Configuring SSO
To configure SSO for an AEM instance, you configure the SSO Authentication Handler:
- When working with AEM, there are several methods of managing the configuration settings for such services; see Configuring OSGi for more details and the recommended practices.
For example, for NTLM set:
- Path: as required; for example, /
- Header Names: LOGON_USER
- ID Format: ^<DOMAIN>\\(.+)$
Where <DOMAIN> is replaced by the name of your own domain. An ID Format other than AsIs is treated as a regular expression whose first capturing group yields the user ID; here \\ matches the single backslash that separates the domain from the user name, so a header value of DOMAIN\user logs in as user.
For CoSign:
- Path: as required; for example, /
- Header Names: remote_user
- ID Format: AsIs
For SiteMinder:
- Path: as required; for example, /
- Header Names: SM_USER
- ID Format: AsIs
- Confirm that Single Sign On is working as required, including authorization. Also confirm that the instance is reachable only through the front end that sets these headers: the handler trusts whatever value arrives in the configured header, so a client that can reach the instance directly could supply LOGON_USER, remote_user or SM_USER itself.
- For IIS, in disp_iis.ini set (see Installing the Dispatcher with the Microsoft® Internet Information Server for full details):
  - servervariables=1 (forwards IIS server variables as request headers to the remote instance)
  - replaceauthorization=1 (replaces any header named "Authorization" other than "Basic" with its "Basic" equivalent)
- disable Anonymous access
- enable Integrated Windows authentication
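The following Python simulation is an added illustration, not AEM's or Sling's own handler code. It models the two settings named above, Header Names and ID Format, and assumes that a non-AsIs ID Format is a regular expression whose first group is the user ID. The domain name CORP and the user names are constructed sample data, and the decision to reject (rather than skip) a header that is present but does not match the ID Format is an assumption of this simulation.

```python
"""Simulation of how a header-based SSO handler turns a front-end header
into a user ID. Added illustration, not AEM's or Sling's own code."""
import re
from typing import Mapping, Optional, Sequence

AS_IS = "AsIs"


def extract_user_id(headers: Mapping[str, str],
                    header_names: Sequence[str],
                    id_format: str) -> Optional[str]:
    """Return the user ID the handler would accept for this request, or None.

    The first configured header present on the request is used. A header
    that is present but does not match the ID Format is rejected instead of
    falling through to the next header (assumed behaviour of this simulation,
    chosen so that a malformed value never yields a login).
    """
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    for name in header_names:
        raw = lowered.get(name.lower())
        if not raw:
            continue
        if id_format == AS_IS:
            return raw
        match = re.match(id_format, raw)
        if match is None or match.lastindex is None or not match.group(1):
            return None
        return match.group(1)
    return None


# The three configurations from this page, with <DOMAIN> replaced by CORP.
# In the regex, "\\" matches the single backslash between domain and user.
NTLM = (["LOGON_USER"], r"^CORP\\(.+)$")
COSIGN = (["remote_user"], AS_IS)
SITEMINDER = (["SM_USER"], AS_IS)


def demo() -> dict:
    """Run the three configurations against constructed request headers."""
    return {
        "ntlm_ok": extract_user_id({"LOGON_USER": r"CORP\jdoe"}, *NTLM),
        "ntlm_wrong_domain": extract_user_id({"LOGON_USER": r"OTHER\jdoe"}, *NTLM),
        "ntlm_no_backslash": extract_user_id({"LOGON_USER": "jdoe"}, *NTLM),
        "cosign": extract_user_id({"Remote_User": "jdoe"}, *COSIGN),
        "siteminder": extract_user_id({"SM_USER": "jdoe"}, *SITEMINDER),
        "no_header": extract_user_id({}, *SITEMINDER),
        # Nothing in the handler distinguishes a header set by SiteMinder from
        # one supplied by a client that reaches the instance directly, which
        # is why the instance must only be reachable through the front end.
        "client_supplied_header": extract_user_id({"SM_USER": "admin"}, *SITEMINDER),
    }


if __name__ == "__main__":
    for case, user in demo().items():
        print(f"{case}: {user!r}")
```

The last case is the one to keep in mind when placing the instance: the handler cannot tell a header set by the front end from one a client sent itself, so the configuration above is only as strong as the network path between the front end and AEM.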
You can see which authentication handler is being applied to any section of the content tree by using the Authenticator option of the Felix Console; for example:
http://localhost:4502/system/console/slingauth
The handler that best matches the path is queried first. For example, if you configure handler-A for the path / and handler-B for the path /content, then a request to /content/mypage.html will query handler-B first.
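The selection rule described above, as an added Python illustration rather than Sling's own code. It assumes plain prefix matching on "/" segment boundaries (so /content does not cover /contents/x.html) and reuses the handler-A and handler-B names from the example.

```python
"""Which authentication handler is asked first for a request path.
Added illustration, not Sling's own code."""
from typing import Mapping, Optional


def _covers(handler_path: str, request_path: str) -> bool:
    """True if a handler registered at handler_path covers request_path."""
    if handler_path == "/":
        return True  # the root handler covers every path
    handler_path = handler_path.rstrip("/")
    # Match whole segments only: /content must not cover /contents/x.html.
    return request_path == handler_path or request_path.startswith(handler_path + "/")


def first_handler(handlers: Mapping[str, str], request_path: str) -> Optional[str]:
    """Return the handler queried first: the longest registered path that
    covers the request. Returns None if no registered path covers it."""
    best_path: Optional[str] = None
    for path in handlers:
        if _covers(path, request_path) and (best_path is None or len(path) > len(best_path)):
            best_path = path
    return None if best_path is None else handlers[best_path]


# The page's example: handler-A at / and handler-B at /content.
HANDLERS = {"/": "handler-A", "/content": "handler-B"}

if __name__ == "__main__":
    for p in ("/content/mypage.html", "/content", "/contents/x.html", "/apps/x.html"):
        print(p, "->", first_handler(HANDLERS, p))
```

Only the first handler queried is returned here; if that handler declines the request, Sling goes on to the next best match, which this simplified example does not model.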