SAML 2.0 authentication saml-2-0-authentication
Learn how to set up and authenticate end-users (not AEM authors) to a SAML 2.0 compatible IDP of your choosing.
What SAML for AEM as a Cloud Service?
SAML 2.0 integration with AEM Publish (or Preview), allows end users of an AEM-based web experience to authenticate to a non-51黑料不打烊 IDP (Identity Provider), and access AEM as a named, authorized user.
The typical flow of an AEM Publish SAML integration is as follows:
-
User makes a request to AEM Publish the indicates authentication is required.
- User requests a CUGs/ACL protected resource.
- User requests a resource that is subject to an Authentication Requirement.
- User follows a link to AEM鈥檚 login endpoint (i.e.
/system/sling/login
) that explicitly requests the login action.
-
AEM makes an AuthnRequest to the IDP, requesting IDP to start authentication process.
-
User authenticates to IDP.
- User is prompted by the IDP for credentials.
- User is already authenticated with the IDP and does not have to provide further credentials.
-
IDP generates a SAML assertion containing the user鈥檚 data, and signs it using the IDP鈥檚 private certificate.
-
IDP sends the SAML assertion via HTTP POST, by way of the user鈥檚 web browser (RESPECTIVE_PROTECTED_PATH/saml_login), to AEM Publish.
-
AEM Publish receives the SAML assertion, and validates the SAML assertion鈥檚 integrity and authenticity using the IDP public certificate.
-
AEM Publish manages the AEM user record based on the SAML 2.0 OSGi configuration, and the contents of the SAML Assertion.
- Creates user
- Synchronizes user attributes
- Updates AEM user group membership
-
AEM Publish sets the AEM
login-token
cookie on the HTTP response, which is used to authenticate subsequent requests to AEM Publish. -
AEM Publish redirects user to URL on AEM Publish as specified by the
saml_request_path
cookie.
Configuration walk-through
So I want to quickly show you how to set up SAML authentication for AEM鈥檚 cloud service. And for this I鈥檒l be using a free Okta account as a IDP And my AEM as a cloud service, dev environment鈥檚 publish service will be the service provider or SP. First step here is to set up the IDP itself. And I鈥檓 going to just run through this quickly. I鈥檓 not going to spend too much time on the Okta side since all IDPs are a little bit different. But I hope this should give you a good sense of what you might have to do in your IDP. So I鈥檓 going to create a new integration app. I鈥檓 going to make sure to pick SAML 2.0, as that鈥檚 the version of SAML that AEM as a cloud service supports.
Go ahead and name my app.
And the first thing I鈥檒l need to do is provide a single sign in URL. And this is where the SAML assertion is posted back to in AEM. So the first piece of this will be the AEM Publish origin and I can find this in cloud manager, and go to my environment, get these details, and copy the Publish service link. And note that if you are doing this on production and have a custom domain, you would want to make sure that your custom domain that your users are accessing is here instead. The next piece that we鈥檒l go into further detail when we set up the SAML authentication AEM, is the path that we鈥檒l be posting to. So typically you鈥檒l want to post under the Sites path, whose authentication will be managed by the IDP. So in this case we鈥檒l be managing authentication for the WKND Site, which reside under 鈥/content_wknd.鈥 And then we鈥檒l want to make sure that we add a suffix of 鈥淪AML_login.鈥 And this is just a special path segment that tells the SAML authentication handler in AEM that it needs to be invoked. And we鈥檒l go into the details of this a little bit later on, as I mentioned before. Next up is the audience URI, or service provider entity ID. And this is just a unique ID that tells the IDP what service provider should be accessing this specific IDP application or configuration. Typically a single AEM as a cloud service environment is mapped to an IDP integration or application. So it鈥檚 often most clear to simply use the origin of the AEM Publish service. We can leave the relay state blank, the name ID format. I would like to change this as transient, simply because this is the default expected format in AEM and this removes the need for us to configure that later.
And lastly, we can map some user attributes from our IDP into the SAML assertion, which will allow us to synchronize those into AEM. So over here we can see we have a couple of values available to us from Okta. So let鈥檚 map the first name, and we can call this anything we want, but let鈥檚 just keep it simple. Call it 鈥渇irst name.鈥 and we鈥檒l do the same for 鈥渓ast name.鈥 And let鈥檚 throw one in named 鈥淯ID鈥 and map it to the email address in Okta. We鈥檒l skip the group attribute statements for now and we can finish up our configuration here. So hit 鈥楴ext.鈥 Since this is a free account I鈥檓 just going to click through this, and finish.
