Configuring SSO

To configure SSO for an AEM instance, you configure the SSO Authentication Handler:

  1. When working with AEM, there are several methods of managing the configuration settings for such services; see Configuring OSGi for more details and the recommended practices.

     For example, for NTLM set:

     • Path: as required; for example, /
     • Header Names: LOGON_USER
     • ID Format: ^<DOMAIN>\\(.+)$

       Where <DOMAIN> is replaced by the name of your own domain.

     For CoSign:

     • Path: as required; for example, /
     • Header Names: remote_user
     • ID Format: AsIs

     For SiteMinder:

     • Path: as required; for example, /
     • Header Names: SM_USER
     • ID Format: AsIs

  2. Confirm that Single Sign On is working as required, including authorization.

CAUTION
Make sure that users cannot access AEM directly if SSO is configured.
By requiring users to go through a web server that runs your SSO system’s agent, you ensure that no user can directly send a header, cookie, or parameter that would cause AEM to trust them, because the agent filters such information when it is sent from outside.
Any user who can access your AEM instance directly, without going through the web server, can act as any other user simply by sending that header, cookie, or parameter, if its name is known.
Also, of the header, cookie, and request parameter names, configure only the one that your SSO setup actually requires.
NOTE
Single Sign On is often used with LDAP.
NOTE
If you are also using the Dispatcher with the Microsoft® Internet Information Server (IIS), then additional configuration is required:

In disp_iis.ini:
  • servervariables=1 (forwards IIS server variables as request headers to the remote instance)
  • replaceauthorization=1 (replaces any header named “Authorization” other than “Basic” with its “Basic” equivalent)

In IIS:
  • disable Anonymous access
  • enable Integrated Windows authentication

You can see which authentication handler is being applied to any section of the content tree by using the Authenticator option of the Felix Console; for example:

http://localhost:4502/system/console/slingauth

The handler that best matches the path is queried first. For example, if you configure handler-A for the path / and handler-B for the path /content, then a request to /content/mypage.html will query handler-B first.
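The following Python sketch is an added illustration (not AEM's own code) of the two rules above: the best-matching handler path is queried first with fall-through to the next, and each handler applies its ID Format to its configured header, "AsIs" taking the raw value and the NTLM regex capturing the user name after the domain. The handler table and request headers are constructed; MYDOMAIN stands in for your own domain.

```python
import re
from typing import Optional

# Constructed handler configurations using the page's values. "MYDOMAIN" is a
# placeholder for the real Windows domain; in the ID Format the backslash is
# doubled because the value is a regular expression. Illustration only.
HANDLERS = [
    {"name": "ntlm", "path": "/", "header": "LOGON_USER", "id_format": r"^MYDOMAIN\\(.+)$"},
    {"name": "siteminder", "path": "/content", "header": "SM_USER", "id_format": "AsIs"},
]


def handlers_for(path: str, handlers=HANDLERS) -> list:
    """Return the handlers whose configured path covers the request path,
    longest (best-matching) path first."""
    matching = [
        h for h in handlers
        if path == h["path"] or path.startswith(h["path"].rstrip("/") + "/")
    ]
    return sorted(matching, key=lambda h: len(h["path"]), reverse=True)


def extract_user_id(headers: dict, handler: dict) -> Optional[str]:
    """Apply the handler's ID Format to its configured header: 'AsIs' uses the
    raw value; otherwise the value must match the regex and group 1 is the id."""
    value = headers.get(handler["header"].lower())
    if value is None:
        return None
    if handler["id_format"] == "AsIs":
        return value
    m = re.match(handler["id_format"], value)
    return m.group(1) if m else None


def resolve(path: str, request_headers: dict) -> Optional[tuple]:
    """Query the best-matching handler first, falling through to the next;
    return (handler name, user id) or None if no handler authenticates."""
    headers = {k.lower(): v for k, v in request_headers.items()}  # names are case-insensitive
    for h in handlers_for(path):
        uid = extract_user_id(headers, h)
        if uid is not None:
            return (h["name"], uid)
    return None


if __name__ == "__main__":
    # Constructed headers as the SSO agent on the web server would forward them.
    print(resolve("/content/mypage.html", {"SM_USER": "jdoe"}))              # ('siteminder', 'jdoe')
    print(resolve("/content/mypage.html", {"LOGON_USER": "MYDOMAIN\\jdoe"}))  # ('ntlm', 'jdoe')
    print(resolve("/etc/x.html", {"LOGON_USER": "OTHER\\jdoe"}))             # None
```

A value from a domain other than the configured one yields no user id, which is why the ID Format regex should name your domain rather than accept any prefix.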
