What is Single Sign-On (SSO)?
Single Sign-On (SSO) is a session and user authentication service that lets a user use one set of login credentials (e.g., username and password) to access multiple applications. SSO eliminates further username/password prompts when the user switches between applications during the same browser session. Centralizing authentication this way also makes it easier to log user activity, monitor user accounts, disable an account when a user leaves the organization, and manage passwords in one place.
Enabling AEM author/publish for SP-initiated SSO
In this post, we look at the prerequisites for enabling SSO with SAML 2.0 authentication for AEM author. These prerequisites are based on the on-boarding process with PingFederate as the IDP, but the process is broadly similar for other Identity Providers that support the SAML 2.0 standard. The same configuration and process can be followed for publish as well. Normally, users log in to AEM author/publish instances with a username/password issued by AEM admins. With AEM's Adobe Granite SAML 2.0 Authentication Handler, users can instead log in with their organization credentials for a seamless SSO experience.
What is an IDP/SP?
For the purposes of this post, the Identity Provider (IDP) is PingFederate and the Service Provider (SP) is the AEM author/publish application.
Why SP-initiated login?
The SAML protocol provides two types of login: IDP-initiated and SP-initiated.
In IDP-initiated login, the organization assigns a URL to the author/publish application (also known as a vanity URL), typically of the form <appName>.sso.domain.com. Opening this URL in the browser triggers the SSO login flow at the IDP, which returns a SAML response to the browser and creates a session for the user. This IDP URL is not preferred: it does not allow bookmarking, and it is not widely used by AEM developers. Moreover, because the SAML response does not answer any AuthnRequest sent by the application, it is an unsolicited response (it carries no InResponseTo the SP could check against), and some organizations disallow such logins for that reason.
Typically, a dev author URL is of the form http://dev.cq.author.domain.com:4502. This URL is well known to AEM developers and used routinely to access the application. Accessing it triggers the SAML authentication handler, which sends a SAML AuthnRequest to the IDP; the IDP authenticates the user and returns a SAML response to the application's ACS URL, creating a browser session for the user. This explicit SAML request/response exchange is preferred by many organizations because it enables better audit tracing, lets the SP verify that each response answers a request it actually issued, and keeps the SP application in control of the SAML configuration.
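To make the difference between the two login types concrete, here is an added example; it is not code from the post and not AEM's handler, which performs these steps internally. It builds the AuthnRequest an SP sends under the HTTP-Redirect binding, using the post's example URLs, and then applies the correlation checks that are only possible for an SP-initiated login: the response must carry an InResponseTo matching an outstanding request, be addressed to this SP's ACS URL, and be consumed only once. The samlp:Response is constructed, unsigned and minimal; signature, Status, Conditions and SubjectConfirmation checks, which a real handler must also perform, are omitted.

```python
import base64
import secrets
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoints taken from the post's example deployment.
SP_ENTITY_ID = "http://dev.cq.author.domain.com:4502"
ACS_URL = "http://dev.cq.author.domain.com:4502/saml_login"
IDP_SSO_URL = "https://federation.domain.com/idp/SSO.saml2"

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": NS_P, "saml": NS_A}

# IDs of AuthnRequests this SP has sent and not yet seen answered.
# A real SP keeps this per browser session; a dict is enough to show the check.
pending_requests = {}


def build_authn_request(request_id=None, issue_instant=None):
    """SP-initiated login, step 1: the SP creates an AuthnRequest and remembers its ID."""
    request_id = request_id or "_" + secrets.token_hex(16)
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{NS_P}" xmlns:saml="{NS_A}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"  # Issuer is the SP Entity ID
        "</samlp:AuthnRequest>"
    )
    pending_requests[request_id] = issue_instant
    return request_id, xml


def redirect_url(authn_request_xml, relay_state):
    """HTTP-Redirect binding: raw DEFLATE, Base64, then URL-encode into the query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state}
    return f"{IDP_SSO_URL}?{urlencode(params)}"


def decode_saml_request(url):
    """What the IDP does on receipt: reverse the redirect-binding encoding."""
    qs = parse_qs(urlparse(url).query)
    return zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15).decode()


def make_response(in_response_to, destination=ACS_URL, name_id="jroberts"):
    """Constructed, unsigned samlp:Response for illustration only (a real one is signed)."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (
        f'<samlp:Response xmlns:samlp="{NS_P}" xmlns:saml="{NS_A}" ID="_resp1" Version="2.0" '
        f'IssueInstant="2017-10-08T10:00:00Z" Destination="{destination}"{irt}>'
        "<saml:Issuer>https://federation.domain.com</saml:Issuer>"
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-10-08T10:00:00Z">'
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        "</saml:Assertion></samlp:Response>"
    )


def check_response(response_xml):
    """Correlation checks an SP can only make for SP-initiated login.

    Signature, Status, Conditions (NotOnOrAfter, AudienceRestriction) and
    SubjectConfirmation checks are also mandatory and are omitted here.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS_P}}}Response":
        return {"ok": False, "reason": "not a samlp:Response"}
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        return {"ok": False, "reason": "unsolicited response (IDP-initiated): no InResponseTo"}
    if in_response_to not in pending_requests:
        return {"ok": False, "reason": "InResponseTo matches no outstanding request"}
    if root.get("Destination") != ACS_URL:
        return {"ok": False, "reason": "Destination is not this SP's ACS URL"}
    pending_requests.pop(in_response_to)  # one-shot: the same response cannot be replayed
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    return {"ok": True, "user_id": name_id.text if name_id is not None else None}


if __name__ == "__main__":
    rid, req = build_authn_request()
    print(redirect_url(req, "/content/dam"))
    print(check_response(make_response(rid)))   # accepted, user_id jroberts
    print(check_response(make_response(rid)))   # rejected: request already consumed
    print(check_response(make_response(None)))  # rejected: unsolicited
```

The RelayState is what lets the SP return the user to the page they originally requested after the round trip, which is the bookmarking point made above; the pending-request table is what an IDP-initiated flow has no equivalent for.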
Process and Pre-requisites
1. Every organization has some form of SSO on-boarding process. Federated authentication is typically provided by the team that controls and manages LDAP/AD user accounts. Find out whom to contact to initiate the SSO on-boarding process for your AEM author instance.
2. Assign an SP Entity ID for the AEM author instance, e.g. http://dev.cq.author.domain.com:4502 (in this case the SP Entity ID is the same as the URL, but it is an identifier, not an address that gets fetched). Provide this Entity ID to the Ping admins; it uniquely identifies the author instance within the IDP and is the Issuer value the AEM handler sends in its SAML requests.
3. Provide the Assertion Consumer Service (ACS) URL for your AEM author application to the Ping admins. The AEM handler exposes the ACS endpoint as saml_login under the path it is configured to protect:
If you decide to apply security from the root "/" path, the ACS URL is http://dev.cq.author.domain.com:4502/saml_login
If you decide to apply security from "/content", the ACS URL is http://dev.cq.author.domain.com:4502/content/saml_login
The dev examples use plain http; outside local development the ACS URL should be HTTPS, since the SAML response carrying the assertion is posted to it.
4. Ensure the 'SP Profile' option is enabled for the AEM author instance in the PingFederate admin console.
5. Receive the IDP signing certificate (usually with a .crt file extension) and the IDP metadata.xml file from the PingFederate admins.
6. At this point, a PingFederate connection will have been created for your AEM author instance.
7. If the IDP certificate has a .crt extension, rename the file to .cer. This can be done on the command line; for example, on Windows: rename idp_cert.crt idp_cert.cer (on Linux/macOS: mv idp_cert.crt idp_cert.cer). Renaming changes only the extension, not the encoding: a .crt or .cer file may be PEM (Base64 text between BEGIN CERTIFICATE / END CERTIFICATE lines) or DER (binary). If the truststore rejects the file, check which form it is with openssl x509 -in idp_cert.cer -noout -subject -enddate (add -inform DER if that fails) and convert with openssl x509 -inform PEM -outform DER; the -enddate output also tells you when the certificate will need rotating.
8. From the IDP metadata.xml received, note down the IDP Login and IDP Logout URLs: these are the Location attributes of the SingleSignOnService and SingleLogoutService elements inside the IDPSSODescriptor. For example:
For example, IDP Login url – https://federation.domain.com/idp/SSO.saml2
IDP Logout url – https://federation.domain.com/idp/logout
9. Ask the Identity Provider to send the following SAML attributes: Mail, FirstName, LastName.
10. Ask the Identity Provider to put the user ID in the SAML Subject/NameID element.
This allows users to be auto-provisioned into the CRX repository.
The user ID is the unique identity by which the organization identifies its users; the CRX repository uses the same user ID to uniquely identify AEM users. For example, if John Roberts is an AEM developer, their user ID will probably be jroberts.
11. Optionally, ask the Identity Provider to send a groupMembership attribute carrying the groups this user belongs to.
In many organizations, every LDAP/AD user is a member of certain groups by default. AEM admins may want to leverage these groups instead of creating new ones in the CRX repository.
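As an added example (not from the post, and not AEM's own tooling), the following Python script does the bookkeeping behind steps 5, 7 and 8: it reads an IDP metadata.xml, extracts the IDP Entity ID, the SingleSignOnService and SingleLogoutService locations per binding, and the signing certificate, and writes the certificate out as a .cer file in DER form. The metadata is constructed using the post's example URLs; the IDP Entity ID https://federation.domain.com and the certificate bytes are placeholders, not a real PingFederate certificate. load_cert_bytes shows the PEM-versus-DER distinction that the rename in step 7 does not address, and fingerprint gives a value to confirm with the IDP admins out of band before trusting the certificate.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for the IDP signing certificate (not a real X.509 certificate);
# real metadata carries the Base64-encoded DER of the IDP's signing certificate here.
FAKE_DER = b"constructed placeholder, not a real certificate"
FAKE_B64 = base64.b64encode(FAKE_DER).decode()

# Constructed IDP metadata using the post's example URLs; the entity ID is assumed.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://federation.domain.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {FAKE_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://federation.domain.com/idp/logout"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://federation.domain.com/idp/SSO.saml2"/>
    <md:SingleSignOnService Binding="{POST}" Location="https://federation.domain.com/idp/SSO.saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Extract the values steps 5, 7 and 8 ask for from IDP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IDP metadata")
    info = {"entity_id": root.get("entityID"), "sso": {}, "slo": {}, "signing_certs": []}
    for svc in idp.findall("md:SingleSignOnService", NS):
        info["sso"][svc.get("Binding")] = svc.get("Location")
    for svc in idp.findall("md:SingleLogoutService", NS):
        info["slo"][svc.get("Binding")] = svc.get("Location")
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # a missing 'use' means signing and encryption
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            # Base64 in metadata is usually wrapped across lines; strip all whitespace first.
            info["signing_certs"].append(base64.b64decode("".join(cert.text.split())))
    return info


def load_cert_bytes(data):
    """Accept a .crt/.cer file body in either PEM or DER form and return DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        body = data.split(b"-----BEGIN CERTIFICATE-----", 1)[1]
        body = body.split(b"-----END CERTIFICATE-----", 1)[0]
        return base64.b64decode(b"".join(body.split()))
    return data  # already DER


def to_pem(der):
    """DER -> PEM, for truststores that want the text form."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def fingerprint(der):
    """SHA-256 of the DER bytes; confirm this with the IDP admins before trusting the cert."""
    return hashlib.sha256(der).hexdigest()


def write_cer(der, path):
    with open(path, "wb") as f:  # DER is binary
        f.write(der)


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print("IDP Entity ID :", info["entity_id"])
    print("IDP Login URL :", info["sso"][REDIRECT])
    print("IDP Logout URL:", info["slo"][REDIRECT])
    for der in info["signing_certs"]:
        print("cert sha256   :", fingerprint(der))
        write_cer(der, "idp_cert.cer")
```

Which SingleSignOnService entry to use depends on the binding the SP handler sends its AuthnRequest with; the HTTP-Redirect location is printed here on the assumption that it is the one in use, and PingFederate commonly publishes the same URL for both bindings, as the constructed sample does.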
Summary:
Enabling SSO in AEM is not merely a set of configuration changes; it is an interactive process with the Identity Provider that includes the exchange of IDP/SP metadata. In the case of AEM author/publish applications, SP metadata is not generated automatically, so AEM admins should come to the on-boarding process armed with the prerequisites for SAML 2.0 authentication. At a minimum, the SP Entity ID, the Assertion Consumer Service URL, the login type (IDP-initiated or SP-initiated), and the attributes required in the SAML response must be agreed with the Identity Provider. Once a profile connection is provisioned at the IDP and the metadata and certificate have been received, the AEM author instance can be configured.
Source: https://labs.tadigital.com/index.php/2017/10/08/saml-single-sign-on-sso-for-aem-authorpublish-part-1/