And the last thing I want to do, since this is a a brand new application in Okta is make sure that we assign users to it so we can actually log in using those users. So I鈥檒l just go up to assignments and just assign a few of the sample accounts that I have set up in Okta.
All right, we should be set now. Now let鈥檚 head over to AEM and continue the setup. Do note that we鈥檒l have to come back here to our IDP to collect some information and data that we鈥檒l use to configure the SAML authentication piece in AEM itself.
With the IDP configured, our first step is to configure AEM鈥檚 Global Trust Store to include the IDP鈥檚` public certificate. So for this, we鈥檒l head over to the AEM environments Author service. And note that we鈥檙e initially configuring this on the Author service, even though we will ultimately push this to AEM Publish as that is the service tier that will interact with the IDP. So we need to make sure we鈥檙e an AEM administrator, head over to 鈥楾ools鈥, 鈥楽ecurity鈥, and 鈥楾rust store.鈥 So you may already have an existing Global Trust store, if you do open it using its password. If not, we can create a new trust store, provide a password and make sure you record this in a safe place as this is going to be required to edit it in the future. So if you need to add or update a certificate you would need this password.
Once we鈥檙e here, under the 鈥楢dd Certificate From CER file鈥 section, we can upload the public certificate provided to us by our IDP. So for this, we need to go back to our IDP and download it.
So back in the IDP I can grab the certificate, download it to my local computer, head back to AEM, and upload the public certificate from the IDP.
We don鈥檛 have to map it to a user, so leave that blank, and hit 鈥楽ubmit.鈥 We can see that the certificate was successfully loaded, and we can see the certificate details up above. And what in them that we鈥檒l have to make note of is the certificate alias as we will need to reference this in our SAML configuration.
With the IDP as public certificate installed into AEM Authors Global Trust Store, we need to activate or replicate the Global Trust Store to AEM Publish. So there are a couple ways to do this, but I鈥檇 like to use the package approach. So let鈥檚 go ahead and do that. We head back to 鈥楾ools鈥, 鈥楧eployment鈥, 鈥楶ackages.鈥 I鈥檓 going to create a new package. I鈥檒l just call this 鈥淕lobal Trust Store,鈥 however you can name this anything you want. I鈥檒l give it a version.
I鈥檒l give it a group.
And create the empty package.
Now let鈥檚 add the Global Trust Store. So for this, we鈥檒l hit 'Edit, 鈥楩ilters,鈥 鈥楢dd a filter鈥 and we will add the trust store folder location which is at ETC Trust Store.
And save.
Now we can build the package which will add the trust store to the actual package file.
Go to 鈥楳ore,鈥 and replicate. And this will push the package out to the AEM Publish and preview services.
Next, we鈥檒l need an AEM developer tag configuration files to our AEM project, and then deploy them to AEM as a cloud service via cloud manager. The first set of configurations are OSGI configurations. So we鈥檒l add those to the 鈥榰i.config鈥 project. We鈥檒l drill down 鈥榮rc/main/content鈥, 鈥榡cr_root鈥, 鈥榓pps,鈥 our project name, 鈥渙sgiconfig.鈥 And we鈥檒l be putting ours in the config.publish folder, Since AEM鈥檚 SAML integration is only supported on the Publish service tier.
Note that we鈥檒l also be using OSGI configuration variables to abstract out some of the values so we don鈥檛 need to recreate the same configurations and duplicate them across the more specific run world folders such as publish.dev, publish.prod, and publish.stage.
All right, so the first OSGI configuration we鈥檒l create is for the SAML authentication handler. So let鈥檚 go ahead and create a new file and we鈥檒l use the OSGI factory configuration PID, to name this file.
