SAML Single Sign-On (SSO) for AEM author/publish – Part 2

Enabling SSO in AEM author – SAML configuration

This is a continuation of the Part 1 blog post, which discussed the process and pre-requisites to enable SSO in the AEM author application.
This post discusses only the AEM (SP) configuration details.

Following are the Service Provider (SP) details communicated to IDP admin

Entity ID: http://dev.cq.author.domain.com:4502
Assertion Consumer Service url: /saml_login
Login type: SP initiated
SAML attributes: Subject:NameId (configured with userID value), Mail, FirstName, LastName, GroupMembership (optional)

Following are the Identity Provider (IDP) details received by the AEM admin/developer

The IDP admin creates a profile connection for the AEM author application in the IDP, such as PingFederate or Okta, and provides:
IDP certificate for SAML authentication.
IDP metadata.xml for Login and Logout URL details.

1. Configure AEM TrustStore
  • Navigate to: /libs/granite/security/content/useradmin.html
  • Select any user from the list, because TrustStore is global to AEM.
  • Under “Account settings” click on “Create TrustStore”
  • Provide a password for the TrustStore. Note down this password to be used later.
  • Click on “Manage TrustStore”.
  • Under “Add Certificate from CER file” upload the IDP certificate and uncheck “Map certificate to user”.
  • This is the same certificate received from the IDP admin. Ensure the file has a .cer extension.
  • Note down the certificate alias to be used later.

Figure 1: IDP certificate alias for uploaded .cer file.

2. Configure AEM KeyStore
  • Navigate to: /libs/granite/security/content/useradmin.html
  • Select “authentication-service”
  • Under “Account settings” click on “Create KeyStore”
  • Create the KeyStore by supplying a password. Provide the same password as in Step 1.

3. Configure Referrer Filter
  • Configure the IDP host at: /system/console/configMgr/org.apache.sling.security.impl.ReferrerFilter
  • Specify the IDP host without protocol, for example federation.domain.com (check IDP metadata.xml)
  • Check the “Allow Empty” checkbox.

Figure 2: Referrer Filter configuration in localhost AEM author.

4. Configure SAML 2.0 Authentication Handler

Navigate to the AEM configuration console (/system/console/configMgr)
Search for “Adobe Granite SAML 2.0 Authentication Handler”
Update the following SAML settings:

  1. Path: /
    “/” enables SSO for the entire AEM instance except the admin interfaces.
    If “/content” is entered, only URLs under /content are SSO enabled.
  2. Service Ranking: keep default
  3. IDP URL: enter IDP login url
    for example, https://federation.domain.com/idp/SSO.saml2 (check IDP metadata.xml)
  4. IDP certificate: Enter the certificate alias that was generated in Step 1
  5. IDP HTTP Redirect: Keep this unchecked
  6. Service Provider Entity ID: This must match the SP unique value configured in the IDP
    for example, a development author instance could be assigned the unique ID http://dev.cq.author.domain.com:4502
  7. SP Private Key Alias: This is not mandatory, leave blank
  8. Password of Key Store: Enter the password used in Step 1
  9. Default Redirect: /
  10. UserID Attribute: Keep this blank
    The SAML Subject:NameId carries the userID. Leave this setting blank so that the Subject:NameId value from the SAML response is used as the userID.
  11. Use Encryption: Keep this unchecked
  12. Autocreate CRX Users: Keep this checked
    This setting auto-provisions authenticated users in AEM.
    When a user is successfully authenticated, their profile is created in the CRX repository.
  13. Add to Groups: Keep this checked
    The authenticated user is automatically added to the default group (see below).
  14. Group Membership: keep default (groupMembership)
    If the SAML response contains groupMembership values (optional SAML attribute), those group names are used by AEM.
  15. Default Groups: contributor
    This is the group, created by the AEM admin, that the user is automatically added to after SAML authentication.
  16. NameID Policy Format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
    Ensure the datatype of Subject:NameId configured in the IDP matches this value.
    If Subject:NameId is configured with a SAML 2.0 datatype, use the same value in this setting.
  17. Synchronized Attributes:
    Mail=profile/email
    FirstName=profile/givenName
    LastName=profile/familyName
    These are the additional attributes created in the user profile, auto-provisioned after successful authentication.
  18. Handle logout: Keep checked
  19. Logout URL: Enter the IDP logout URL (check IDP metadata.xml)
    for example, https://federation.domain.com/idp/logout

Figure 3: SAML configuration settings in localhost AEM author.

5. Configure logging for SSO
  • Navigate to the AEM system console at: /system/console/configMgr
  • Search for and click on the entry called “Apache Sling Logging Logger Configuration”
  • Create a logger with the following configuration
    Log Level: Info or Debug (set to Debug for testing)
    Log File: logs/saml.log
    Logger: com.adobe.granite.auth.saml

Figure 4: SSO logging configuration in localhost AEM author.

6. Check following settings on the IDP
  • The Assertion Consumer Service (ACS) URL is the endpoint in AEM that consumes the SAML response. Check that it is specified correctly in the IDP.
    In Step 4.1, if the path is / then /saml_login is the ACS endpoint.
    If the path is /content then /content/saml_login is the ACS endpoint.
  • The SAML attribute names in Step 4 (Synchronized Attributes) are case sensitive. Check that they match the IDP configuration with the same case.
  • If for some reason the IDP server is down and users are unable to log in to AEM, it is always possible to log in directly to the CRX repository. This direct login can be used to enable/disable SAML SSO.
  • To test the SAML SSO integration between SP and IDP, there are several browser plugins, such as Firefox SAML Tracer, to inspect the request and response.

Figure 5: SAML Tracer plugin showing auth request generated from localhost AEM author.
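To see how the Step 4 settings and the Step 6 checks fit together, here is an added example (not code from this post and not Adobe's handler code) that parses a constructed, unsigned SAML response and checks it against the SP settings listed above: Destination and Recipient against the ACS endpoint derived from the handler path, Audience against the Service Provider Entity ID, the NameID Format against the NameID Policy Format, and the Synchronized Attribute names with the case-sensitive match the handler applies. The SP_CONFIG key names, the sample user jdoe, the attribute values and the group names are constructed for this example. The real handler additionally verifies the response signature with the IDP certificate from the TrustStore, which this check does not do.

```python
"""Added example: check a SAML response against the AEM SP settings from
Steps 4 and 6. Not the handler's code; it does no signature verification."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# SP settings as listed in Step 4 (hypothetical dev instance from the post).
SP_CONFIG = {
    "path": "/",
    "serviceProviderEntityId": "http://dev.cq.author.domain.com:4502",
    "nameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "synchronizeAttributes": {"Mail": "profile/email",
                              "FirstName": "profile/givenName",
                              "LastName": "profile/familyName"},
    "groupMembershipAttribute": "groupMembership",
    "defaultGroups": ["contributor"],
}


def acs_url(entity_id, path):
    """Step 6: the ACS endpoint is the handler path followed by /saml_login."""
    return entity_id + path.rstrip("/") + "/saml_login"


def check_response(xml_text, cfg):
    """Return the userID, mapped profile, groups and a list of mismatches."""
    expected_acs = acs_url(cfg["serviceProviderEntityId"], cfg["path"])
    problems = []
    root = ET.fromstring(xml_text)

    # The IDP must POST the response to the ACS endpoint for the handler path.
    if root.get("Destination") != expected_acs:
        problems.append(f"Destination != ACS {expected_acs}")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"user_id": None, "profile": {}, "groups": [], "problems": ["no Assertion"]}

    # Audience must equal the Service Provider Entity ID (Step 4.6).
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != cfg["serviceProviderEntityId"]:
        problems.append(f"Audience {audience!r} != SP Entity ID")

    # Bearer confirmation must name the ACS endpoint as Recipient.
    conf = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if conf is None or conf.get("Recipient") != expected_acs:
        problems.append("SubjectConfirmationData Recipient != ACS")

    # NameID carries the userID (UserID Attribute left blank); its Format must
    # match the NameID Policy Format setting.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    user_id = name_id.text.strip() if name_id is not None and name_id.text else None
    if name_id is None:
        problems.append("no NameID")
    elif name_id.get("Format") != cfg["nameIdFormat"]:
        problems.append(f"NameID Format {name_id.get('Format')!r} != configured policy")

    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]

    # Synchronized Attributes: exact, case-sensitive name match, as the handler does.
    profile = {}
    for saml_name, prop in cfg["synchronizeAttributes"].items():
        if saml_name in attrs:
            profile[prop] = attrs[saml_name][0]
        else:
            close = [n for n in attrs if n.lower() == saml_name.lower()]
            hint = f"; IDP sends {close[0]!r} (case differs)" if close else ""
            problems.append(f"attribute {saml_name!r} missing{hint}")

    # Default Groups plus whatever the groupMembership attribute carries.
    groups = list(cfg["defaultGroups"]) + attrs.get(cfg["groupMembershipAttribute"], [])
    return {"user_id": user_id, "profile": profile, "groups": groups, "problems": problems}


# Constructed (unsigned, abbreviated) SAML response. "lastname" is lower-case
# on purpose to show the case-sensitivity mismatch described in Step 6.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="http://dev.cq.author.domain.com:4502/saml_login">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="http://dev.cq.author.domain.com:4502/saml_login"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>http://dev.cq.author.domain.com:4502</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="Mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="groupMembership"><saml:AttributeValue>authors</saml:AttributeValue><saml:AttributeValue>dam-users</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for key, value in check_response(SAMPLE_RESPONSE, SP_CONFIG).items():
        print(f"{key}: {value}")
```

Run against the sample, the check maps Mail and FirstName into the profile, builds the group list from contributor plus the groupMembership values, and reports LastName as missing because the IDP sent lastname. Changing the path in SP_CONFIG to /content makes the ACS endpoint /content/saml_login and the same response is then flagged on both Destination and Recipient, which is the mismatch the Step 6 ACS check is meant to catch before it shows up in saml.log.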

Summary

SAML authentication is a two-way communication between the IDP and the SP. The on-boarding process varies with every organisation, but ensuring that essential details such as the EntityID, ACS URL, SAML attributes, IDP certificate and metadata are in place turns SSO integration into an iterative and manageable process.

Thanks to Abhishek Goud at TA Digital for providing configuration screenshots from AEM localhost setup.