In this post I would like to show you how to integrate SAML with AEM 6.1 so that your site is ready for SSO. First I'll walk you through the main concepts, then I'll show what to change in AEM. Afterwards, when you log in to the instance as an author, the site will redirect you to the Google login.
Understanding SSO and SAML
Single sign-on (SSO) is a session and user authentication service that lets a user log in once, typically with a user name and password, and then access multiple applications. A good example of its power is the Google ecosystem, which gives access to all of its enterprise cloud applications through a single login: when the user opens their email, the system asks for credentials; once logged in, the user can read email, but also create documents in Google Drive and more. For third-party applications, Google exchanges authentication and authorization data between parties, in particular between an identity provider (IdP) and a service provider (SP), using SAML (Security Assertion Markup Language), an XML-based open standard of the OASIS Security Services Technical Committee.
If you need to enable SSL (the SAML Response is posted by the browser to the AEM URL you register with the IdP, so that URL should be HTTPS), check this page for more info:
https://docs.adobe.com/docs/en/aem/6-1/deploy/configuring/config-ssl.html
The following image clarifies the communication between an Identity Provider, a Service Provider and the user.
Now let's focus on AEM. These are the steps I went through to integrate SAML with AEM.
Step 1: Create your App and Users in Google Admin Console
Go to admin.google.com and log in with an administrator account of your company.
Then click on the Apps section.
Then click on the SAML apps section.
Here you can see all the SAML apps created for you. Let's create one by clicking the blue button with the plus symbol. The images below show this process.
After clicking it, a pop-up appears with the title “Enable SSO for SAML Application”; at the bottom of the pop-up there is another option, “SETUP MY OWN CUSTOM APP”. Click it.
Then work through the setup steps.
Here Google generates the IdP information (SSO URL and Entity ID) and the certificate it signs assertions with, which we will use later; download the certificate.
Then complete the Service Provider details (the ACS URL and Entity ID of your AEM instance) with your data.
In the last step, after completing the basic and contact information attributes, take special care with the attribute mapping: the Google user field SsoLogin is mapped to a SAML attribute called aemUserName, which AEM will use as the user ID:
The last thing to configure in the Google Admin Console is the users. Each user must exist both here and in the AEM instance so that the data can be mapped.
Go to the Google Admin Console, click on the left menu, then Users, fill in the data and you will end up with something like this image shows:
The value of SsoLogin must equal the User ID of the AEM user.
Step 2: Creating Users in AEM
Follow Adobe's instructions on this page:
https://docs.adobe.com/docs/en/aem/6-1/administer/security/security.html.
For this example, we make the user a member of the Administrators and Authors groups. In a real deployment grant only the groups the user actually needs, since a compromised Google account would inherit all of them.
Step 3: Configuring IDP TrustStore
Remember the “.pem” Google certificate we downloaded while creating the SAML App in the Google Admin Console. Now it's time to use it in AEM.
In your instance, go to the Users section as in the previous step, search for the user called “authentication-service” and edit it. Under Account Settings click Create TrustStore, enter a password, press Save and then click “Manage TrustStore”; this pop-up is shown:
Select the certificate file (“.pem”) and Submit. A new row is created with some certificate information. Note the generated alias, because we will need it in the SAML handler configuration, and the expiry date, because the certificate in the TrustStore has to be replaced when Google rotates it.
Step 4: Configure the SAML handler in CRX
Create an OSGi configuration; inside it, create a node with these properties:
For more info go to:
https://docs.adobe.com/docs/en/aem/6-1/deploy/configuring/configuring-osgi.html
https://docs.adobe.com/docs/en/aem/6-1/administer/security/saml-2-0-authenticationhandler.html
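As an added example (not the node from the original post, whose screenshot is not reproduced here), this is the same configuration expressed as a sling:OsgiConfig node in a .content.xml, the form you would check into a content package under /apps/<project>/config. The PID and property names are those of the AEM 6.1 SAML handler; the values are placeholders I chose (the idpid in the Google SSO URL, the AEM host name, the TrustStore alias, the key store password) and the -google suffix on the node name is my choice, because the handler is a factory configuration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- /apps/myproject/config/com.adobe.granite.auth.saml.SamlAuthenticationHandler-google/.content.xml
     Example configuration, not taken from the original post. All values are placeholders. -->
<jcr:root xmlns:sling="http://sling.apache.org/jcr/sling/1.0"
          xmlns:jcr="http://www.jcr.org/jcr/1.0"
          jcr:primaryType="sling:OsgiConfig"
    path="[/]"
    serviceRanking="{Long}5002"
    idpUrl="https://accounts.google.com/o/saml2/idp?idpid=YOUR_IDP_ID"
    idpCertAlias="certalias___1234567890"
    serviceProviderEntityId="https://aem.example.com"
    assertionConsumerServiceURL="https://aem.example.com/saml_login"
    keyStorePassword="changeit"
    defaultRedirectUrl="/"
    userIDAttribute="aemUserName"
    useEncryption="{Boolean}false"
    createUser="{Boolean}false"
    addGroupMemberships="{Boolean}false"
    defaultGroups="[]"
    nameIdFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
    handleLogout="{Boolean}false"
    clockTolerance="{Long}60"/>
```

A few of these values carry the security decisions of the setup. idpCertAlias is the alias the TrustStore generated in Step 3; the handler only accepts Responses whose signature verifies against that certificate, so a wrong alias is a hard failure, not a silent downgrade. userIDAttribute="aemUserName" is the SAML attribute mapped from SsoLogin in Step 1, which is why its value has to match the AEM User ID. createUser and addGroupMemberships are false because the post creates the users and their groups by hand in AEM (Step 2); set createUser to true only if you want AEM to provision accounts for anyone the IdP asserts, and then keep defaultGroups minimal. idpUrl is the SSO URL from the Google IdP information, serviceProviderEntityId and assertionConsumerServiceURL must match the Entity ID and ACS URL you entered as Service Provider details, nameIdFormat should match the Name ID format chosen in the Google app, and keyStorePassword is only relevant if the authentication-service user also has a key store with an SP signing key. handleLogout stays false because Google does not offer a SAML single-logout endpoint; AEM ends its own session and the next request starts a new login at Google, which is the behaviour described at the end of the post. clockTolerance is the skew, in seconds, allowed on the assertion's NotBefore/NotOnOrAfter window; keep it small.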
Step 5: Allow Google in the Referrer Filter
The Referrer Filter service is an OSGi service that lets you configure:
which HTTP methods should be filtered
whether an empty referrer header is allowed
a whitelist of servers allowed in addition to the server host.
Upon successful authentication, the IdP sends the SAML Response to the Service Provider, via the browser, as a POST to the ACS URL you registered with the IdP. The host of the IdP page that performs this POST must be added to the Sling Referrer Filter allow list for AEM to accept the request.
This picture shows the configuration in the Adobe Experience Manager Web Console Configuration (../system/console/configMgr):
And this is how it looks in CRX:
For more info about Referrer Filter go to:
https://docs.adobe.com/docs/en/aem/6-1/author/authoring-mobile-apps/setting-your-referrer-filter-to-allow-empty.html
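The same Referrer Filter setting as a sling:OsgiConfig node, added here as an example and not taken from the original post's screenshot. The PID and property names are those of the Sling Referrer Filter shipped with AEM 6.1; the project path is mine.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- /apps/myproject/config/org.apache.sling.security.impl.ReferrerFilter/.content.xml
     Example configuration, not taken from the original post. -->
<jcr:root xmlns:sling="http://sling.apache.org/jcr/sling/1.0"
          xmlns:jcr="http://www.jcr.org/jcr/1.0"
          jcr:primaryType="sling:OsgiConfig"
    allow.empty="{Boolean}false"
    allow.hosts="[accounts.google.com]"
    allow.hosts.regexp="[]"
    filter.methods="[POST,PUT,DELETE,COPY,MOVE]"/>
```

Only the host name goes into allow.hosts; the SAML Response is auto-submitted from a page on accounts.google.com, so that is the Referer AEM will see. Leave allow.empty false: allowing an empty Referer would also let any origin that suppresses the header post to AEM, which removes most of the CSRF protection the filter provides. Prefer allow.hosts over allow.hosts.regexp for the same reason; a loose pattern such as .*google.* would also match attacker-controlled host names.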
From now on, every time you access your site the system redirects you to the Google login if you have not logged in yet; otherwise you get in directly. If you log out, the system redirects you to the Google login page.
If you have any doubts or questions, please let us know.