Note that this is a factory configuration so you can have multiple configurations for the SAML authentication handler deployed to AEM. And the unique identifier for each configuration is denoted after the tilde here. So I鈥檓 going to go ahead and change this from SAML to Okta, just to be a little bit more clear as to what this SAML authentication handler is configuring. But you can name this ID segment after the tilde anything you want I鈥檒l go ahead and paste in some of the base properties that we鈥檒l need to configure, and let鈥檚 go through these and fill them out. So the first is the paths that this authentication handler will be responsible for authenticating requests for. So keep in mind that this does not necessarily mean these paths require authentication. It simply means that if there are protected resources beneath these paths, that this authentication handler configuration will be invoked to try to authenticate the users. Since we鈥檙e adding this for the WKND website and we know that the WKND website resides under 鈥/content/wknd,鈥 let鈥檚 go ahead and add that as our first path. We can add other related paths. So for instance we could add 鈥/content/dam/wknd鈥 to make sure that if anyone directly requests an asset, that they鈥檙e also sent through this authentication flow. And before we move on I want to tie this back to something we configured in IDP. And you鈥檒l remember that we specified the single sign-on URL. And we specified this as the Publish origin 鈥/content/wknd/SAML鈥 login. So the reason that we picked 鈥/content/wknd鈥 as part of the single sign on URL is because I knew that we would be configuring 鈥/content/wknd鈥 as one of the paths that the SAML authentication handler would be responsible for managing authentication for. So in order to ensure that this authentication handler was invoked, I set the sign in URL to be 鈥/content/wknd,鈥 and then that well known suffix 鈥/saml_login.鈥 Next up is the IDP cert alias and this is the cert alias in AEM鈥檚 Global Trust Store that contains the public cert provided by the IDP. So we can get this by going back to AEM, 鈥楾ools,鈥 鈥楽ecurity,鈥 opening the trust store, and simply copying the cert alias. The IDP identifier is optional, however most IDPs provide this and it鈥檚 a nice way to tie back any AEM user creation to specific IDPs. So let鈥檚 go ahead and add this. Head back to the IDP.
And in Okta we can view the setup instructions, and we have the identity provider issuer which acts essentially as a unique ID for this particular SAML integration. So we can use this.
Next is the IDP URL, and this is where AEM Publish will send the Author requests that will initiate the SAML authentication with the IDP. And this is provided right here in the IDP. So we can take that, paste it in. Next step is the service provider entity ID and this is what we configured in the audience field when we set up our IDP. So we can go back to the general tab, locate audience restriction, and we can simply copy this value.
We鈥檒l keep using encryption set to false. Setting use encryption to true requires AEM to provide a public and private key. The public key will be installed on the IDP, and the private key installed on AEM. And this facilitates the signing of the Author request, as well as the encryption of the SAML assertion. Next step is the user ID attribute. This is the SAML attribute that contains the value that will be used as the AEM User ID. And if we look on our IDP, you can see that we have mapped UID attribute to the user email. So if we wanted to use the user鈥檚 email as it exists in Okta we could provide UID in this field, or whatever the SAML assertions attribute that contains that as named. If we leave this blank, it will by default use the SAML assertion鈥檚 subject name. And in the case of my IDP configuration, that happens to be the email address. So I鈥檓 going to leave this blank and it鈥檒l actually just use the subject name.
Next step is create user. You almost always want 鈥榗reate user set to true,鈥 as this will automatically create any non-existent AEM users in AEM upon successful authentication, to the IDP. Next step is the intermediate path. And this is the intermediate path in AEM under /homeusers. Any users created during the authentication SAML flow will reside under it. So for instance, we could set this to 鈥渨knd/okta鈥 if we wanted to clearly delineate which users in the JCR were created using the WKND Okta SAML integration.
Next up is the synchronized attributes, and this allows us to synchronize attributes from the IDP and persist them to the AEM user鈥檚 profile. So let鈥檚 go ahead and do this for some of the attributes that we set up in our IDP. So we have those listed under the attribute statements here. And the format is the SAML assertion attribute name. So in this case it鈥檚 鈥渇irst name.鈥 And don鈥檛 get this confused with what the SAML assertion attribute is mapped to in the IDP, which in this case is 鈥渦ser.first name.鈥 And then we set equals to and this is the relative property path from the user鈥檚 node that we鈥檒l store this value in. So typically these are stored under profile and then a property. So given name is the native property in AEM that stores the first name. Let鈥檚 do the same for the last name.
