Single Sign On
Single Sign On (SSO) allows a user to access multiple systems after providing authentication credentials (such as a user name and password) once. A separate system (known as the trusted authenticator) performs the authentication and passes the resulting user identity to Experience Manager. Experience Manager does not authenticate the user again; it only checks and enforces the access permissions for that user (i.e. determines which resources the user is allowed to access).
The SSO Authentication Handler service (com.adobe.granite.auth.sso.impl.SsoAuthenticationHandler) processes the authentication results that the trusted authenticator provides. The SSO Authentication Handler searches for an ssid (SSO Identifier) as the value of a special attribute in the following locations, in this order:
- Request Headers
- Cookies
- Request Parameters
When a value is found, the search is finished and this value is used. The handler does not verify where the value came from beyond applying the configured ID Format, so the front end (Dispatcher or reverse proxy) must guarantee that the configured header, cookie or parameter can only be set by the trusted authenticator and is never accepted from the client; otherwise anyone who can reach the instance can impersonate any user simply by supplying it.
Configure the following two services to recognize the name of the attribute that stores the ssid:
- The login module.
- The SSO Authentication service.
You must specify the same attribute name for both services. The attribute is included in the SimpleCredentials that are provided to Repository.login. The value of the attribute is irrelevant and ignored; only its presence matters and is verified.
Configuring SSO
To configure SSO for an AEM instance, you need to configure the SSO Authentication Handler.
When working with AEM there are several methods of managing the configuration settings for such services; see Configuring OSGi for more details and the recommended practices.
For example, for NTLM set:
- Path: as required; for example, /
- Header Names: LOGON_USER
- ID Format: ^<DOMAIN>\\(.+)$
Where <DOMAIN> is replaced by your own domain name. The pattern is a regular expression: \\ matches the literal backslash that separates domain and account name, and the first capture group (.+) becomes the user id.
For CoSign:
- Path: as required; for example, /
- Header Names: remote_user
- ID Format: AsIs
For SiteMinder:
- Path: as required; for example, /
- Header Names: SM_USER
- ID Format: AsIs
Confirm that Single Sign On is working as required, including authorization: a user that the trusted authenticator identifies must still only see the resources their AEM permissions allow.
For IIS, in disp_iis.ini set (see Installing the Dispatcher with the Microsoft Internet Information Server for full details):
- servervariables=1 (forwards IIS server variables as request headers to the remote instance)
- replaceauthorization=1 (replaces any header named "Authorization" other than "Basic" with its "Basic" equivalent)
In IIS itself:
- disable Anonymous access
- enable Integrated Windows authentication
You can see which authentication handler is being applied to any section of the content tree by using the Authenticator option of the Felix Console; for example:
http://localhost:4502/system/console/slingauth
The handler that best matches the path is queried first. For example, if you configure handler-A for the path / and handler-B for the path /content, then a request to /content/mypage.html will query handler-B first.
Example
For a cookie request (using the URL http://localhost:4502/libs/cq/core/content/welcome.html):
GET /libs/cq/core/content/welcome.html HTTP/1.1
Host: localhost:4502
Cookie: TestCookie=admin
Using the following configuration:
- Path: /
- Header Names: TestHeader
- Cookie Names: TestCookie
- Parameter Names: TestParameter
- ID Format: AsIs
The response would be:
HTTP/1.1 200 OK
Connection: Keep-Alive
Server: Day-Servlet-Engine/4.1.24
Content-Type: text/html;charset=utf-8
Date: Thu, 23 Aug 2012 09:58:39 GMT
Transfer-Encoding: chunked
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "https://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<title>Welcome to Adobe® CQ5</title>
....
This also works if you request: http://localhost:4502/libs/cq/core/content/welcome.html?TestParameter=admin
Or you can use the following curl command to send the TestHeader header with the value admin:
curl -D - -H "TestHeader: admin" http://localhost:4502/libs/cq/core/content/welcome.html
Note that this request is accepted as admin with no password at all. That is exactly the behaviour the trusted authenticator relies on, and it is why the test configuration above must never be reachable from untrusted clients.
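The following is an added example, not AEM code and not part of the original page: a small Python model of the lookup the SSO Authentication Handler is described as performing (headers, then cookies, then request parameters; first hit wins), of the two ID Format styles shown above (the NTLM-style regex and AsIs), and of best-match handler selection by path. The class and function names, the domain name MYDOMAIN, the /libs path for the test handler, and the request values are all assumptions made for illustration. It generalises the page's single cookie request into several constructed requests, including a forged header, to show that nothing in the handler itself distinguishes a header set by the trusted authenticator from one sent by the client.

```python
"""Model of the SSO Authentication Handler's ssid lookup (added example, not AEM code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Sequence


@dataclass(frozen=True)
class HandlerConfig:
    """The fields configured on the page: Path, Header Names, Cookie Names,
    Parameter Names and ID Format ("AsIs" or a regex whose group 1 is the user id)."""
    path: str
    header_names: Sequence[str] = ()
    cookie_names: Sequence[str] = ()
    parameter_names: Sequence[str] = ()
    id_format: str = "AsIs"


@dataclass
class Request:
    """Constructed request carrying only the parts the handler inspects."""
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)
    params: Dict[str, str] = field(default_factory=dict)


def select_handler(handlers: Sequence[HandlerConfig], path: str) -> Optional[HandlerConfig]:
    """The handler whose configured path is the longest prefix of the request path is queried first."""
    candidates = [h for h in handlers
                  if path == h.path or path.startswith(h.path.rstrip("/") + "/")]
    return max(candidates, key=lambda h: len(h.path), default=None)


def find_ssid(cfg: HandlerConfig, req: Request) -> Optional[str]:
    """Search request headers, then cookies, then request parameters.
    The first attribute found ends the search and its value is used."""
    # HTTP header names are case-insensitive; cookie and parameter names are not.
    headers = {k.lower(): v for k, v in req.headers.items()}
    for name in cfg.header_names:
        if name.lower() in headers:
            return headers[name.lower()]
    for name in cfg.cookie_names:
        if name in req.cookies:
            return req.cookies[name]
    for name in cfg.parameter_names:
        if name in req.params:
            return req.params[name]
    return None


def user_id_from_ssid(cfg: HandlerConfig, ssid: str) -> Optional[str]:
    """Apply the ID Format: AsIs takes the value verbatim; otherwise the value
    must match the regex and capture group 1 is the user id."""
    if cfg.id_format == "AsIs":
        return ssid
    m = re.match(cfg.id_format, ssid)
    return m.group(1) if m else None


def authenticate(handlers: Sequence[HandlerConfig], req: Request) -> Optional[str]:
    """User id the instance would log in as, or None when no ssid is found or it does not parse."""
    cfg = select_handler(handlers, req.path)
    if cfg is None:
        return None
    ssid = find_ssid(cfg, req)
    return None if ssid is None else user_id_from_ssid(cfg, ssid)


# Two handlers: the NTLM-style one for the root (MYDOMAIN is an assumed domain) and the
# page's TestHeader/TestCookie/TestParameter configuration, here placed under /libs so
# that best-match selection is visible. Pattern is the page's ^<DOMAIN>\\(.+)$.
NTLM = HandlerConfig(path="/", header_names=("LOGON_USER",), id_format=r"^MYDOMAIN\\(.+)$")
TEST = HandlerConfig(path="/libs", header_names=("TestHeader",), cookie_names=("TestCookie",),
                     parameter_names=("TestParameter",), id_format="AsIs")
HANDLERS = (NTLM, TEST)


def demo() -> Dict[str, Optional[str]]:
    """Constructed requests exercising lookup order, ID Format and handler selection."""
    page = "/libs/cq/core/content/welcome.html"
    return {
        # The page's request: Cookie: TestCookie=admin
        "cookie": authenticate(HANDLERS, Request(page, cookies={"TestCookie": "admin"})),
        # ...welcome.html?TestParameter=admin
        "parameter": authenticate(HANDLERS, Request(page, params={"TestParameter": "admin"})),
        # curl -H "TestHeader: admin" sent straight from a client: the header is taken
        # as-is and wins over the cookie, so the client chooses who it logs in as.
        "forged_header": authenticate(HANDLERS, Request(page, headers={"testheader": "admin"},
                                                        cookies={"TestCookie": "bob"})),
        # LOGON_USER as IIS would forward it; the regex strips the domain.
        "ntlm": authenticate(HANDLERS, Request("/content/mypage.html",
                                               headers={"LOGON_USER": "MYDOMAIN\\jdoe"})),
        # A different domain does not match the pattern, so no user id is derived.
        "ntlm_other_domain": authenticate(HANDLERS, Request("/content/mypage.html",
                                                            headers={"LOGON_USER": "OTHER\\jdoe"})),
        # No ssid anywhere.
        "anonymous": authenticate(HANDLERS, Request(page)),
    }


if __name__ == "__main__":
    for case, user in demo().items():
        print(f"{case:18} -> {user}")
```

The forged_header case is the point to take away: the model, like the handler the page describes, has no way to tell a header injected by the client from one set by the trusted authenticator, so the Dispatcher or reverse proxy in front of AEM has to be the component that strips or overwrites the configured header, cookie or parameter on every inbound request.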
Removing AEM Sign Out Links
When using SSO, sign in and sign out are handled externally, so AEM's own sign-out links are no longer applicable and should be removed.
The sign out link on the welcome screen can be removed using the following steps.
1. Overlay /libs/cq/core/components/welcome/welcome.jsp to /apps/cq/core/components/welcome/welcome.jsp
2. Remove the following part from the JSP:
<a href="#" onclick="signout('<%= request.getContextPath() %>');" class="signout"><%= i18n.get("sign out", "welcome screen") %></a>
To remove the sign out link that is available in the user's personal menu in the top-right corner, follow these steps:
1. Overlay /libs/cq/ui/widgets/source/widgets/UserInfo.js to /apps/cq/ui/widgets/source/widgets/UserInfo.js
2. Remove the following part from the file:
menu.addMenuItem({
    "text": CQ.I18n.getMessage("Sign out"),
    "cls": "cq-userinfo-logout",
    "handler": this.logout
});
menu.addSeparator();