The first step is to configure your app in the OKTA portal. Once your app is approved by your OKTA administrator you will have access to the IdP certificate and the single sign-on URL. The following are the settings typically used when registering a new application.
OKTA signs the SAML response it sends to AEM, and AEM can only verify that XML signature if it trusts the signer. We therefore need to add the IdP (OKTA) signing certificate to the AEM trust store; without it the authentication handler rejects every assertion. (Encrypting assertions is a separate, optional feature that would need AEM's own key pair in the keystore, not the IdP certificate.)
Initialize the trust store if it is not initialized already.
Remember the trust store password; you will need it later in this process.
Navigate to Global Trust Store.
Click on “Add Certificate from CER file”. Add the IdP certificate provided by OKTA and click submit.
Do not map the certificate to any user: it is only used to verify OKTA's signature, not to authenticate a user.
After adding the certificate to the trust store you should see a certificate alias as shown in the screenshot below. The alias name may differ in your case.
Make a note of the certificate alias; you need it in the later steps.
Navigate to configMgr.
Search and open “Adobe Granite SAML 2.0 Authentication Handler”.
The key properties that need to be set are the following:
Navigate to configMgr.
Search and open “Apache Sling Referrer Filter” and set the following properties as specified below. This step matters because OKTA delivers the SAML response as a cross-site POST to AEM's assertion consumer endpoint, and the Referrer Filter rejects such POSTs with HTTP 403 unless the posting host is on its allow list. Allow the single OKTA host explicitly rather than a catch-all regular expression, otherwise the filter's CSRF protection is switched off for every POST to the instance.
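The trust-store and Referrer Filter steps above both depend on values taken from OKTA's IdP metadata: the signing certificate that goes into the trust store, and the OKTA host that must be on the Referrer Filter allow list. The following helper is an added example, not code from the original post or from Adobe or OKTA. It pulls those values out of a metadata document with the standard library only, writes the certificate in the PEM (.cer) form the trust store dialog accepts, prints its SHA-256 fingerprint so you can compare it with what AEM shows after import, and models the Referrer Filter decision for a POST so the difference between an exact host and a wildcard is visible. The metadata XML, entity ID, host name and certificate bytes are constructed for this example (the certificate bytes are a placeholder, not a real X.509 DER blob, so signature verification is out of scope here), and `referer_allowed` is a simplified model of the filter's allow.empty/allow.hosts semantics, not Sling's own code.

```python
"""Extract what AEM needs from Okta IdP metadata (added example, stdlib only)."""
import base64
import hashlib
import textwrap
from typing import Optional
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample. The shape follows an Okta IdP metadata document, but the
# entity ID, host and certificate bytes are made up for this example; FAKE_DER
# is a placeholder, not a real certificate.
FAKE_DER = b"NOT-A-REAL-CERTIFICATE-" * 4
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exk0example">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>{base64.b64encode(FAKE_DER).decode("ascii")}</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://acme.okta.com/app/acme_aem_1/exk0example/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://acme.okta.com/app/acme_aem_1/exk0example/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Return entity ID, HTTP-POST SSO URL and the DER signing certificate."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not an IdP metadata document")
    # Only the signing key belongs in the AEM trust store: it is what AEM uses
    # to verify the XML signature on the SAML response. A KeyDescriptor with
    # no 'use' attribute may be used for both signing and encryption.
    cert_b64 = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":
            node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if node is not None and node.text:
                cert_b64 = node.text
                break
    if cert_b64 is None:
        raise ValueError("no signing certificate in IdP metadata")
    sso_url = None
    for sso in idp.findall("md:SingleSignOnService", NS):
        if sso.get("Binding") == POST_BINDING:
            sso_url = sso.get("Location")
            break
    if sso_url is None:
        raise ValueError("no HTTP-POST SingleSignOnService in IdP metadata")
    return {
        "entity_id": root.get("entityID"),
        "sso_url": sso_url,
        "cert_der": base64.b64decode("".join(cert_b64.split())),
    }


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes as the PEM/.cer file the trust store dialog accepts."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> bytes:
    """Inverse of der_to_pem, used to check the file round-trips."""
    lines = [ln for ln in pem.strip().splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(lines))


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, the form most tools display."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def referrer_allow_host(sso_url: str) -> str:
    """The one host to put on the Referrer Filter allow list: the Okta host
    that POSTs the SAMLResponse to AEM. Exactly one host, never a wildcard."""
    parsed = urlparse(sso_url)
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError(f"unexpected SSO URL: {sso_url}")
    return parsed.hostname


def referer_allowed(referer: Optional[str], allowed_hosts: set,
                    allow_empty: bool = False) -> bool:
    """Simplified model (assumption, not Sling's code) of the Referrer Filter
    decision for a POST: empty Referer is governed by allow_empty, otherwise
    the Referer host must be in the allow list."""
    if not referer:
        return allow_empty
    return urlparse(referer).hostname in allowed_hosts


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print("HTTP-POST SSO URL         :", info["sso_url"])
    print("SHA-256 fingerprint       :", sha256_fingerprint(info["cert_der"]))
    print("Referrer Filter allow host:", referrer_allow_host(info["sso_url"]))
    print(der_to_pem(info["cert_der"]))
```

Save the printed PEM as a .cer file and import it with “Add Certificate from CER file”; compare the fingerprint with the one AEM displays for the new alias before relying on it. The host returned by `referrer_allow_host` is the single value the Referrer Filter allow list needs, and `referer_allowed` shows why a wildcard is the wrong fix: with `{"acme.okta.com"}` a POST referred from any other origin is still rejected.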
When setting up the OKTA integration on AEM, it can be helpful to review the DEBUG logs of AEM's SAML Authentication handler. To set the log level to DEBUG, create a new Sling Logger configuration via the AEM OSGi Web Console.
Remember to remove or disable this logger on Stage and Production: besides the log noise, DEBUG output from the handler can include the contents of assertions and user attributes.
Navigate to configMgr.
Search and open “Apache Sling Logging Logger Configuration”.
Create a logger with the following configuration:
Click Save to save your settings.
Log out of your AEM instance and try accessing the link. You should see OKTA SSO in action.