And lastly, let鈥檚 save the UID, which we鈥檝e configured to contain the user鈥檚 email, and save it to the AEM Profiles email property. All right, almost done. The last two fields have to do with managing membership of the user in AEM after they logged in. 鈥淎dd group membership鈥 simply means that the user鈥檚 group membership will be managed during authentication, so they鈥檒l be added or removed to any of the necessary groups as defined in the configuration. So we鈥檒l leave this to true. And then we can set default groups that this user will be added to. So in this case, let鈥檚 just add them to our WKND members AEM user group, so that once they authenticate, they鈥檙e able to access the members only area. Note that this integration can also dynamically assign memberships based on group names sent down from the IDP via the SAML assertion. The last thing I want to do before we tackle the other OSGI configurations, is to abstract some of these values out using OSGI environment variables.
So what we can do is use a specific syntax, and so we鈥檒l add a dollar sign, square bracket, ENV, colon, and now we can make up a variable name, though of course you want to keep the semantics. So I鈥檓 going to name this 鈥淪AML_IDP_Cert_Alias,鈥 since this is for the SAML integration and it defines the cert alias for the IDPs public cert. And then I can put a semicolon, and I can even say 鈥渄efault equals鈥 and then provide the value I pasted in as a default value. And then I want to make sure that I finish this up with another square bracket. So essentially what I鈥檝e done here is I鈥檝e abstracted the value that will be injected into this property using an OSGI environment variable named 鈥淪AML_IDP_CERT_ALIAS鈥 that I can manage in cloud managers UI.
Let鈥檚 skip ahead to where I鈥檝e done this for some of the other OSGI properties.
The nice thing about using OSGI environment variables is it allows us to create a single OSGI configuration that we can use across multiple service types or environment types. So for example, it鈥檚 likely that we would use a development IDP application on our development environment, and a production IDP application for our stage and production environments. We can update any of these OSGI configuration values in cloud managers UI without a new code deployment. We have two more OSGI configurations to go, so let鈥檚 keep moving. The second OSGI configuration is the sling refer filter OSG config. So I鈥檒l open mine up, and this is located under our config.publish folder. This OSG configuration was autogenerated when I created this project using the AEM Maven project archetype. If you don鈥檛 have this OSGI configuration you can certainly add your own. So there are two properties we want to focus on in this OSGI configuration, and that鈥檚 the allowed hosts. So for this, we鈥檒l put in the domain or host that the IDP runs on, and we can get this from the IDP. So we鈥檒l head over and grab the domain name that the IDP runs on and will be accessed from, and place it in here. I recommend not providing the scheme, so the HDP or HDPS prefix. If you do provide the scheme, you鈥檒l have to provide a port as well as part of the URL. So this would be 443 for HTTPs, or you could essentially whitelist it and put a zero.
But if we leave the scheme off and simply put the domain name, both HTTP and HTTPS referring requests from this domain will be allowed. I鈥檒l go ahead and abstract this out as a OSGI environment variable as well, since this might be something we would want to change based on our environment types.
And we鈥檒l just use this value as the default. Note that you could also use the 鈥渁llow host regular expression鈥 property above, if you know that you鈥檒l be using a variety of IDP URLs across your environments that match a specific pattern. But we鈥檒l keep ours simple and use the exact domain. The last thing we need to do is make sure that the filter.methods includes the post method. And this is because the IDP will orchestrate an HTTP post back to AEM containing the SAML assertion, and we want to make sure that that request comes through. Okay, the last OSGI configuration we need is a cross origin resource sharing config. So just like before, we鈥檒l make a new OSGI config under config.publish, and I鈥檒l paste in the factory PID for CORS.
And I鈥檒l also paste in the properties that we鈥檒l need to fill out. And do note that since CORS is a factory configuration you can have multiple CORS policies defined for an AEM environment. So for example, as you can see here, I鈥檝e just created a new SAML CORS policy, but we鈥檝e already had a WKND GraphQL policy, as well. But that鈥檚 fine. I typically like to break out the CORS policies for whatever use case that they鈥檙e supporting, and that鈥檚 why we have a brand new one for SAML.
Back to the OSGI configuration, we have to fill out these properties here. So 鈥榓llowed origin鈥 will be similar to the refer filter where we need to put in the IDP鈥檚 origin. In this case we鈥檒l want to provide the HTTPS prefix as well. So let鈥檚 go ahead and pop that in. And just like before, let鈥檚 abstract this out into an OSGI configuration environment variable in case we need to change it per environment later.
