SAML 2.0 Authentication Handler
AEM ships with a SAML authentication handler. This handler supports the SAML 2.0 Authentication Request Protocol (Web-SSO profile) using the HTTP POST binding.
It supports:
- signing and encryption of messages
- automatic creation of users
- synching groups to existing ones in AEM
- Service Provider and Identity Provider initiated authentication
This handler stores the encrypted SAML response message in the user-node ( usernode/samlResponse) to facilitate communication with a third-party Service Provider.
Configuring The SAML 2.0 Authentication Handler
The Web console provides access to the SAML 2.0 Authentication Handler configuration called Adobe Granite SAML 2.0 Authentication Handler. The following properties can be set.
NOTE- The Identity Provider POST URL, or IDP URL.
- The Service Provider Entity ID.
NOTEPath Repository path for which this authentication handler should be used by Sling. If this is empty, the authentication handler will be disabled.
Service Ranking OSGi Framework Service Ranking value to indicate the order in which to call this service. This is an integer value where higher values designate higher precedence.
IDP Certificate Alias The alias of the IdP’s certificate in the global truststore. If this property is empty the authentication handler is disabled. See the “Add the IdP Certificate to the AEM TrustStore” chapter below on how to set it up.
IDP URL URL of the IDP where the SAML Authentication Request should be sent to. If this property is empty the authentication handler is disabled.
CAUTIONService Provider Entity ID ID which uniquely identifies this service provider with the identity provider. If this property is empty the authentication handler is disabled.
Default Redirect The default location to redirect to after successful authentication.
NOTErequest-path cookie is not set. If you request any page below the configured path without a valid login-token, the requested path is stored in a cookieand the browser will be redirected to this location again after successful authentication.
User-ID Attribute The name of the attribute containing the user ID used to authenticate and create the user in the CRX repository.
NOTEsaml:Subject node of the SAML assertion but from this saml:Attribute.Use Encryption Whether or not this authentication handler expects encrypted SAML assertions.
Autocreate CRX Users Whether or not to automatically create non-existing users in the repository after successful authentication.
CAUTIONAdd to Groups Whether or not a user should be automatically added to CRX groups after successful authentication.
Group Membership The name of the saml:Attribute containing a list of CRX groups this user should be added to.
Add the IdP Certificate to the AEM TrustStore
SAML assertions are signed and may optionally be encrypted. In order for this to work you have to provide at least the public certificate of the IdP in the repository. To do this you need to:
-
Go to http:/serveraddress:serverport/libs/granite/security/content/truststore.html
-
Press the Create TrustStore link
-
Enter the password for the TrustStore and press Save.
-
Click on Manage TrustStore.
-
Upload the IdP certificate.
-
Take note of the certificate Alias. The alias is admin#1436172864930 in the example below.
Add the Service Provider key and certificate chain to the AEM keystore
NOTEcom.adobe.granite.keystore.KeyStoreNotInitialisedException: Uninitialised system trust store- Go to: http://localhost:4502/libs/granite/security/content/useradmin.html
- Edit the
authentication-serviceuser. - Create a KeyStore by clicking Create KeyStore under Account Settings.
NOTE-
Create the certificate/keypair for AEM. The command to generate it via openssl should resemble the example below:
openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes -out certificate.crt -keyout key.pem -
Convert the key to PKCS#8 format with DER encoding. This is the format required by the AEM keystore.
openssl pkcs8 -topk8 -inform PEM -outform DER -in key.pem -out key.der -nocrypt -
Upload the Private key file by clicking Select Private Key File.
-
Upload the certificate file by clicking Select Certificate Chain Files.
-
Assign an Alias, as shown below:
Configure a Logger for SAML
You can set up a Logger to debug any issues that might arise from misconfiguring SAML. You can do this by:
-
Going to the Web Console, at http://localhost:4502/system/console/configMgr
-
Search for and click the entry called Apache Sling Logging Logger Configuration
-
Create a logger with the following configuration:
- Log Level: Debug
- Log File: logs/saml.log
- Logger: com.adobe.granite.auth.saml
Experience Manager
The Perfect Blend: A New Era of Collaboration with AEM and Workfront
Adobe Customer Success Webinars
Wednesday, Apr 2, 5:00 PM UTC
Explore how Adobe Experience Manager and Workfront integrate to help teams move from ideation to delivery without the usual bottlenecks, ensuring content is organized, on-brand, and ready to go live faster.
Register
Elevate and Empower Teams with Agentic AI for Exceptional Experiences
Elevate and empower your CX teams with AI that transforms creativity, personalization, and productivity. Discover how Adobe is...
Tue, Mar 18, 1:00 PM PDT (8:00 PM UTC)
3 Pillars of Purpose-driven Experiences: Trust, Data, and GenAI
Learn how leading B2B and B2C brands like AT&T and IBM are intersecting data, GenAI and trust to build “purpose-driven” experiences that...
Wed, Mar 19, 1:00 PM PDT (8:00 PM UTC)
Connect with Experience League at Summit!
Get front-row access to top sessions, hands-on activities, and networking—wherever you are!
Learn more