Goal

AEM supports the SAML 2.0 Authentication Request protocol and acts as a SAML service provider (SP). This article walks through a sample local setup (Shibboleth IdP, OpenDS LDAP, AEM) for testing web single sign-on across or within organizational boundaries.

See also the online product documentation for the SAML Authentication Handler.

Software used for the setup

The binaries used are listed below; the same or equivalent versions can be used.

Software                      Version                 Downloaded from
Shibboleth IdP                2.4.0                   http://shibboleth.net/downloads/identity-provider/latest/
Tomcat (app server for IdP)   apache-tomcat-6.0.37    http://tomcat.apache.org/download-60.cgi
OpenDS (LDAP server)          OpenDS-2.2.1            https://opends.java.net/public/downloads_index.html
JDK                           1.6.0_26
AEM                           5.6

Installation and configuration

Install and configure OpenDS LDAP

Follow the OpenDS installation instructions. During installation, choose to load test data so that you do not have to create users by hand. Remember the admin password you provide during the installation. The screenshot below shows the option selected during installation.

[Screenshot: Ldap Consolidated]

Note:

During the integration with AEM, I used the LDAP businessCategory attribute to identify the group that the user belongs to.

[Screenshot: User Manage]

Install Shibboleth IDP

Unzip the downloaded binary (shibboleth-identityprovider-2.4.0-bin.zip) and run install.bat. The installer creates the IdP's entity ID, its initial metadata, a basic set of IdP configuration files, and a key pair with a self-signed certificate that the IdP uses for signing and encryption.

[Screenshot: Idp Installation]

Install and configure Tomcat

1. Unzip apache-tomcat-6.0.37-windows-x64.zip into any directory (for example, C:\demo\appserver\apache-tomcat-6.0.37-windows-x64).

2. Create a self-signed SSL certificate and key as PEM files (they are referenced from the connector in the next step).

[Screenshot: Tomcat Key]

3. Apply the certificate to Tomcat in <TOMCAT_HOME>/conf/server.xml. The connector below uses the APR (Tomcat Native) style SSL attributes (SSLCertificateFile, SSLCertificateKeyFile), so the Tomcat Native library must be installed; with a plain JSSE connector you would use a keystore instead. The key passphrase is stored in clear text in SSLPassword, which is acceptable for a local demo only.

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" 
sslProtocol="TLS" SSLEngine="on" 
SSLCertificateFile="C:/demo/appserver/apache-tomcat-6.0.37-windows-x64/apache-tomcat-6.0.37/cert/tomcatcert.pem" 
SSLCertificateKeyFile="C:/demo/appserver/apache-tomcat-6.0.37-windows-x64/apache-tomcat-6.0.37/cert/tomcatkey.pem" 
SSLPassword="password" />

4.  Copy idp.war from <SAML_IDP_HOME>/war/idp.war to <TOMCAT_HOME>/webapps.

5.  Create the directory <TOMCAT_HOME>/endorsed and copy the .jar files from the IdP distribution's endorsed directory into it.

6.  Quick test: accessing https://localhost:8443/idp/profile/Status should return OK.

Configure Shibboleth IDP

1. Modify <SAML_IDP_HOME>/conf/idp-metadata.xml so that every Location attribute points at the idp web application on Tomcat port 8443.

[Screenshot: Location]

2.  Modify <SAML_IDP_HOME>/conf/attribute-resolver.xml to add the attribute definitions and the LDAP connection settings.

[Screenshot: Attribute Resolver]

3.  Modify <SAML_IDP_HOME>/conf/handler.xml to remove all login handlers except "UsernamePassword" and "PreviousSession".

[Screenshot: Login]

4.  Modify <SAML_IDP_HOME>/conf/logging.xml to enable detailed debug tracing.

[Screenshot: IDP Debugging]

5.  Modify <SAML_IDP_HOME>/conf/login.config, the JAAS configuration that the UsernamePassword login handler uses to bind to OpenDS.

[Screenshot: Ldap Config]

6.  Modify <SAML_IDP_HOME>/conf/relying-party.xml, which holds the relying-party settings and the metadata providers; the SP metadata file added in step 8 is registered here.

[Screenshot: RelyingParty]

7.  Modify <SAML_IDP_HOME>/conf/attribute-filter.xml to release the uid and group attributes to the SP.

[Screenshot: Attribute-Filter]

8.  Add the following SP metadata file at <SAML_IDP_HOME>/metadata/adobecq.xml. The entityID is the identifier the AEM authentication handler must be configured with, the KeyDescriptor holds the SP's public certificate (base64 body omitted below), and the AssertionConsumerService Location is where the IdP posts the SAMLResponse (plain http to localhost here; use https outside a local demo).

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://www.blogsaml.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SPInfo">
        <ds:X509Data>
          <ds:X509Certificate>...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:6502/saml_login" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>

Configure AEM

1.  Install AEM following http://dev.day.com/docs/en/cq/current/deploying/installing_cq.html.

2.  Under /etc/key in the repository, create a node called "saml". Inside this node, add a binary property called "idp_cert" holding the IdP's public certificate, that is, upload the file <SAML_IDP_HOME>/credentials/idp.crt. AEM uses this certificate to verify the signature on the SAML responses it receives.

[Screenshot: SAMLKey]

3.  Configure the SAML Authentication Handler in the OSGi configuration console: the IdP URL, the service provider entity ID (it must equal the entityID in adobecq.xml), the Path to protect, the attributes that carry the user ID (uid) and the group, and automatic user creation so that LDAP users are created in CRX on first login.

[Screenshot: AEM]

4.  Configure the Apache Sling Referrer Filter. The SAMLResponse arrives as a cross-site POST from the IdP, so the IdP host must be added to the filter's allowed hosts; otherwise the POST to saml_login is rejected.

[Screenshot: ReferrerFilter]

Verification

1.  Making a request to AEM at http://<host>:<port>/ redirects to the IdP login page.

[Screenshot: Login_home]

2.  Logging in as user.2 with the password "password" takes you to the AEM home page. The snapshots below show the SAMLResponse captured with a browser SAML tracer and the user that AEM created automatically in CRX:

[Screenshot: SAMLResponse]
[Screenshot: User Created at crx]
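The verification step above reads the SAMLResponse off a browser SAML tracer. The following added Python example (not code from this article, Shibboleth or AEM) decodes a base64 SAMLResponse as the tracer shows it and reports the fields the handler acts on: status, Destination, Audience, the validity window, the NameID and the released attributes (uid, group, mail). The sample response, the IdP entity ID and the attribute values are constructed for the example. It does not verify the XML signature, which AEM does against idp_cert, so treat it as a debugging aid, not a validator.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample of what a SAML tracer shows for the demo above
# (unsigned; IdP entity ID and attribute values are invented).
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2014-01-01T10:00:00Z"
    Destination="http://localhost:6502/saml_login">
  <saml:Issuer>https://idp.example.com/idp/shibboleth</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-01-01T10:00:00Z">
    <saml:Issuer>https://idp.example.com/idp/shibboleth</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_n1</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2014-01-01T09:55:00Z" NotOnOrAfter="2014-01-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://www.blogsaml.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid"><saml:AttributeValue>user.2</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="group"><saml:AttributeValue>content-authors</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="mail"><saml:AttributeValue>user.2@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode("utf-8")).decode("ascii")


def parse_saml_time(value):
    """Parse an xs:dateTime as Shibboleth emits it (UTC 'Z', optional fraction)."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def inspect_response(b64_response, sp_entity_id, acs_url, now_iso):
    """Decode a SAMLResponse and check the fields AEM's handler relies on.

    Returns the extracted values plus a 'problems' list; an empty list means
    the response looks acceptable apart from the signature, which is NOT checked.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    now = parse_saml_time(now_iso)
    problems = []

    status = root.find("./{%s}Status/{%s}StatusCode" % (SAMLP, SAMLP))
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")

    destination = root.get("Destination")
    if destination != acs_url:
        problems.append("Destination %r does not match ACS %r" % (destination, acs_url))

    assertion = root.find("./{%s}Assertion" % SAML)
    if assertion is None:
        problems.append("no plaintext Assertion (encrypted or missing)")
        return {"problems": problems}

    # Audience must name this SP; the validity window must contain 'now'.
    audiences = [a.text for a in assertion.iter("{%s}Audience" % SAML)]
    if sp_entity_id not in audiences:
        problems.append("Audience %r does not contain SP entityID %r" % (audiences, sp_entity_id))
    conditions = assertion.find("./{%s}Conditions" % SAML)
    if conditions is not None:
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        if not_before and now < parse_saml_time(not_before):
            problems.append("assertion not yet valid (NotBefore %s)" % not_before)
        if not_on_or_after and now >= parse_saml_time(not_on_or_after):
            problems.append("assertion expired (NotOnOrAfter %s)" % not_on_or_after)

    # Attributes the handler maps: uid (user ID), group, and mail (synchronized).
    attributes = {}
    for attr in assertion.iter("{%s}Attribute" % SAML):
        values = [v.text or "" for v in attr.findall("./{%s}AttributeValue" % SAML)]
        attributes[attr.get("Name")] = values
    if "uid" not in attributes:
        problems.append("no uid attribute released; AEM cannot map the user")

    return {
        "issuer": assertion.findtext("./{%s}Issuer" % SAML),
        "name_id": assertion.findtext("./{%s}Subject/{%s}NameID" % (SAML, SAML)),
        "signed": root.find(".//{%s}Signature" % DSIG) is not None,
        "audiences": audiences,
        "attributes": attributes,
        "problems": problems,
    }


if __name__ == "__main__":
    report = inspect_response(SAMPLE_RESPONSE_B64, "https://www.blogsaml.com",
                              "http://localhost:6502/saml_login", "2014-01-01T10:00:00Z")
    for key, value in report.items():
        print("%-10s %s" % (key, value))
```

Paste the base64 SAMLResponse value from the tracer in place of SAMPLE_RESPONSE_B64 and pass the SP entity ID and ACS URL from the handler configuration; a non-empty problems list usually explains a failed login before you need the IdP debug log.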

Enhancement with AEM6+

AEM 6.0 SP1 and later add support for:

  • Single sign-off (logout)
  • Synchronizing attributes
  • A configurable default group

The sections below give the updates to the configuration above that are needed to test logout and synchronization of the mail attribute locally.

Configuration updates in Shibboleth IDP

1.  Modify <SAML_IDP_HOME>/conf/attribute-filter.xml and <SAML_IDP_HOME>/conf/attribute-resolver.xml to define and release the mail attribute.

[Screenshot: Release_mail]

2.  Modify the metadata file at <SAML_IDP_HOME>/metadata/adobecq.xml to include a SingleLogoutService element.

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://www.blogsaml.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SPInfo">
        <ds:X509Data>
          <ds:X509Certificate>...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:6502/saml_login" index="1"/>
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.blogsaml.com:8443/idp/Authn/UserPassword"/>

  </md:SPSSODescriptor>
</md:EntityDescriptor>

Configuration updates in AEM

1.  Under /etc/key/saml in the repository, add a binary property called "private" containing the private key that matches the certificate published in the SP metadata (adobecq.xml). That is, upload the file demoprivatekey.pem from the demo download package. AEM needs this key to sign the requests it sends to the IdP, such as the logout request.

[Screenshot: Private]

2.  Update the authentication handler configuration with the logout URL and the attribute to synchronize (mail).

[Screenshot: Logout]

Verification

1.  Log in to AEM at http://<host>:<port>/ as user.0; logging out should then redirect to the IdP login page.

2.  The mail property is synchronized to the user's profile.

[Screenshot: Mail]

Limitations   

User Must Exist in AEM
Users logging in via the handler must already exist in AEM or be created on first login ("Autocreate CRX Users" must be checked). This is because the Sling authentication framework, of which the SamlAuthenticationHandler is a part, extracts the user credentials from the SAMLResponse and logs into the JCR repository with them.

Sitewide Anonymous Access with Optional Authentication
The authentication handler is built around protecting content from anonymous access via the Path configuration. If all pages on the AEM site must be accessible anonymously but authentication also needs to be an option, set the Path configuration value to a non-existent path. This enables SAML authentication while allowing anonymous access to all pages on the site. If this strategy is used, make sure the SAMLResponse POSTs to the correct saml_login path (see the next item).


The Path configuration and saml_login
The IdP’s SAMLResponse must be posted to the page ‘saml_login’. However, the ‘saml_login’ page must be within the path that the authentication handler protects (i.e. the Path configuration). For instance, if the Path configuration is ‘/‘ the IdP can post to http://localhost:4502/saml_login. If the Path is ‘/content/geometrixx’ the IdP can post to http://localhost:4502/content/geometrixx/saml_login or http://localhost:4502/content/geometrixx/does-not-exist/saml_login but http://localhost:4502/content/saml_login will not work.
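The rule above (the SAMLResponse must be posted to a saml_login page under the handler's Path) and the SP metadata registered with the IdP in step 8 of "Configure Shibboleth IDP" are easy to get out of sync. The following added Python example (not code from this article, Shibboleth or AEM) parses an SP metadata document in the shape of adobecq.xml and reports AssertionConsumerService locations that are not a saml_login page under a given Path, locations that are not https, and a missing KeyDescriptor. The metadata string and its ACS URLs are constructed for the example; the second ACS is there only to show a Path mismatch.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata in the shape of adobecq.xml; certificate body elided.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://www.blogsaml.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...elided...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:4502/saml_login" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:4502/content/geometrixx/saml_login" index="2"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def acs_within_path(acs_url, handler_path):
    """True if acs_url is a 'saml_login' page at or below the handler's Path."""
    path = urlparse(acs_url).path
    if path.rsplit("/", 1)[-1] != "saml_login":
        return False
    base = handler_path.rstrip("/")  # Path "/" protects everything
    return base == "" or path.startswith(base + "/")


def check_sp_metadata(metadata_xml, handler_path):
    """Return (level, message) findings for an SP metadata document."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % MD:
        return [("error", "root element is not md:EntityDescriptor")]
    findings = []
    if not root.get("entityID"):
        findings.append(("error", "entityID attribute is missing"))
    if root.find(".//{%s}KeyDescriptor" % MD) is None:
        findings.append(("warn", "no KeyDescriptor: the IdP cannot verify signed requests from this SP"))
    acs_list = root.findall(".//{%s}AssertionConsumerService" % MD)
    if not any(a.get("Binding") == HTTP_POST for a in acs_list):
        findings.append(("error", "no AssertionConsumerService with the HTTP-POST binding"))
    for acs in acs_list:
        loc = acs.get("Location", "")
        if urlparse(loc).scheme != "https":
            findings.append(("warn", "ACS %s is plain http; acceptable for a local demo only" % loc))
        if not acs_within_path(loc, handler_path):
            findings.append(("error", "ACS %s is not a saml_login page under Path %s" % (loc, handler_path)))
    return findings


if __name__ == "__main__":
    for configured_path in ("/", "/content/geometrixx"):
        print("Path =", configured_path)
        for level, message in check_sp_metadata(SAMPLE_SP_METADATA, configured_path):
            print("  [%s] %s" % (level, message))
```

Run it against the adobecq.xml you registered with the IdP and the Path value from the handler configuration before debugging a login that silently falls back to anonymous access.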


IdP Initiated Login and RelayState
In SP1, ensuring a user returns to the page they were on before logging in is done with the saml_request_path cookie and not the typical RelayState parameter found with most SSO implementations. Therefore, though IdP initiated authentication will finish successfully, the end user will not get sent to the page specified by RelayState. Consequently, if a custom login link is implemented on an AEM page (SP initiated login), make sure to set the saml_request_path cookie before sending the browser to the IdP.


No Resource Found Error

This most likely results from the logged-in user not having the permissions needed to view the page. To resolve it, make sure the SSO user is given read permission on folders such as /content. This is accomplished by configuring the authentication handler to add SSO users to a user group that has all the necessary permissions.

Download

The IdP's signing credentials, encryption credentials, configuration files and metadata used in this demo can be downloaded from here.

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License. Twitter™ and Facebook posts are not covered under the terms of Creative Commons.