Configuring SAML in AEM 5.6
Monday, February 11, 2013
Included in Adobe Experience Manager 5.6 (formerly CQ5) is a new authentication handler that acts as a SAML service provider. It ships in the "Adobe Granite SAML 2.0 Authentication Handler" bundle. In this post, I will show you how to configure it and show examples of the files needed by the Identity Provider (IdP).
The OSGi configuration for the Authentication Handler contains all the settings needed to configure AEM for either IdP-initiated login or the HTTP POST Binding. Here I will show the configuration for the HTTP POST Binding. The parameters that need to be set are IDP URL, IDP HTTP Redirect, Service Provider Entity ID, UserID Attribute, Use Encryption, and NameIDPolicy Format. Optionally, Autocreate CRX Users, Group Membership, and Add to Groups can also be used.
The IDP URL should be the URL for the profile that accepts a POST Binding on your IDP. In Shibboleth the default for this is /idp/profile/SAML2/POST/SSO. In this case, IDP HTTP Redirect should be false.
The Service Provider Entity ID should be set to a unique identifier for this service provider (usually the URL of the service provider).
The UserID Attribute is the saml2:Attribute that contains the username that the user will be logged into AEM as.
The NameIDPolicy Format is the NameID-format that you would like the IdP to return.
The Autocreate CRX Users option can be used to create users that don't already exist in CRX.
Add to Groups and Group Membership are used together to add the user to groups that already exist in CRX: Add to Groups must be true, and Group Membership should be set to the saml2 attribute that contains the group names.
Next, the private key for the service provider and the public key for the IdP need to be added to the repository. Under /etc/key in the repository, create a new node called "saml". Inside this node add a new binary property called "private" for the private key for the service provider and add a binary property called "idp_cert" for the public certificate of the IdP.
The private key must be in PKCS #8 format. To convert a PEM-encoded private key to PKCS #8 with openssl, run:
openssl pkcs8 -topk8 -inform PEM -outform DER -in in.key -nocrypt > pkcs8.key
where in.key is the key that needs converting and pkcs8.key is the result.
On the IdP side, you are going to need a metadata file that describes how the service provider and IdP are going to communicate. Below is a sample that tells the IdP where to POST the assertion back to.
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="http://www.localhost.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate> Public Key </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                 Location="http://localhost:4502/saml_login"
                                 index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
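A mismatch between this metadata and the OSGi settings (entity ID, the /saml_login endpoint, or a certificate placeholder left in the template) is the usual reason the IdP rejects or mis-routes the assertion. The following checker is an added example, not code from AEM or the Granite SAML bundle; the sample metadata and its certificate value are constructed for the run, and the function name `check_sp_metadata` is my own.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample in the shape of the metadata file above; the certificate
# text is a placeholder, not a real key.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.localhost.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:4502/saml_login" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_sp_metadata(xml_text, entity_id, aem_base_url):
    """Compare SP metadata with the handler's OSGi settings.

    Returns a list of problems; an empty list means the IdP is told the same
    entity ID and the same POST endpoint that AEM is configured with.
    """
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        return ["root element is not md:EntityDescriptor"]
    # Service Provider Entity ID in the OSGi config must equal entityID here.
    if root.get("entityID") != entity_id:
        problems.append("entityID %r != configured %r" % (root.get("entityID"), entity_id))
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return problems + ["no md:SPSSODescriptor"]
    # The IdP needs the public cert matching the private key under /etc/key/saml;
    # an empty element or the literal "Public Key" is a leftover template value.
    cert = sp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    cert_text = (cert.text or "").strip() if cert is not None else ""
    if not cert_text or cert_text == "Public Key":
        problems.append("X509Certificate is empty or still the template placeholder")
    # Assertions come back by HTTP-POST to AEM's /saml_login endpoint.
    acs = [e for e in sp.findall("md:AssertionConsumerService", NS)
           if e.get("Binding") == HTTP_POST]
    expected = aem_base_url.rstrip("/") + "/saml_login"
    if not acs:
        problems.append("no AssertionConsumerService with HTTP-POST binding")
    elif acs[0].get("Location") != expected:
        problems.append("ACS Location %r != %r" % (acs[0].get("Location"), expected))
    return problems
```

Run it against the metadata you hand to the IdP with the same entity ID and AEM base URL you put in the OSGi configuration; any non-empty result points at a value to fix before testing the login.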
And with that, AEM 5.6 is set up to use a SAML IdP for single sign-on.