SAML Integration on Publish Instances

In AEM 6.x, we can configure the SAML Authentication Handler. Security Assertion Markup Language (SAML) is an XML-based open-standard data format for authentication and authorization with a third-party Service Provider.

To configure SAML on AEM, follow the steps below:

Step1: Log in to the publish instance with admin credentials.

URL: http://localhost:4503/crx/de/index.jsp

Step2: After logging in, navigate to the Granite useradmin console with the URL below.


Step3: Search for the “admin” user and click on it; this opens the admin user settings page.

Step4: Now look for “Create TrustStore” and click it; a “Set TrustStore Password” window appears. Enter any password and save it.

Step5: Now click on “Manage TrustStore” on the same page; this opens the “TrustStore Management” window, where you upload the IDP certificate.

Step6: Now click Select Certificate File, upload the certificate, and then click the Submit button.

Step7: Make a note of the alias name shown in “TrustStore Management”.

Step8: Close the “TrustStore Management” window and click SAVE.

Step9: Now search for “authentication-service” in the Granite useradmin console and click on it.

Step10: Now look for “Create KeyStore” and click it. A password prompt opens; enter any password and save it.

Note: Make a note of this password, because we have to enter it in the SAML configuration.







Step11: Now open the Felix Configuration Console to configure SAML.

Step12: Now open the SAML Authentication Handler by clicking “+” to configure SAML.

Step13: This opens the configuration dialog. Configure the required fields and click SAVE.











Note: The fields below must be configured for SAML. Leave the remaining fields as they are.

  1. IDP URL (provided by the IDP)
  2. IDP Certificate Alias (the alias name noted from “TrustStore Management”)
  3. Service Provider Entity ID (provided by the IDP)
  4. Password of Key Store (the password created for the authentication-service keystore)
  5. Default Redirect (based on the requirement)

In our configuration, the values for these fields are:

  1. IDP URL: https://sso-int.i.daimler.com/idp/startSSO.ping?PartnerSpId=microsites-cms-dev

     Note: this URL will change based on environment.

  2. IDP Certificate Alias: admin#1522924961184
  3. Service Provider Entity ID: microsites-cms-dev
  4. Password of Key Store:
  5. Default Redirect: /content/saml_login

Step14: Now search for “Referrer Filter” and click the edit icon to configure the required fields.

  • Enable Allow Empty.
  • Enter the IDP DNS name in Allow Hosts and save.




Step15: Now search for “Apache Sling Authentication Service”, click edit, uncheck “Allow Anonymous Access”, and save.

Step16: Now open the Useradmin console.

Step17: Search for the “anonymous” user and remove the content and crx access on the permission tab.




Step18: Now SSH into the publish instance through the BASTION server and then switch to root.

Step19: Open the “/etc/apache2/httpd/conf.d/vhosts.conf” file and add the lines below.

<VirtualHost *:80 *:8080>
ServerName localhost
ServerAlias publish-saml.local.host.com
DocumentRoot /var/www/html/cache
ErrorLog    "${APACHE_LOG_DIR}/error.log"
TransferLog "${APACHE_LOG_DIR}/access.log"
CustomLog   "${APACHE_LOG_DIR}/request.log" "combined"
CustomLog   "${APACHE_LOG_DIR}/responsetime.log" "responsetime"
## enable rewrite engine
RewriteEngine On
## rewrite processing is logged to the error log, here at trace8
## (the most verbose level; lower it once the setup works)
LogLevel alert rewrite:trace8
## include all global settings
Include conf.d/*.include
## include access rules
Include vhost.includes.d/access.include
Header set X-DEBUG "localpublish2-saml"
## proxy the site root to the SAML login path on the publish instance ([P] needs mod_proxy)
RewriteRule ^/$ http://localhost:4503/content/saml_login [P,QSA,NC,L]
</VirtualHost>


Step20: Now restart Apache and test SAML.

Step21: To test, open the publish URL; it will redirect to the login console.

Step22: Once we enter the credentials, the page opens.
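The values from Steps 7, 13 and 14 depend on each other, and a mismatch between them is a common reason the login redirect fails. The following Python script is an added example, not part of the original walkthrough or of AEM: it cross-checks values typed in by hand under the page's field labels, and it assumes that the PartnerSpId in the IDP URL should equal the Service Provider Entity ID, as it does in the values above.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample using the page's values. Keys are the field labels from
# Steps 13 and 14, not OSGi property names; the password is a placeholder.
SAML = {
    "IDP URL": "https://sso-int.i.daimler.com/idp/startSSO.ping?PartnerSpId=microsites-cms-dev",
    "IDP Certificate Alias": "admin#1522924961184",
    "Service Provider Entity ID": "microsites-cms-dev",
    "Password of Key Store": "<keystore-password>",
    "Default Redirect": "/content/saml_login",
}
REFERRER = {"Allow Empty": True, "Allow Hosts": ["sso-int.i.daimler.com"]}
TRUSTSTORE_ALIASES = ["admin#1522924961184"]  # alias noted in Step 7
REQUIRED = tuple(SAML)  # every field listed in the Step 13 note


def audit(saml, referrer, aliases):
    """Return a list of findings; an empty list means every check passed."""
    findings = [f"{k}: empty" for k in REQUIRED if not str(saml.get(k, "")).strip()]

    idp = urlsplit(saml.get("IDP URL", ""))
    if idp.scheme != "https":
        findings.append("IDP URL: scheme is not https")
    # Assumption: PartnerSpId, when present, equals the entity ID (as on the page).
    partner = parse_qs(idp.query).get("PartnerSpId", [])
    if partner and partner[0] != saml.get("Service Provider Entity ID"):
        findings.append("IDP URL: PartnerSpId differs from Service Provider Entity ID")

    if saml.get("IDP Certificate Alias") not in aliases:
        findings.append("IDP Certificate Alias: not present in the TrustStore")

    # The redirect must be a path on this site, never an absolute or // URL.
    redirect = saml.get("Default Redirect", "")
    if not redirect.startswith("/") or redirect.startswith("//") or "\\" in redirect:
        findings.append("Default Redirect: not a local path")

    # Step 14: the Referrer Filter must list the IdP host, or its POST is rejected.
    allowed = {h.lower() for h in referrer.get("Allow Hosts", [])}
    if (idp.hostname or "") not in allowed:
        findings.append("Referrer Filter: IDP host missing from Allow Hosts")
    return findings


if __name__ == "__main__":
    for line in audit(SAML, REFERRER, TRUSTSTORE_ALIASES) or ["all checks passed"]:
        print(line)
```

Because the IDP URL changes per environment, rerun the check with each environment's values before restarting Apache.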

