SAML 2.0 Authentication Handler
- Topics:
- Administering
CREATED FOR:
- Admin
AEM ships with a SAML authentication handler. This handler provides support for the SAML 2.0 Authentication Request Protocol (Web-SSO profile) using the HTTP POST
binding.
It supports:
- signing and encryption of messages
- automatic creation of users
- synching groups to existing ones in AEM
- Service Provider and Identity Provider initiated authentication
This handler stores the encrypted SAML response message in the user-node ( usernode/samlResponse
) to facilitate communication with a third-party Service Provider.
Configuring The SAML 2.0 Authentication Handler
The Web console provides access to the SAML 2.0 Authentication Handler configuration called Adobe Granite SAML 2.0 Authentication Handler. The following properties can be set.
- The Identity Provider POST URL.
- The Service Provider Entity ID.
Path Repository path for which this authentication handler should be used by Sling. If this is empty, the authentication handler will be disabled.
Service Ranking OSGi Framework Service Ranking value to indicate the order in which to call this service. This is an integer value where higher values designate higher precedence.
IDP Certificate Alias The alias of the IdP’s certificate in the global truststore. If this property is empty the authentication handler is disabled. See the “Add the IdP Certificate to the AEM TrustStore” chapter below on how to set it up.
Identity Provider URL URL of the IDP where the SAML Authentication Request should be sent to. If this property is empty the authentication handler is disabled.
Service Provider Entity ID ID which uniquely identifies this service provider with the identity provider. If this property is empty the authentication handler is disabled.
Default Redirect The default location to redirect to after successful authentication.
request-path
cookie is not set. If you request any page below the configured path without a valid login-token, the requested path is stored in a cookieand the browser will be redirected to this location again after successful authentication.
User-ID Attribute The name of the attribute containing the user ID used to authenticate and create the user in the CRX repository.
saml:Subject
node of the SAML assertion but from this saml:Attribute
.Use Encryption Whether or not this authentication handler expects encrypted SAML assertions.
Autocreate CRX Users Whether or not to automatically create non-existing users in the repository after successful authentication.
Add to Groups Whether or not a user should be automatically added to CRX groups after successful authentication.
Group Membership The name of the saml:Attribute containing a list of CRX groups this user should be added to.
Add the IdP Certificate to the AEM TrustStore
SAML assertions are signed and may optionally be encrypted. In order for this to work you have to provide at least the public certificate of the IdP in the repository. In order to do this you need to:
-
Go to http:/serveraddress:serverport/libs/granite/security/content/truststore.html
-
Press the Create TrustStore link
-
Enter the password for the TrustStore and press Save.
-
Click on Manage TrustStore.
-
Upload the IdP certificate.
-
Take note of the certificate Alias. The alias is admin#1436172864930 in the example below.
Add the Service Provider key and certificate chain to the AEM keystore
com.adobe.granite.keystore.KeyStoreNotInitialisedException: Uninitialised system trust store
- Go to: http://localhost:4502/libs/granite/security/content/useradmin.html
- Edit the
authentication-service
user. - Create a KeyStore by clicking Create KeyStore under Account Settings.
-
Upload the Private key file by clicking Select Private Key File. The key meeds to be in PKCS#8 format with DER encoding.
-
Upload the certificate file by clicking Select Certificate Chain Files.
