A simpler version of this AEM SAML demo is available at http://helpx.adobe.com/experience-manager/kb/simple-saml-demo.html
Goal
AEM supports the SAML 2.0 Authentication Request protocol and acts as a SAML service provider (SP). This article walks through a local test setup, with Shibboleth as the identity provider (IdP) and OpenDS as the user store, that achieves web single sign-on within or across organizational boundaries.
See also the online product documentation for the SAML Authentication Handler.
Software used for the setup
The binaries used are listed below; you can use the same or equivalent ones. Note that every version listed here is long past end of life, so treat this as a throwaway local demo and not as a template for a deployment.

Software | Version | Downloaded from
--- | --- | ---
Shibboleth IdP | 2.4.0 | http://shibboleth.net/downloads/identity-provider/latest/
Tomcat (application server for the IdP) | apache-tomcat-6.0.37 | http://tomcat.apache.org/download-60.cgi
OpenDS (LDAP server) | OpenDS-2.2.1 | https://opends.java.net/public/downloads_index.html
JDK | 1.6.0_26 |
AEM | 5.6 |
Installation and configuration
Install and configure OpenDS LDAP
Follow the OpenDS installation instructions. During installation, choose to load test data so that you do not have to create users by hand (the generated accounts are named user.0, user.1, ... and share the password "password"; the Verification sections below log in with them). Do not forget the admin password you provide during installation. The screenshot below shows the option selected during installation.
During the integration with AEM, I used the LDAP businessCategory attribute to identify the group the user belongs to: the IdP releases it as a SAML attribute and AEM maps it to a group (see Configure AEM).
Install Shibboleth IDP
Unzip the downloaded binary (shibboleth-identityprovider-2.4.0-bin.zip) and run install.bat. The installer creates the IdP's entity ID, its initial metadata, a basic set of IdP configuration files, and a self-signed key pair used for signing and encryption. Note the resulting <SAML_IDP_HOME>/credentials/idp.crt: it is the certificate AEM later uses to verify the IdP's signatures.
Install and configure Tomcat
1. Unzip apache-tomcat-6.0.37-windows-x64.zip into any directory (for example, C:\demo\appserver\apache-tomcat-6.0.37-windows-x64).
2. Create a self-signed SSL certificate and key for the IdP. This is acceptable only because the setup is a local test; the IdP handles user credentials and issues the assertions, so anywhere else it needs a certificate the browsers trust.
3. Apply the certificate to Tomcat in <TOMCAT_HOME>/conf/server.xml:

```xml
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" SSLEngine="on"
           SSLCertificateFile="C:/demo/appserver/apache-tomcat-6.0.37-windows-x64/apache-tomcat-6.0.37/cert/tomcatcert.pem"
           SSLCertificateKeyFile="C:/demo/appserver/apache-tomcat-6.0.37-windows-x64/apache-tomcat-6.0.37/cert/tomcatkey.pem"
           SSLPassword="password" />
```

   The SSLCertificateFile, SSLCertificateKeyFile and SSLPassword attributes belong to Tomcat's APR/native (OpenSSL) connector, so this configuration requires the Tomcat native library to be installed; with the pure-Java (JSSE) connector the equivalent attributes are keystoreFile and keystorePass.
4. Copy <SAML_IDP_HOME>/war/idp.war to <TOMCAT_HOME>/webapps.
5. Create the directory <TOMCAT_HOME>/endorsed and copy the .jar files from the endorsed directory of the IdP distribution into it.
6. Quick test: accessing https://localhost:8443/idp/profile/Status returns OK.
Configure Shibboleth IDP
1. Modify <SAML_IDP_HOME>/conf/idp-metadata.xml so that every Location attribute points to the idp application on Tomcat port 8443 (https://localhost:8443/idp/...).
2. Modify <SAML_IDP_HOME>/conf/attribute-resolver.xml to add the attribute definitions (uid and businessCategory) and the LDAP data connector with the OpenDS connection string and bind credentials.
3. Modify <SAML_IDP_HOME>/conf/handler.xml to remove all login handlers except "UsernamePassword" and "PreviousSession".
4. Modify <SAML_IDP_HOME>/conf/logging.xml for a detailed debug trace. Revert this once the setup works; at DEBUG level the IdP can log the attribute values it releases.
5. Modify <SAML_IDP_HOME>/conf/login.config so that the JAAS LDAP login module authenticates users against OpenDS.
6. Modify <SAML_IDP_HOME>/conf/relying-party.xml to load the AEM service-provider metadata (adobecq.xml from step 8) as a metadata provider; the IdP only answers requests from SPs it has metadata for.
7. Modify <SAML_IDP_HOME>/conf/attribute-filter.xml to release the attribute uid and the group attribute (businessCategory) to the AEM relying party.
8. Add the following SP metadata file at <SAML_IDP_HOME>/metadata/adobecq.xml. Its entityID (https://www.blogsaml.com) must match the service provider entity ID configured in AEM's authentication handler, and the AssertionConsumerService Location is where the IdP will POST the SAMLResponse. The Location is plain http here only because this is a local test instance; anywhere else it must be https, since the browser carries the signed assertion in that POST.
```xml
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="https://www.blogsaml.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SPInfo">
        <ds:X509Data>
          <ds:X509Certificate>
MIIEdzCCA1+gAwIBAgIJAPswGGW+b631MA0GCSqGSIb3DQEBBQUAMIGDMQswCQYD
VQQGEwJVUzELMAkGA1UECBMCTUExDjAMBgNVBAcTBUFjdG9uMQ4wDAYDVQQKEwVB
ZG9iZTESMBAGA1UECxMJTWFya2V0aW5nMQ8wDQYDVQQDEwZIYXNzYW4xIjAgBgkq
hkiG9w0BCQEWE3NhbXBsZUBibG9nc2FtbC5jb20wHhcNMTQwNTIzMTkzODI1WhcN
MTcwNTIyMTkzODI1WjCBgzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1BMQ4wDAYD
VQQHEwVBY3RvbjEOMAwGA1UEChMFQWRvYmUxEjAQBgNVBAsTCU1hcmtldGluZzEP
MA0GA1UEAxMGSGFzc2FuMSIwIAYJKoZIhvcNAQkBFhNzYW1wbGVAYmxvZ3NhbWwu
Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsW8NAHsIvl4EdEu0
0eZHuSYOAFLDZa0EQzf5+QDE179uHkqFIYpgdSJO3qj3HNKqlU/vnZNhQBJ2tRrc
BjI7pWQO/G9f+7pQKke9QVU88IDnmmGknlCTiaKLv4p68XHR4AeTI2tfulYpURa+
V5onIxXoyXqubrSxTb0zWVZy9iZmpPA2gCkH3Yzi/TM+yxz5A7q/Vh4pYm3+xqQS
gb1h5CFpA3YWlfSw2ONvNKlx9vJjfC+UCFxzNzbEF7f5u/c2zdKs72b70W8CnwTg
ny+C0qEDLKNYStVag8AUau9SmyXoKSShvHfZOGNW0ad1n44dD9TLCTKTpG1DloWI
yugtzwIDAQABo4HrMIHoMB0GA1UdDgQWBBT6Ve57XbEy+G+EzQTE+o8rzEiimzCB
uAYDVR0jBIGwMIGtgBT6Ve57XbEy+G+EzQTE+o8rzEiim6GBiaSBhjCBgzELMAkG
A1UEBhMCVVMxCzAJBgNVBAgTAk1BMQ4wDAYDVQQHEwVBY3RvbjEOMAwGA1UEChMF
QWRvYmUxEjAQBgNVBAsTCU1hcmtldGluZzEPMA0GA1UEAxMGSGFzc2FuMSIwIAYJ
KoZIhvcNAQkBFhNzYW1wbGVAYmxvZ3NhbWwuY29tggkA+zAYZb5vrfUwDAYDVR0T
BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEATJi8KCGnNM6lVX8x+GBhm3q0VdF+
VIAvYXJ4TqP3DGSUFr2ETt187cQ3ZtJsU+U5mQ8NX6DRJ7QVZjKPe/6vRltVlsvR
z+b8vjXlWVWo6Zjcd96MQibESEutzLlwfQBq3A3azzqUmtEpA2woXzhV5XXvAsqt
HsPYgcM9mZNO+FS3pDkOEdfyQuG4nUa0s2jx/gIYtqcMJqTK5d3c1nAaUhLEVuYr
Upm6t+eL0/Yw4hrTjP3kEQO6g5ABsv9ew7iPs7G1RMm5BJErHyAHvgAeP/NZD/H6
C4fnnHXKhR7wbpxu9VipDIXQBmblPSvWGak+KhsPiQucvOvf2ksVtxoyLQ==
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                 Location="http://localhost:6502/saml_login" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
```
Configure AEM
1. Install AEM following http://dev.day.com/docs/en/cq/current/deploying/installing_cq.html.
2. Under /etc/key in the repository, create a node called "saml". Inside it, add a binary property called "idp_cert" holding the IdP's public certificate; that is, upload the file <SAML_IDP_HOME>/credentials/idp.crt. AEM uses this certificate to verify the signature on the SAML responses it receives, so it is the root of trust for every login: restrict write access to /etc/key/saml, because anyone who can replace idp_cert can forge assertions that AEM will accept.
3. Configure the Adobe Granite SAML 2.0 Authentication Handler in the OSGi console: the Path to protect, the IdP's single sign-on URL (the Redirect SSO Location from idp-metadata.xml), the service provider entity ID (https://www.blogsaml.com, matching adobecq.xml), "Autocreate CRX Users" (see Limitations), and the attribute that carries the group (businessCategory) together with its mapping to an AEM group.
4. Configure the Apache Sling Referrer Filter to allow the IdP host (localhost in this setup). The SAMLResponse arrives as a POST whose Referer is the IdP, and the filter rejects POST requests from hosts that are not on its allow list.
Verification
1. A request to AEM at http://<host>:<port>/ redirects to the IdP login page.
2. Logging in as user.2 with the password "password" takes you to the AEM home page. The snapshot below shows the SAML tracer response and the automatically created CRX user.
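To make this verification step more than a screenshot, here is an added example (not code from the article, Adobe or Shibboleth) that decodes a SAMLResponse captured from the browser, such as the one shown by a SAML tracer, and checks the fields the SP side depends on: Destination and Recipient against the ACS, Audience against the SP entity ID, the Conditions window, the status code, and whether a ds:Signature is present at all. It does not verify the signature; AEM does that with idp_cert, and it needs an XML-DSig library. The embedded response is constructed, unsigned, and shaped like a Shibboleth response for user.2; the IdP entityID https://localhost:8443/idp/shibboleth and the businessCategory value content-authors are assumptions, the rest comes from the configuration on this page.

```python
"""Decode a captured SAMLResponse and check it against this SP's configuration.
Added example, not Adobe or Shibboleth code; it does not verify the signature."""
import base64
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

SP_ENTITY_ID = "https://www.blogsaml.com"              # entityID in adobecq.xml
ACS_URL = "http://localhost:6502/saml_login"           # ACS Location in adobecq.xml
IDP_ENTITY_ID = "https://localhost:8443/idp/shibboleth"  # assumption: Shibboleth default

# Constructed, unsigned response in the shape Shibboleth returns for user.2.
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2014-06-01T12:00:00Z" Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-06-01T12:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_n1</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2014-06-01T12:05:00Z" Recipient="{ACS_URL}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2014-06-01T11:59:30Z" NotOnOrAfter="2014-06-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1" FriendlyName="uid">
        <saml:AttributeValue>user.2</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="urn:oid:2.5.4.15" FriendlyName="businessCategory">
        <saml:AttributeValue>content-authors</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def _iso(ts):
    """SAML timestamps are UTC 'YYYY-MM-DDTHH:MM:SSZ'."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def inspect_response(saml_response_b64, now_utc, sp_entity_id=SP_ENTITY_ID, acs_url=ACS_URL):
    """Return (attributes, problems) for a base64 SAMLResponse as posted to saml_login;
    now_utc is 'YYYY-MM-DDTHH:MM:SSZ'.  Empty problems means the response fits this SP."""
    now = _iso(now_utc)
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    problems = []
    if root.get("Destination") != acs_url:
        problems.append(f"Destination {root.get('Destination')} is not the ACS {acs_url}")
    status = root.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    if not status.endswith(":Success"):
        problems.append(f"IdP returned status {status}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {}, problems + ["no plaintext Assertion (missing or encrypted)"]
    # Presence only: the signature itself must be verified against idp_cert.
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        problems.append("neither Response nor Assertion carries a ds:Signature")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append(f"Audience {audiences} does not name this SP {sp_entity_id}")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None and cond.get("NotOnOrAfter") and now >= _iso(cond.get("NotOnOrAfter")):
        problems.append(f"assertion expired at {cond.get('NotOnOrAfter')}")
    if cond is not None and cond.get("NotBefore") and now < _iso(cond.get("NotBefore")):
        problems.append(f"assertion not valid before {cond.get('NotBefore')}")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None and scd.get("Recipient") not in (None, acs_url):
        problems.append(f"Recipient {scd.get('Recipient')} is not the ACS {acs_url}")
    attrs = {}   # what AEM sees: uid becomes the CRX user, businessCategory the group
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("FriendlyName") or attr.get("Name")
        attrs[name] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return attrs, problems
```

Paste the SAMLResponse form field from the tracer as the first argument and the capture time as the second; the attribute dictionary shows which values AEM will use for the user name and group, and the problem list explains a rejected login before you turn on debug logging on either side.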
Enhancements with AEM 6 SP1 and later
AEM 6 SP1 onward adds support for:
- single sign-off (logout)
- synchronizing attributes
- a configurable default group
The following sections list the changes to the configuration above that are needed to test logout and the synchronization of the mail attribute locally.
Configuration updates in Shibboleth IDP
1. Modify <SAML_IDP_HOME>/conf/attribute-filter.xml and <SAML_IDP_HOME>/conf/attribute-resolver.xml to define and release the attribute mail.
2. Modify the metadata file at <SAML_IDP_HOME>/metadata/adobecq.xml to include a SingleLogoutService element. The demo points it at the IdP's own login handler so that, after AEM logs the user out, the browser lands on the IdP login page. Treat that as a convenience for the demo only: in SP metadata the SingleLogoutService Location is meant to be the SP's own logout endpoint, and Shibboleth IdP 2.x has no SAML 2.0 Single Logout support, so this redirect ends the AEM session but not the IdP session.
```xml
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="https://www.blogsaml.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SPInfo">
        <ds:X509Data>
          <ds:X509Certificate>
MIIEdzCCA1+gAwIBAgIJAPswGGW+b631MA0GCSqGSIb3DQEBBQUAMIGDMQswCQYD
VQQGEwJVUzELMAkGA1UECBMCTUExDjAMBgNVBAcTBUFjdG9uMQ4wDAYDVQQKEwVB
ZG9iZTESMBAGA1UECxMJTWFya2V0aW5nMQ8wDQYDVQQDEwZIYXNzYW4xIjAgBgkq
hkiG9w0BCQEWE3NhbXBsZUBibG9nc2FtbC5jb20wHhcNMTQwNTIzMTkzODI1WhcN
MTcwNTIyMTkzODI1WjCBgzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1BMQ4wDAYD
VQQHEwVBY3RvbjEOMAwGA1UEChMFQWRvYmUxEjAQBgNVBAsTCU1hcmtldGluZzEP
MA0GA1UEAxMGSGFzc2FuMSIwIAYJKoZIhvcNAQkBFhNzYW1wbGVAYmxvZ3NhbWwu
Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsW8NAHsIvl4EdEu0
0eZHuSYOAFLDZa0EQzf5+QDE179uHkqFIYpgdSJO3qj3HNKqlU/vnZNhQBJ2tRrc
BjI7pWQO/G9f+7pQKke9QVU88IDnmmGknlCTiaKLv4p68XHR4AeTI2tfulYpURa+
V5onIxXoyXqubrSxTb0zWVZy9iZmpPA2gCkH3Yzi/TM+yxz5A7q/Vh4pYm3+xqQS
gb1h5CFpA3YWlfSw2ONvNKlx9vJjfC+UCFxzNzbEF7f5u/c2zdKs72b70W8CnwTg
ny+C0qEDLKNYStVag8AUau9SmyXoKSShvHfZOGNW0ad1n44dD9TLCTKTpG1DloWI
yugtzwIDAQABo4HrMIHoMB0GA1UdDgQWBBT6Ve57XbEy+G+EzQTE+o8rzEiimzCB
uAYDVR0jBIGwMIGtgBT6Ve57XbEy+G+EzQTE+o8rzEiim6GBiaSBhjCBgzELMAkG
A1UEBhMCVVMxCzAJBgNVBAgTAk1BMQ4wDAYDVQQHEwVBY3RvbjEOMAwGA1UEChMF
QWRvYmUxEjAQBgNVBAsTCU1hcmtldGluZzEPMA0GA1UEAxMGSGFzc2FuMSIwIAYJ
KoZIhvcNAQkBFhNzYW1wbGVAYmxvZ3NhbWwuY29tggkA+zAYZb5vrfUwDAYDVR0T
BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEATJi8KCGnNM6lVX8x+GBhm3q0VdF+
VIAvYXJ4TqP3DGSUFr2ETt187cQ3ZtJsU+U5mQ8NX6DRJ7QVZjKPe/6vRltVlsvR
z+b8vjXlWVWo6Zjcd96MQibESEutzLlwfQBq3A3azzqUmtEpA2woXzhV5XXvAsqt
HsPYgcM9mZNO+FS3pDkOEdfyQuG4nUa0s2jx/gIYtqcMJqTK5d3c1nAaUhLEVuYr
Upm6t+eL0/Yw4hrTjP3kEQO6g5ABsv9ew7iPs7G1RMm5BJErHyAHvgAeP/NZD/H6
C4fnnHXKhR7wbpxu9VipDIXQBmblPSvWGak+KhsPiQucvOvf2ksVtxoyLQ==
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                 Location="http://localhost:6502/saml_login" index="1"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                            Location="https://www.blogsaml.com:8443/idp/Authn/UserPassword"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
```
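Both adobecq.xml files on this page (the AEM 5.6 one under Configure Shibboleth IDP and the SP1 version above) carry settings that are easy to get subtly wrong. The following is an added example, not code from the article, Adobe or Shibboleth: a stdlib-only Python lint that parses an SP EntityDescriptor and flags an AssertionConsumerService that is not https or does not end in /saml_login, a SingleLogoutService that points away from the SP host, and a KeyDescriptor certificate that is outside its validity period, which it reads by walking the DER structure directly rather than pulling in a crypto library. The embedded metadata is a constructed copy of the SP1 version above, trimmed to the SAML 2.0 protocol, with the article's certificate verbatim. Run against it, the lint reports the plain-http ACS, the SingleLogoutService on the IdP host, and, on any date after 22 May 2017, that the demo certificate has expired.

```python
"""Lint an AEM SP metadata file (adobecq.xml).  Added example, stdlib only."""
import base64
from datetime import datetime, timezone
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# The SP certificate exactly as it appears in the article's adobecq.xml.
DEMO_CERT_B64 = """
MIIEdzCCA1+gAwIBAgIJAPswGGW+b631MA0GCSqGSIb3DQEBBQUAMIGDMQswCQYD
VQQGEwJVUzELMAkGA1UECBMCTUExDjAMBgNVBAcTBUFjdG9uMQ4wDAYDVQQKEwVB
ZG9iZTESMBAGA1UECxMJTWFya2V0aW5nMQ8wDQYDVQQDEwZIYXNzYW4xIjAgBgkq
hkiG9w0BCQEWE3NhbXBsZUBibG9nc2FtbC5jb20wHhcNMTQwNTIzMTkzODI1WhcN
MTcwNTIyMTkzODI1WjCBgzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1BMQ4wDAYD
VQQHEwVBY3RvbjEOMAwGA1UEChMFQWRvYmUxEjAQBgNVBAsTCU1hcmtldGluZzEP
MA0GA1UEAxMGSGFzc2FuMSIwIAYJKoZIhvcNAQkBFhNzYW1wbGVAYmxvZ3NhbWwu
Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsW8NAHsIvl4EdEu0
0eZHuSYOAFLDZa0EQzf5+QDE179uHkqFIYpgdSJO3qj3HNKqlU/vnZNhQBJ2tRrc
BjI7pWQO/G9f+7pQKke9QVU88IDnmmGknlCTiaKLv4p68XHR4AeTI2tfulYpURa+
V5onIxXoyXqubrSxTb0zWVZy9iZmpPA2gCkH3Yzi/TM+yxz5A7q/Vh4pYm3+xqQS
gb1h5CFpA3YWlfSw2ONvNKlx9vJjfC+UCFxzNzbEF7f5u/c2zdKs72b70W8CnwTg
ny+C0qEDLKNYStVag8AUau9SmyXoKSShvHfZOGNW0ad1n44dD9TLCTKTpG1DloWI
yugtzwIDAQABo4HrMIHoMB0GA1UdDgQWBBT6Ve57XbEy+G+EzQTE+o8rzEiimzCB
uAYDVR0jBIGwMIGtgBT6Ve57XbEy+G+EzQTE+o8rzEiim6GBiaSBhjCBgzELMAkG
A1UEBhMCVVMxCzAJBgNVBAgTAk1BMQ4wDAYDVQQHEwVBY3RvbjEOMAwGA1UEChMF
QWRvYmUxEjAQBgNVBAsTCU1hcmtldGluZzEPMA0GA1UEAxMGSGFzc2FuMSIwIAYJ
KoZIhvcNAQkBFhNzYW1wbGVAYmxvZ3NhbWwuY29tggkA+zAYZb5vrfUwDAYDVR0T
BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEATJi8KCGnNM6lVX8x+GBhm3q0VdF+
VIAvYXJ4TqP3DGSUFr2ETt187cQ3ZtJsU+U5mQ8NX6DRJ7QVZjKPe/6vRltVlsvR
z+b8vjXlWVWo6Zjcd96MQibESEutzLlwfQBq3A3azzqUmtEpA2woXzhV5XXvAsqt
HsPYgcM9mZNO+FS3pDkOEdfyQuG4nUa0s2jx/gIYtqcMJqTK5d3c1nAaUhLEVuYr
Upm6t+eL0/Yw4hrTjP3kEQO6g5ABsv9ew7iPs7G1RMm5BJErHyAHvgAeP/NZD/H6
C4fnnHXKhR7wbpxu9VipDIXQBmblPSvWGak+KhsPiQucvOvf2ksVtxoyLQ==
"""
# Constructed copy of the article's SP1-era adobecq.xml, using the certificate above.
DEMO_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://www.blogsaml.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{DEMO_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:6502/saml_login" index="1"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.blogsaml.com:8443/idp/Authn/UserPassword"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _tlv(buf, pos):
    """Read one DER tag/length header; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _der_time(tag, raw):
    # 0x17 UTCTime "YYMMDDHHMMSSZ" (two-digit year), 0x18 GeneralizedTime "YYYYMMDDHHMMSSZ"
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def cert_validity(cert_b64):
    """(notBefore, notAfter) of a base64 X.509 certificate, read straight from the DER."""
    der = base64.b64decode(cert_b64)
    _, pos, _ = _tlv(der, 0)               # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)             # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                        # optional EXPLICIT [0] version
        pos = end
    for _ in range(3):                     # skip serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)             # validity SEQUENCE
    tag, start, pos = _tlv(der, pos)
    not_before = _der_time(tag, der[start:pos])
    tag, start, pos = _tlv(der, pos)
    return not_before, _der_time(tag, der[start:pos])


def lint_sp_metadata(xml_text, today=None):
    """Return findings for an SP EntityDescriptor; today is 'YYYY-MM-DD' (default: now)."""
    now = (datetime.strptime(today, "%Y-%m-%d").replace(tzinfo=timezone.utc)
           if today else datetime.now(timezone.utc))
    sp = ET.fromstring(xml_text).find("md:SPSSODescriptor", NS)
    findings, acs_hosts = [], set()
    for acs in sp.findall("md:AssertionConsumerService", NS):
        loc = urlparse(acs.get("Location"))
        acs_hosts.add(loc.hostname)
        if loc.scheme != "https":          # the browser POSTs the signed assertion here
            findings.append(f"ACS {acs.get('Location')} is not https")
        if not loc.path.endswith("/saml_login"):
            findings.append(f"ACS path {loc.path} does not end in /saml_login")
    for slo in sp.findall("md:SingleLogoutService", NS):
        loc = urlparse(slo.get("Location"))
        if loc.hostname not in acs_hosts:  # SP metadata must name the SP's own endpoint
            findings.append(f"SingleLogoutService {slo.get('Location')} is not on the SP host")
    for cert in sp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
        not_before, not_after = cert_validity(cert.text)
        if not not_before <= now <= not_after:
            findings.append(f"SP certificate not valid on {now:%Y-%m-%d} "
                            f"(valid {not_before:%Y-%m-%d} to {not_after:%Y-%m-%d})")
    return findings
```

Call lint_sp_metadata with the contents of your own adobecq.xml; pass today as 'YYYY-MM-DD' to evaluate the certificate at a chosen date. The DER walk assumes the X.509 v3 layout (Certificate, tbsCertificate, optional version, serial, signature algorithm, issuer, validity), which is what every real certificate has, and strptime's two-digit-year pivot (69 to 99 means 19xx) differs from the X.509 pivot of 50, which only matters for certificates dated before 1970 or after 2049.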
Configuration updates in AEM
1. Under /etc/key/saml in the repository, add a binary property called "private" containing the private key that matches the certificate in the SP metadata (adobecq.xml); that is, upload demoprivatekey.pem from the demo download package. AEM signs the requests it sends to the IdP with this key. Because the demo key is published with the download, use it only on a throwaway local instance; on any other instance generate your own key pair and keep /etc/key/saml readable only by the service user.
2. Update the authentication handler with the logout URL and the attribute to synchronize.
Verification
1. Log in to AEM at http://<host>:<port>/ as user.0; logging out should then redirect to the IdP login page.
2. The mail property is synced to the user's profile.
Limitations
User Must Exist in AEM
Users logging in via the handler must already exist in AEM, or be created on first login ("Autocreate CRX Users" must be checked). This is because the Sling authentication framework, of which the SamlAuthenticationHandler is a part, extracts the user's credentials from the SAMLResponse and logs into the JCR repository with them; a user that does not exist in the repository cannot be logged in.
Sitewide Anonymous Access with Optional Authentication
The authentication handler is built around protecting content from anonymous access via the Path configuration. If every page on the AEM site must be reachable anonymously but authentication should still be available, set the Path configuration to a path that does not exist. This enables SAML authentication while leaving all pages open to anonymous access; access control then rests entirely on repository ACLs. If you use this strategy, make sure the SAMLResponse is POSTed to the correct saml_login path (see the next item).
The Path configuration and saml_login
The IdP's SAMLResponse must be POSTed to the page 'saml_login', and that page must lie within the path the authentication handler protects (the Path configuration). For instance, if Path is '/', the IdP can post to http://localhost:4502/saml_login. If Path is '/content/geometrixx', the IdP can post to http://localhost:4502/content/geometrixx/saml_login or to http://localhost:4502/content/geometrixx/does-not-exist/saml_login, but http://localhost:4502/content/saml_login will not work.
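The two rules in the preceding items (Path decides what is protected, and saml_login must sit under Path) combine in ways that are easy to get wrong when the IdP metadata is written before the handler is configured. The following is an added example, not Adobe's code or the handler's implementation: it encodes those two rules as stated here and extends them to the sitewide-anonymous strategy, where Path names a subtree with no real content (the name /sso-only is an assumption) so that pages stay open and only the ACS lives under it. expected_acs produces the Location to put in adobecq.xml for a given Path.

```python
"""How AEM's SAML handler treats a URL for a given Path configuration.
Added example encoding the rules in the text above; not Adobe code."""
from urllib.parse import urlparse


def classify_request(protected_path, url):
    """'acs' if the IdP may POST the SAMLResponse to url, 'protected' if an
    anonymous request to url is redirected to the IdP, 'anonymous' if the
    handler leaves the request alone (so a SAMLResponse posted there is lost)."""
    path = urlparse(url).path
    prefix = protected_path.rstrip("/")            # Path "/" protects everything
    if path != prefix and not path.startswith(prefix + "/"):
        return "anonymous"
    return "acs" if path.rsplit("/", 1)[-1] == "saml_login" else "protected"


def expected_acs(protected_path, base_url):
    """The AssertionConsumerService Location to put in adobecq.xml so that the
    IdP's POST lands under protected_path."""
    return base_url.rstrip("/") + protected_path.rstrip("/") + "/saml_login"


if __name__ == "__main__":
    # Sitewide anonymous access: Path names a subtree that holds no content
    # (/sso-only is an assumption), so every page stays open and only the ACS lives there.
    for url in ("http://localhost:4502/content/geometrixx/en.html",
                "http://localhost:4502/saml_login",
                expected_acs("/sso-only", "http://localhost:4502")):
        print(url, "->", classify_request("/sso-only", url))
```

The second URL in the usage block is the common mistake: with Path set to /sso-only, the IdP is still told to post to /saml_login, which the handler never sees, and the login silently fails.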
IdP Initiated Login and RelayState
In SP1, returning a user to the page they were on before logging in relies on the saml_request_path cookie, not on the RelayState parameter that most SSO implementations use. IdP-initiated authentication therefore completes successfully, but the user is not sent to the page named in RelayState. Consequently, if you implement a custom login link on an AEM page (SP-initiated login), set the saml_request_path cookie before sending the browser to the IdP.
No Resource Found Error
This most likely means the logged-in user lacks permission to view the page. Make sure the SSO user is granted read permission on folders such as /content. This is accomplished by configuring the authentication handler to add SSO users to a group that carries all the necessary permissions.
Download
The IdP's signing credentials, encryption credentials, configuration files and metadata used in this demo can be downloaded from here. Because these credentials are public, use them only for a local demo and generate fresh keys for anything else.