Next up are the 鈥榓llowed paths.鈥 These are the AEM repository paths that will support cross origin resource sharing requests from the allowed origin defined here. So in our case, our IDP will be making an HTTP post to 鈥/content/wknd/saml_login鈥 So we could put this path here. The other thing we could do is make this a little bit more flexible and replace this with a regular expression and do 鈥.*/saml_login,鈥 And this will allow our IDP to make cross origin resource sharing requests to any path in AEM that ends with 鈥/saml_login.鈥 So let鈥檚 keep this, since it鈥檚 just a little bit more flexible. Lastly, we have 鈥榮upported methods,鈥 and just like the refer filter we need to make sure that post is enumerated here since the IDP will be orchestrating that HTTP post back to AEM with our SAML assertion. All right, so I think that should do it for our OSGI configs. The last thing we need to do is set up our dispatcher. So let鈥檚 head over and do that. I鈥檒l head over to our dispatcher project 鈥榮rc,鈥 鈥榗onf_dispatcherd,鈥 鈥榝ilters,鈥 and I鈥檒l open the 鈥榝ilters.any鈥 file.
And we can go ahead and make a new allow filter in our 鈥榝ilters.any鈥 file The method is post, since the IDP is orchestrating that HTTP post containing the SAML assertion. And we can set the URL to be anything that ends with 鈥渟aml_login,鈥 just like our CORS OSGI configuration.
I鈥檒l add a quick comment so we don鈥檛 forget what this is for, and we should be about ready to go. The last thing I just want to call out is if you鈥檙e doing any sort of rewriting at the Apache web server level, just make sure that any of these HTTP posts to the 鈥/content/wknd/saml_login鈥 endpoint are not being mangled. And we can double check this by going to 鈥榗onf,鈥 鈥榬ewrites,鈥 鈥榬ewrite_rules.鈥 And as we can see here our SAML login will be caught by this rule. Since we鈥檙e posting to 鈥/content/wknd/saml_login,鈥 we鈥檙e fine. If we were running our SAML login off the root of AEM and we were essentially a single tenant situation, this role here would prevent any sort of mangling of that URL. So it looks like we鈥檙e good to go.
The last thing we need to do is commit our changes to GIT, and push it up to cloud manager and deploy it to our AEM as a cloud service environment.
All right, with our updated configuration, push up to cloud manager GIT. Let鈥檚 go ahead and deploy it to our dev environment.
So we鈥檒l go down, find our dev deployment pipeline, which is hooked up to our development branch, which we pushed our configuration changes to. We鈥檒l simply run this.
Now that our SAML configuration is deployed to our AEM as a cloud service environment, let鈥檚 try it out on our AEM Publish service. So I have the weekend site up, and I鈥檓 going to navigate to the magazine page. And I鈥檝e added a new button to the 鈥楳embers Only鈥 section that prompts us to sign in to access our members only articles.
Clicking this button will initiate the authentication with the IDP, which will create a user for me and authenticate me to AEM Publish, and then take me to the 鈥楳embers Only鈥 page. So let鈥檚 try this out. I鈥檒l click the button. We鈥檙e taken to our IDP, which is Okta. I鈥檒l go ahead and sign into Okta.
And upon successful authentication, I鈥檓 taken back to our WKND site running on AEM Publish, and I鈥檓 logged in. You can see that I鈥檓 on the protected WKND members page so I can navigate into the various protected members only articles. And you can also see up here at the top, that as part of my authentication, I was able to sync in my first name and last name from the IDP to my AEM profile, so I can now display these attributes as part of the web experience. I know this video was a little long, but I hope this will help you set up SAML authentication with AEM Publish. -
This video walks through of setting up SAML 2.0 integration with AEM as a Cloud Service Publish service, and using Okta as the IDP.
Prerequisites
The following are required when setting up SAML 2.0 authentication:
- Deployment Manager access to Cloud Manager
- AEM Administrator access to AEM as a Cloud Service environment
- Administrator access to the IDP
- Optionally, access to a public/private keypair used to encryption SAML payloads
SAML 2.0 is only supported to authenticate uses to AEM Publish or Preview. To manage the authentication of AEM Author using and IDP, .
