We are implementing OpenID Connect authentication in Liferay DXP 2026.Q1 using Red Hat SSO / Keycloak integrated with Active Directory.
Current scenario:
- Existing users authenticate using LDAP and screenName (loginName from AD).
- OIDC authentication is already working correctly for existing Liferay users.
- The OIDC provider is configured with:
  - matcherField = screenName
  - scopes = openid email profile
- The token and userinfo endpoints are working correctly.
Problem:
When a new user authenticates through SSO and does not yet exist in Liferay, the following error is generated:
com.liferay.portal.security.sso.openid.connect.internal.exception.StrangersNotAllowedException: Company 20101 does not allow strangers
We enabled:
- company.security.strangers=true
using OSGi configuration:
com.liferay.portal.security.auth.configuration.CompanyServiceConfiguration.config
After verifying through Gogo Shell, the configuration is correctly loaded.
However, the error continued until we enabled the public “Create Account” option in Liferay. Once “Create Account” was enabled, OIDC started creating new users automatically.
This behavior suggests that in Liferay DXP 2026.Q1 the OIDC auto-provisioning mechanism depends on the same validation used for public self-registration.
Our concern:
We do NOT want to allow public/manual account creation from the login page. We only want:
- automatic user provisioning through trusted SSO authentication
- no public signup capability
Current workaround:
- Keep company.security.strangers=true
- Hide the “Create Account” button from the Login widget/UI
Questions:
- Is there another supported configuration to allow automatic OIDC user creation without enabling public self-registration?
- Is there an OIDC-specific provisioning flag available in DXP 2026.Q1?
- What is the recommended enterprise approach for enabling SSO auto-provisioning while preventing public account creation?