-
Assign an Alias, as shown below:
Configure a Logger for SAML
You can set up a Logger in order to debug any issues that might arise from misconfiguring SAML. You can do this by:
-
Going to the Web Console, at http://localhost:4502/system/console/configMgr
-
Search for and click on the entry called Apache Sling Logging Logger Configuration
-
Create a logger with the following configuration:
- Log Level: Debug
- Log File: logs/saml.log
- Logger: com.adobe.granite.auth.saml
Experience Manager
- Administering User Guide overview
- Sites Features
- Website Administration
- Reusing Content: Multi Site Manager and Live Copy
- Live Copy Overview Console
- Configuring Live Copy Synchronization
- Creating and Synchronizing Live Copies
- MSM Rollout Conflicts
- MSM Best Practices
- Translating Content for Multilingual Sites
- Managing Translation Projects
- Identifying Content to Translate
- Preparing Content for Translation
- Creating a Language Root Using the Classic UI
- Connecting to Microsoft Translator
- Configuring the Translation Integration Framework
- Language Copy Wizard
- Translation Enhancements
- Translation Best Practices
- Configurations and the Configuration Browser
- AEM FAQs
- Operations
- Dashboards
- Operations Dashboard
- Backup and Restore
- Data Store Garbage Collection
- Monitoring Server Resources Using the JMX Console
- Working with Logs
- Configure the Rich Text Editor
- Configure the Video component
- The Bulk Editor
- Configuring Email Notification
- Configuring RTE for Producing Accessible Sites
- The Link Checker
- Troubleshooting AEM
- Audit Log Maintenance in AEM 6
- Editor
- Managing Access to Workflows
- Using cURL with AEM
- Configuring Undo for Page Editing
- Proxy Server Tool (proxy.jar)
- Configuring for AEM Apps
- Administering Workflows
- Configuring Search Forms
- Tools Consoles
- Reporting
- Administering Workflow Instances
- Configuring Layout Container and Layout Mode
- Enabling Access to Classic UI
- Starting Workflows
- Configure the Rich Text Editor plug-ins
- Admin Consoles
- Security
- User Administration and Security
- User, Group and Access Rights Administration
- Security Checklist
- OWASP Top 10
- Running AEM in Production Ready Mode
- Identity Management
- Adobe IMS Authentication and Admin Console Support for AEM Managed Services
- Creating a Closed User Group
- Mitigating serialization issues in AEM
- User Synchronization
- Encapsulated Token Support
- Single Sign On
- How to Audit User Management Operations in AEM
- SSL By Default
- SAML 2.0 Authentication Handler
- Closed User Groups in AEM
- Granite Operations - User and Group Administration
- Enabling CRXDE Lite in AEM
- Configuring LDAP with AEM 6
- Configure the Admin Password on Installation
- Service Users in AEM
- Encryption Support for Configuration Properties
- Handling GDPR Requests for the AEM Foundation
- Content Disposition Filter
- Personalization
- eCommerce
- Integration
- Integrating with Third-Party Services
- Integrating with Salesforce
- Integrating with Adobe Target
- Integrating with Adobe Analytics
- Connecting to Adobe Analytics and Creating Frameworks
- Configuring Link Tracking for Adobe Analytics
- Mapping Component Data with Adobe Analytics Properties
- Configuring Video Tracking for Adobe Analytics
- HTTP2 Delivery of Content FAQ
- Troubleshooting your Adobe Campaign Integration
- SharePoint Connector Licenses, Copyright Notices, and Disclaimers
- SharePoint Connector
- DHTML Viewer End-of-Life FAQs
- Integrating with Adobe Campaign Classic
- Related Community Articles
- Integrating with Adobe Campaign Standard
- Flash Viewers End-of-Life Notice
- Integrating with Adobe Creative Cloud
- Integrating with Adobe Dynamic Tag Management
- Opting Into Adobe Analytics and Adobe Target
- AEM Portals and Portlets
- Integrating with Dynamic Media Classic
- Troubleshooting Integration Issues
- Integrating with BrightEdge Content Optimizer
- Best Practices for Email Templates
- Catalog Producer
- Integrating with Silverpop Engage
- Integrating with Adobe Campaign
- Integrating with ExactTarget
- Analytics with External Providers
- Integrating with the Adobe Marketing Cloud
- Manually Configuring the Integration with Adobe Target
- Prerequisites for Integrating with Adobe Target
- Adobe Classifications
- Solutions Integration
- Target Integration with Experience Fragments
- Best Practices
- Content Management