure. Integration Unify systems, applications, and data with a single platform. Personalization Deliver more personalized and relevant content through enhanced segmentation, AI-generated recommendations, and A/B testing. Platform Send email notifications, test content updates, deliver solutions across multiple channels, and more with out-of-the-box platform features. Search Save users time with personalized, integrated, and organized search results. Security Protect users, data, and solutions with a platform designed with security in mind. Sites Deliver customized pages and sites on any device or channel.

Analytics Cloud Understand your audience with integrated analytics for Liferay DXP. Commerce Launch modern B2B commerce experiences on Liferay DXP. DXP Transition from legacy systems and build digital experiences on a single powerful platform.

Liferay Cloud Enterprise PaaS tailored for Liferay Digital Experience Platform. Reference Documents and resources to further help implementation.

Prerequisites

Okta Dev account
Liferay DXP environment
A user who has administrative access Okta Admin Console
A user who has administrative access to Liferay’s Control Panel

Okta Configuration

Log in to Okta Dev and navigate to Applications → Add Application → Create App Integration.
Select OIDC - OpenID Connect, under Sign-in method, and Web Application, under Application type.
Enter Liferay DXP - OIDC as the app integration name.
For grant types, select Authorization Code and Refresh Token
Enter https://[your_instance_url]/c/portal/login/openidconnect for the sign-in redirect URIs.
Enter https://[your_instance_url] for the sign-out redirect URIs.
Under assignments, select Skip group assignment for now.
Click Save.
On the Assignments tab, assign users to this application.

Note

Make sure to assign yourself and provision your own user account so that you will still be able to log in as the Liferay administrator.

Obtaining endpoint URLs

In your Okta Dev account, go to the side panel and navigate to Security → API.
Under the “Authorization Servers” tab, locate the server named default and click on it to edit its configuration.

Click on the “Metadata URI” link, which typically looks like this: https://dev-123456.okta.com/oauth2/default/.well-known/oauth-authorization-server

 issuer: "https://dev-123456.okta.com/oauth2/default" authorization_endpoint: "https://dev-123456.okta.com/oauth2/default/v1/authorize" token_endpoint: "https://dev-123456.okta.com/oauth2/default/v1/token" registration_endpoint: "https://dev-123456.okta.com/oauth2/v1/clients" jwks_uri: "https://dev-123456.okta.com/oauth2/default/v1/keys"

This will give you the necessary URLs, with the exception of /userinfo endpoint. You can construct that endpoint by combining your base URL with the Auth Server name. For example: https://dev-123456.okta.com/oauth2/default/v1/userinfo.

Liferay OIDC Configuration

Note

Your installation must have a configured connection to a mail server to send email notifications. Alternatively, you can disable the feature Require strangers to verify their email address. See Tips and Troubleshooting for more information.

On your DXP instance, navigate to Global Menu → Control Panel → Instance Settings → Security → SSO.
Go to OpenID Connect Provider Connection tab and add a new connection entry.

Fill in the fields with the data you find at the endpoint URLs, as shown in the table below.

Field	Data
Provider Name	Okta OIDC
Scopes	`scopes_supported`
Authorization Endpoint	`authorization_endpoint` url
Issuer URL	`issuer` url
JWKS URI	`jwks_uri` url
Subject Types	`subject_types_supported`
Token Endpoint	`token_endpoint` url
User Information Endpoint	Follow step 4 from obtaining endpoint URLs
OpenID Connect Client ID	Under your application’s General tab in Okta
OpenID Connect Client Secret	Under your application’s General tab in Okta

Once that is done, OpenID Connect needs to be enabled. To enable the OpenId Connect:

Navigate to Global Menu → Control Panel → Configuration → Instance Settings.
See Also
Okta and Firebox Mobile VPN with IPSec Integration Guide
Click on SSO under the security section.
Go to the OpenID Connect tab, click the Enabled checkbox and click Save.

Validation

Start your Liferay DXP instance
Click on the Sign In button and choose OpenId Connect.
Choose Client to Okta OIDC from the list.
Sign in with your Okta account.

Conclusion

Congratulations! You have successfully completed this Solution Tutorial.

Tips and Troubleshooting

Sign-in and Sign-out Redirect URIs

If you encounter an error like the image below, verify that your sign-in and sign-out redirect URIs are configured correctly in Okta with the appropriate path and Hypertext Transfer Protocol (HTTP or HTTPS). You can find them in your Dev Okta account by navigating to the application you created → General tab → General Setting → Login section.

Verify email address

By default, new users must verify their email address upon first login. To disable this requirement, in your Liferay DXP unselect the “Require strangers to verify their email address” checkbox. Navigate to Control Panel → Instance Settings → Platform → User Authentication and unselect the checkbox. However, if you want to keep email validation enabled, a configured connection to a mail server is necessary for your installation.