Install IDP public certificate on AEM
The IDP鈥檚 public certificate is added to AEM鈥檚 Global Trust Store, and used to validate the SAML assertion sent by the IDP is valid.
- User authenticates to IDP.
- IDP generates a SAML assertion containing the user鈥檚 data.
- IDP signs the SAML assertion using the IDP鈥檚 private certificate.
- IDP initiates a client-side HTTP POST to AEM Publish鈥檚 SAML endpoint (
.../saml_login
) that includes the signed SAML assertion. - AEM Publish receives the HTTP POST containing the signed SAML assertion, can validate the signature using the IDP public certificate.
-
Obtain the public certificate file from the IDP. This certificate allows AEM to validate the SAML assertion provided to AEM by the IDP.
The certificate is in PEM format, and should resemble:
code language-none -----BEGIN CERTIFICATE----- MIIC4jCBAcoCCQC33wnybT5QZDANBgkqhkiG9w0BAQsFADAyMQswCQYDVQQGEwJV ... m0eo2USlSRTVl7QHRTuiuSThHpLKQQ== -----END CERTIFICATE-----
-
Log in to AEM Author as an AEM Administrator.
-
Navigate to Tools > Security > Trust Store.
-
Create or open the Global Trust Store. If creating a Global Trust Store, store the password some place safe.
-
Expand Add certificate from CER file.
-
Select Select Certificate File, and upload the certificate file provided by the IDP.
-
Leave Map Certificate to User blank.
-
Select Submit.
-
The newly added certificate appears above the Add certificate from CRT file section.
-
Make note of the alias, as this value is used in the SAML 2.0 Authentication Handler OSGi configuration.
-
Select Save & Close.
The Global Trust Store is configured with the IDP鈥檚 public certificate on AEM Author, but since SAML is only used on AEM Publish, the Global Trust Store must be replicated to AEM Publish for the IDP public certificate to be accessible there.
-
Navigate to Tools > Deployment > Packages.
-
Create a package
- Package name:
Global Trust Store
- Version:
1.0.0
- Group:
com.your.company
- Package name:
-
Edit the new Global Trust Store package.
-
Select the Filters tab, and add a filter for the root path
/etc/truststore
. -
Select Done and then Save.
-
Select the Build button for the Global Trust Store package.
-
Once built, select More > Replicate to activate the Global Trust Store node (
/etc/truststore
) to AEM Publish.
Create authentication-service keystore authentication-service-keystore
Creating a keystore for authentication-service is required when the SAML 2.0 authentication handler OSGi configuration property handleLogout
is set to true
or when AuthnRequest signing/SAML assertion ecryption is required
-
Log in to AEM Author as an AEM Administrator, to upload the private key.
-
Navigate to Tools > Security > Users, and select authentication-service user, and select Properties from the top action bar.
-
Select the Keystore tab.
-
Create or open the keystore. If creating a keystore, keep the password safe.
- A public/private keystore is installed into this keystore only if AuthnRequest signing/SAML assertion encryption is required.
- If this SAML integration supports logout, but not AuthnRequest signing/SAML assertion, then an empty keystore is sufficient.
-
Select Save & Close.
-
Create a package containing the updated authentication-service user.
Use the following temporary workaround using packages:
-
Navigate to Tools > Deployment > Packages.
-
Create a package
- Package name:
Authentication Service
- Version:
1.0.0
- Group:
com.your.company
- Package name:
-
Edit the new Authentication Service Key Store package.
-
Select the Filters tab, and add a filter for the root path
/home/users/system/cq:services/internal/security/<AUTHENTICATION SERVICE UUID>/keystore
.- The
<AUTHENTICATION SERVICE UUID>
can be found by navigating to Tools > Security > Users, and selecting authentication-service user. The UUID is the last part of the URL.
- The
-
Select Done and then Save.
-
Select the Build button for the Authentication Service Key Store package.
-
Once built, select More > Replicate to activate the Authentication Service key store to AEM Publish.
-
Install AEM public/private key pair install-aem-public-private-key-pair
Installing the AEM public/private key pair is optional
AEM Publish can be configured to sign AuthnRequests (to IDP), and encrypt SAML assertions (to AEM). This is achieved by providing a private key to AEM Publish, and it鈥檚 matching public key to the IDP.
