SAML Integration with AEM
SAML (Security Assertion Markup Language) is the key technology through which we can achieve SSO (Single Sign-On).
Adobe Experience Manager (AEM) 6.x ships with a SAML authentication handler by default.
How to configure SAML in AEM?
SAML can be configured in AEM in a few simple steps:
- Go to AEM Home → Tools → Security → click on Trust Store, as shown below.
- Click on Create TrustStore. It will ask you for a password; enter a password of your choice.
Now upload your IDP certificate (*.cer file) here.
Here I have not shown the certificate details and alias.
Note: Copy the Alias field value; it is required in the Authentication Handler configuration for the “IDP Certificate Alias” property.
- Now go to AEM Home → Tools → Security → Users and search for the “authentication-service” user.
- Open its properties and click on the KeyStore tab. Click on Create KeyStore, provide a password and retype it. Note down this password; it will be used later.
- Go to /system/console/configMgr, search for “Adobe Granite SAML 2.0 Authentication Handler” and add a configuration as shown below.
Here is the list of properties (for reference) which need to be updated.
| Property | Value |
|---|---|
| Path | / |
| Service Ranking | A high value so that this handler has maximum priority, for example 5033 |
| IDP URL | Client IDP URL |
| IDP Certificate Alias | The alias value you copied earlier after adding the .cer file |
| Service Provider Entity ID | Entity ID of your service provider |
| Password of Key Store | The KeyStore password you noted down earlier |
| Default Redirect | The URL to redirect to once you have signed in successfully at your IDP |
| Use Encryption | Uncheck |
| Autocreate CRX Users | Uncheck |
Note: Use your environment-specific values.
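The table above lists the configMgr labels; what actually gets persisted is an OSGi configuration with property names behind those labels. The following is an added example (not code from the original post or from Adobe) of a pre-deployment check over such a configuration: it verifies the values the tutorial asks for (handler path `/`, a positive service ranking, non-empty alias, entity ID and keystore password) and flags the two unchecked options as things to be aware of. The PID and property names are the ones I know for the AEM 6.x SAML handler and should be confirmed against your instance's configMgr; the hostnames, alias and password in the sample are constructed placeholders; the https and site-relative-redirect checks are my own recommendations, not from the tutorial.

```python
from typing import Dict, List, Tuple

# Constructed sample in the shape of the OSGi configuration behind the
# "Adobe Granite SAML 2.0 Authentication Handler" entry in configMgr.
# PID and property names as I know them for AEM 6.x (assumption: verify
# against your own instance); all values below are placeholders.
SAML_HANDLER_PID = "com.adobe.granite.auth.saml.SamlAuthenticationHandler"
SAMPLE_CONFIG: Dict = {
    "path": ["/"],                                            # Path
    "service.ranking": 5033,                                  # Service Ranking
    "idpUrl": "https://idp.example.test/saml/sso",            # IDP URL (placeholder)
    "idpCertAlias": "idp-alias-copied-from-truststore",       # IDP Certificate Alias (placeholder)
    "serviceProviderEntityId": "https://aem.example.test/",   # Service Provider Entity ID (placeholder)
    "keyStorePassword": "change-me",                          # Password of Key Store (placeholder)
    "defaultRedirectUrl": "/content/saml-tutorial/us/en.html",  # Default Redirect (placeholder)
    "useEncryption": False,                                   # Use Encryption: unchecked
    "createUser": False,                                      # Autocreate CRX Users: unchecked
}

Finding = Tuple[str, str, str]  # (severity, property, message)


def check_saml_handler_config(cfg: Dict) -> List[Finding]:
    """Return errors for values that contradict the tutorial's table and
    informational findings for settings an operator should be aware of."""
    findings: List[Finding] = []

    def err(prop: str, msg: str) -> None:
        findings.append(("error", prop, msg))

    def info(prop: str, msg: str) -> None:
        findings.append(("info", prop, msg))

    if cfg.get("path") != ["/"]:
        err("path", "the tutorial expects the handler to cover '/'")
    ranking = cfg.get("service.ranking", 0)
    if not isinstance(ranking, int) or ranking <= 0:
        err("service.ranking", "must be a positive integer so this handler outranks the default login form")
    if not str(cfg.get("idpUrl", "")).startswith("https://"):
        err("idpUrl", "the redirect to the IdP should use https")          # my recommendation
    for prop in ("idpCertAlias", "serviceProviderEntityId", "keyStorePassword"):
        if not cfg.get(prop):
            err(prop, "must not be empty")
    if not str(cfg.get("defaultRedirectUrl", "")).startswith("/"):
        err("defaultRedirectUrl", "use a site-relative path so the post-login redirect stays on this host")  # my recommendation
    if cfg.get("useEncryption") is False:
        info("useEncryption", "assertions are checked by signature only and are not encrypted for the SP key")
    if cfg.get("createUser") is False:
        info("createUser", "users are not auto-created; every SAML subject must already exist in CRX")
    return findings


def has_errors(findings: List[Finding]) -> bool:
    return any(severity == "error" for severity, _, _ in findings)


if __name__ == "__main__":
    for severity, prop, msg in check_saml_handler_config(SAMPLE_CONFIG):
        print(f"[{severity}] {SAML_HANDLER_PID}/{prop}: {msg}")
```

Run it against the dictionary you intend to ship (for example the parsed contents of a `.cfg.json` or `.config` file under `/apps`) before deploying; anything reported as an error contradicts the tutorial's table, while the two informational lines simply restate what unchecking Use Encryption and Autocreate CRX Users implies.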
- In the Configuration Console search for “Authentication Service” and add a new configuration as shown below.
Here is the list of properties which need to be updated.
| Property | Value |
|---|---|
| Allow Anonymous Access | Uncheck |
| Authentication Requirements | The entries listed below, one per line |

+/libs/granite/oauth/content/authorization
-/libs/granite/core/content/login
-/apps/granite/core/content/login
-/etc/clientlibs/granite
-/etc.clientlibs
-/content/saml-tutorial/us/en/login-page
-/libs/granite
-/home/users/U/U4Q8M9hoohm4Q11CHML (anonymous user permission)
-/crx/de

Note: For the -/home/users/U/U4Q8M9hoohm4Q11CHML entry, check the anonymous user ID; it may differ between AEM instances.
- Give “read” permission to the anonymous user for each path listed in the “Authentication Requirements” field of the “Sling Authentication Service”.
- In the Configuration Console search for “Sling Referrer Filter” and add the required Allow Hosts / Allow Regexp Host entries as shown below.
Here is the list of properties which need to be updated.
| Property | Value |
|---|---|
| Allow Empty | Uncheck |
| Allow Hosts | Add all the host entries which are used for SAML authentication |
| Allow Regexp Host | Allow all the hosts here |
- Add the following rules to the dispatcher filter:
/041 { /type "allow" /method "GET" /path "/content/saml_login" }
/042 { /type "allow" /method "POST" /path "/content/saml_login" }
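The Authentication Requirements step and the dispatcher filter step above are two path-based gates that every request passes in turn, and it is easy to lose track of which one lets a given URL through. The following is an added example (my own code, not from the original post or from Adobe/Apache) that models both gates over the tutorial's values: the dispatcher evaluates its rules in order and the last matching rule wins, with the usual `/0001` deny-all rule and an assumed `/0002` rule allowing GET on `/content/*` placed in front of the tutorial's `/041` and `/042` entries; Sling then picks the longest matching Authentication Requirements entry, where `+` forces a login and `-` lets the request through anonymously, and also treats the SAML handler's own Path (`/`) as a `+` entry, which is why the tutorial only needs `-` exclusions. The prefix-matching rule (the path itself, its children, and selector/extension variants such as `login.html`) is my approximation of Sling's behaviour. Note that a `-` entry only means Sling will not force a login; the “read” permission step still decides what the anonymous user can actually see, and the dispatcher blocks paths such as `/crx/de` long before Sling is consulted.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional


# --- Gate 1: dispatcher filter (rules in order, last match wins) -----------
@dataclass(frozen=True)
class DispatcherRule:
    name: str
    allow: bool
    method: Optional[str] = None   # None matches any method
    path: Optional[str] = None     # glob matched against the request path
    glob: Optional[str] = None     # glob matched against the whole request line

    def matches(self, method: str, path: str) -> bool:
        if self.glob is not None:
            return fnmatchcase(f"{method} {path} HTTP/1.1", self.glob)
        if self.method is not None and self.method != method:
            return False
        return self.path is None or fnmatchcase(path, self.path)


DISPATCHER_RULES: List[DispatcherRule] = [
    DispatcherRule("/0001", allow=False, glob="*"),                        # usual deny-all opener (assumed present)
    DispatcherRule("/0002", allow=True, method="GET", path="/content/*"),  # assumed site rule: pages are readable
    DispatcherRule("/041", allow=True, method="GET", path="/content/saml_login"),   # from the tutorial
    DispatcherRule("/042", allow=True, method="POST", path="/content/saml_login"),  # from the tutorial
]


def dispatcher_allows(method: str, path: str, rules: List[DispatcherRule] = DISPATCHER_RULES) -> bool:
    decision = False                  # starting value is irrelevant once /0001 matches everything
    for rule in rules:                # evaluated in order; the last matching rule wins
        if rule.matches(method, path):
            decision = rule.allow
    return decision


# --- Gate 2: Sling Authentication Requirements (longest prefix wins) -------
AUTH_REQUIREMENTS = [                 # the tutorial's field, one entry per line
    "+/libs/granite/oauth/content/authorization",
    "-/libs/granite/core/content/login",
    "-/apps/granite/core/content/login",
    "-/etc/clientlibs/granite",
    "-/etc.clientlibs",
    "-/content/saml-tutorial/us/en/login-page",
    "-/libs/granite",
    "-/home/users/U/U4Q8M9hoohm4Q11CHML",   # anonymous user's home; id differs per instance
    "-/crx/de",
]
HANDLER_PATH = "/"                    # the SAML handler's Path property; Sling registers it as '+/'


def _prefix_matches(prefix: str, path: str) -> bool:
    # Approximation of Sling's matching: an entry covers the path itself, its
    # descendants, and selector/extension variants such as /login.html.
    if prefix == "/":
        return True
    return path == prefix or path.startswith(prefix + "/") or path.startswith(prefix + ".")


def anonymous_allowed(path: str, requirements: List[str] = AUTH_REQUIREMENTS,
                      handler_path: str = HANDLER_PATH) -> bool:
    entries = ["+" + handler_path] + list(requirements)
    parsed = [(entry[0] == "+", entry[1:]) for entry in entries]
    parsed.sort(key=lambda item: len(item[1]), reverse=True)   # most specific entry wins
    for requires_login, prefix in parsed:
        if _prefix_matches(prefix, path):
            return not requires_login
    return True                                                 # no entry: Sling does not force a login


def request_outcome(method: str, path: str) -> str:
    """Where a request ends up: blocked at the dispatcher, served anonymously
    (subject to JCR ACLs), or handed to the SAML handler for login."""
    if not dispatcher_allows(method, path):
        return "dispatcher-denied"
    if anonymous_allowed(path):
        return "anonymous"
    return "saml-login"   # redirect to the IdP, or the posted SAMLResponse is processed


if __name__ == "__main__":
    for m, p in [("GET", "/content/saml-tutorial/us/en/login-page"),
                 ("GET", "/content/saml-tutorial/us/en/home"),
                 ("POST", "/content/saml_login"),
                 ("GET", "/crx/de")]:
        print(f"{m:4} {p:45} -> {request_outcome(m, p)}")
```

Feed it the paths from your own site to see which layer makes each decision; if a page that should require login comes back as `anonymous`, the Authentication Requirements list has an exclusion that is broader than intended, and if the IdP's POST to `/content/saml_login` comes back as `dispatcher-denied`, the `/042` rule is missing or ordered before a later deny.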