Enabling SSO in AEM author – SAML configuration
This is a continuation of Part 1 blog post which discussed process and pre-requisites to enable SSO in AEM author application.
This post discusses only AEM (SP) configuration details.
Following are the Service Provider (SP) details communicated to IDP admin
Entity ID: http://dev.cq.author.domain.com:4502
Assertion Consumer Service url: /saml_login
Login type: SP initiated
SAML attributes: Subject:NameId (configured with userID value), Mail, FirstName, LastName, GroupMembership (optional)
Following are the Identity Provider (IDP) details received by AEM admin/developer
Create a profile connection for AEM author application in IDP, such as PingFederate or Okta
Provide an IDP certificate for SAML auth.
Provide IDP metadata.xml for Login and Logout url details.
1. Configure AEM TrustStore
· Navigate to: /libs/granite/security/content/useradmin.html
· Select any user from the list because TrustStore is global to AEM.
· Under “Account settings” click on “Create TrustStore”
· Provide a password for the TrustStore”. Note down this password to be used later.
· Click on “Manage TrustStore”.
· Under “Add Certificate from CER file” Upload the IDP certificate and uncheck “Map certificate to the user”
· This is the same certificate received from IDP admin. Ensure this certificate is .cer extension
· Note down certificate alias to be used later.Figure 1: IDP certificate alias for uploaded .cer file.
2. Configure AEM KeyStore
· Navigate to: /libs/granite/security/content/useradmin.html
· Select “authentication-service”
· Under “Account settings” click on “Create KeyStore”
· Create KeyStore by supplying the password. Provide the same password as in Step 1.
3. Configure Referrer Filter
· Configure IDP host at: /system/console/configMgr/org.apache.sling.security.impl.ReferrerFilter
· Specify IDP host without protocol, for example, federation.domain.com (check IDP metadata.xml)
· Check the “Allow Empty” checkbox.
Figure 2: Referrer Filter configuration in localhost AEM author.
4. Configure SAML 2.0 Authentication Handler
Navigate to AEM configuration console (/system/console/configMgr)
Search for “Adobe Granite SAML 2.0 Authentication Handler”
Update following SAML settings:
1. Path: /
“/” enables entire AEM for SSO except for admin interfaces.
if “/content” is entered any url under /content is SSO enabled.
2. Service Ranking: keep the default
3. IDP URL: enter IDP login url
for example, https://federation.domain.com/idp/SSO.saml2 (check IDP metadata.xml)
4. IDP Certificate: Enter the alias name that was generated in Step 1
5. IDP HTTP Redirect: Keep this unchecked
6. Service Provider Entity ID: This should match with the SP Unique value mentioned in IDP
for example, development author instance could be assigned unique ID http://dev.cq.author.domain.com:4502
7. SP Private Key Alias: This is not mandatory, leave blank
8. Password of Key Store: Enter the password used in Step 1
9. Default Redirect: /
10.UserID Attribute: Keep this blank
11.SAML tag Subject:NameId contains userID. Leave this setting blank to use the value from SAML response userID
12.Use Encryption: Keep this unchecked
13.Autocreate CRX Users: Keep this checked
This setting auto-provisions authenticated users in AEM.
When a user is successfully authenticated their profile is created in the CRX repository.
14. Add to Groups: Keep this checked
The authenticated user is automatically added to default group (see below)
15.Group Membership: keep the default (groupMembership)
If SAML response contains groupMembership values (optional SAML attribute) then those group names are used by AEM.
16.Default Groups: contributor
This is the group name added by AEM admin that user is automatically added to after SAML authentication
17.NameID Policy Format : urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Ensure datatype of Subject:NameId configured in IDP matches this value.
If Subject:NameId is configured with SAML 2.0 datatype then use the same value in this setting.
18.Synchronized Attributes:
Mail=profile/email
FirstName=profile/givenName
LastName=profile/familyName
These are the additional attributes created in the user profile, auto-provisioned after successful authentication.
19. Handle logout: Keep checked
20.Logout URL: Enter IDP logout url (check IDP metadata.xml)
for example, https://federation.domain.com/idp/logout
Figure 3: SAML configuration settings in localhost AEM author.
5. Configure logging for SSO
· Navigate to AEM system console at: /system/console/configMgr
· Search for and click on the entry called “Apache Sling Logging Logger Configuration”
· Create a logger with the following configuration
Log Level: Info or debug (set to debug for testing)
Log File: logs/saml.log
Logger: com.adobe.granite.auth.saml
Figure 4: SSO logging configuration in localhost AEM author.
6. Check following settings on the IDP
· Assertion Consumer Service (ACS) url is the endpoint in AEM that consumes SAML response. Check this is specified correctly in IDP.
In Step 4.1, if path: / then /saml_login is ACS endpoint.
If the path: /content then /content/saml_login is ACS endpoint.
· In Step 4.17, SAML attributes are case sensitive. Check they match with the same case in IDP.
· If for some reason IDP server is down and users unable to login to AEM, it is always possible to login directly into the CRX repository. This backdoor entry can be used to enable/disable SAML SSO.
· To test SAML SSO integration between SP and IDP, there are several browser plugins such as Firefox SAML Tracer to check requests and responses. Figure 5: SAML Tracer plugin showing auth request generated from localhost AEM author.
Summary:
SAML authentication is a 2-way communication between IDP and SP. The on-boarding process varies with every organization but ensuring essential details such as EntityID, ACS url, SAML attributes, IDP certificate, and metadata are in place, streamlines SSO integration into an iterative and manageable process. Source: https://labs.tadigital.com/index.php/2017/10/10/saml-single-sign-on-sso-for-aem-authorpublish-part-2/
No comments:
Post a Comment
If you have any doubts or questions, please let us know.