The AuthnRequest (the request to the IDP from AEM Publish that initiates the login process) can be signed by AEM Publish. To do this, AEM Publish signs the AuthnRequest using the private key, that the IDP then validates the signature using the public key. This guarantees to the IDP that AuthnRequest was initiated, and requested by AEM Publish, and not a malicious third party.
- User makes an HTTP request to AEM Publish that results in an SAML authentication request to the IDP.
- AEM Publish generates the SAML request to send to the IDP.
- AEM Publish signs the SAML request using AEM鈥檚 private key.
- AEM Publish initiates the AuthnRequest, an HTTP client-side redirect to the IDP that contains the signed SAML request.
- IDP receives the AuthnRequest, and validates the signature using AEM鈥檚 public key, guaranteeing AEM Publish initiated the AuthnRequest.
- AEM Publish then validates the decrypted SAML assertion鈥檚 integrity and authenticity using the IDP public certificate.
All HTTP communication between IDP and AEM Publish should be over HTTPS, and thus secure by default. However, as required, SAML assertions can be encrypted in the event extra confidentiality is required on top of that provided by HTTPS. To do this, the IDP encrypts the SAML Assertion data using the private key, and AEM Publish decrypts the SAML assertion using the private key.
- User authenticates to IDP.
- IDP generates a SAML assertion containing the user鈥檚 data, and signs it using the IDP鈥檚 private certificate.
- IDP then encrypts the SAML assertion with AEM鈥檚 public key, which requires the AEM private key to decrypt.
- The encrypted SAML assertion is sent, by way of the user鈥檚 web browser to AEM Publish.
- AEM Publish receives the SAML assertion, and decrypts it using AEM鈥檚 private key.
- IDP prompts user to authenticate.
Both AuthnRequest signing, and SAML assertion encryption are optional, however they are both enabled, using the SAML 2.0 authentication handler OSGi configuration property useEncryption
, meaning both or neither can be used.
-
Obtain the public key, private key (PKCS#8 in DER format), and certificate chain file (this may be the public key) used to sign the AuthnRequest, and encrypt the SAML assertion. The keys are typically provided by the IT organization鈥檚 security team.
- A self-signed key pair can be generated using openssl:
code language-none $ openssl req -x509 -sha256 -days 365 -newkey rsa:4096 -keyout aem-private.key -out aem-public.crt # Provide a password (keep in safe place), and other requested certificate information # Convert the keys to AEM's required format $ openssl rsa -in aem-private.key -outform der -out aem-private.der $ openssl pkcs8 -topk8 -inform der -nocrypt -in aem-private.der -outform der -out aem-private-pkcs8.der
-
Upload the public key to the IDP.
- Using the
openssl
method above, the public key is theaem-public.crt
file.
- Using the
-
Log in to AEM Author as an AEM Administrator, to upload the private key.
-
Navigate to Tools > Security > Trust Store, and select authentication-service user, and select Properties from the top action bar.
-
Navigate to Tools > Security > Users, and select authentication-service user, and select Properties from the top action bar.
-
Select the Keystore tab.
-
Create or open the keystore. If creating a keystore, keep the password safe.
-
Select Add private key from DER file, and add the private key and chain file to AEM:
- Alias: Provide a meaningful name, often the name of the IDP.
- Private key file: Upload the private key file (PKCS#8 in DER format).
- Using the
openssl
method above, this is theaem-private-pkcs8.der
file
- Using the
- Select certificate chain file: Upload the accompanying chain file (this may be the public key).
- Using the
openssl
method above, this is theaem-public.crt
file
- Using the
- Select Submit
-
The newly added certificate appears above the Add certificate from CRT file section.
- Make note of the alias as this is used in the SAML 2.0 authentication handler OSGi configuration
-
Select Save & Close.
-
Create a package containing the updated authentication-service user.
Use the following temporary workaround using packages:
-
Navigate to Tools > Deployment > Packages.
-
Create a package
- Package name:
Authentication Service
- Version:
1.0.0
- Group:
com.your.company
- Package name:
-
Edit the new Authentication Service Key Store package.
-
Select the Filters tab, and add a filter for the root path
/home/users/system/cq:services/internal/security/<AUTHENTICATION SERVICE UUID>/keystore
.- The
<AUTHENTICATION SERVICE UUID>
can be found by navigating to Tools > Security > Users, and selecting authentication-service user. The UUID is the last part of the URL.
- The
-
Select Done and then Save.
-
Select the Build button for the Authentication Service Key Store package.
-
Once built, select More > Replicate to activate the Authentication Service key store to AEM Publish.
-
Configure SAML 2.0 authentication handler configure-saml-2-0-authentication-handler
AEM鈥檚 SAML configuration is performed via the 51黑料不打烊 Granite SAML 2.0 Authentication Handler OSGi configuration.
The configuration is an OSGi factory configuration, meaning a single AEM as a Cloud Service Publish service may have multiple SAML configuration鈥檚 covering discrete resources trees of the repository; this is useful for multi-site AEM deployments.
51黑料不打烊 Granite SAML 2.0 Authentication Handler OSGi configuration configure-saml-2-0-authentication-handler-osgi-configuration
table 0-row-6 1-row-6 2-row-6 3-row-6 4-row-6 5-row-6 6-row-6 7-row-6 8-row-6 9-row-6 10-row-6 11-row-6 12-row-6 13-row-6 14-row-6 15-row-6 16-row-6 17-row-6 18-row-6 19-row-6 20-row-6 21-row-6 22-row-6 23-row-6 24-row-6 25-row-6 26-row-6 27-row-6 3-align-center 4-align-center 10-align-center 11-align-center 17-align-center 18-align-center 24-align-center 25-align-center 31-align-center 32-align-center 38-align-center 39-align-center 45-align-center 46-align-center 52-align-center 53-align-center 59-align-center 60-align-center 66-align-center 67-align-center 73-align-center 74-align-center 80-align-center 81-align-center 87-align-center 88-align-center 94-align-center 95-align-center 101-align-center 102-align-center 108-align-center 109-align-center 115-align-center 116-align-center 122-align-center 123-align-center 129-align-center 130-align-center 136-align-center 137-align-center 143-align-center 144-align-center 150-align-center 151-align-center 157-align-center 158-align-center 164-align-center 165-align-center 171-align-center 172-align-center 178-align-center 179-align-center 185-align-center 186-align-center 192-align-center 193-align-center | |||||
---|---|---|---|---|---|
OSGi property | Required | Value format | Default value | Description | |
Paths | path |
鉁 | String array | / |
AEM paths this authentication handler is used for. |
IDP URL | idpUrl |
鉁 | String | IDP URL the SAML authentication request is sent. | |
IDP certificate alias | idpCertAlias |
鉁 | String | The alias of the IDP certificate found in the AEM鈥檚 Global Trust Store | |
IDP HTTP redirect | idpHttpRedirect |
鉁 | Boolean | false |
Indicates if an HTTP Redirect to the IDP URL instead of sending an AuthnRequest. Set to true for IDP initiated authentication. |
IDP identifier | idpIdentifier |
鉁 | String | Unique IDP Id to ensure AEM user and group uniqueness. If empty, the serviceProviderEntityId is used instead. |
|
Assertion consumer service URL | assertionConsumerServiceURL |
鉁 | String | The AssertionConsumerServiceURL URL attribute in the AuthnRequest specifying where the <Response> message must be sent to AEM. |
|
SP entity Id | serviceProviderEntityId |
鉁 | String | Uniquely identifies AEM to the IDP; usually the AEM host name. | |
SP encryption | useEncryption |
鉁 | Boolean | true |
Indicates if the IDP encrypts SAML assertions. Requires spPrivateKeyAlias and keyStorePassword to be set. |
SP private key alias | spPrivateKeyAlias |
鉁 | String | The alias of the private key in the authentication-service user鈥檚 key store. Required if useEncryption is set to true . |
|
SP key store password | keyStorePassword |
鉁 | String | The password of 鈥榓uthentication-service鈥 user鈥檚 keys store. Required if useEncryption is set to true . |
|
Default redirect | defaultRedirectUrl |
鉁 | String | / |
The default redirect URL after successful authentication. Can be relative to the AEM host (for example, /content/wknd/us/en/html ). |
User Id attribute | userIDAttribute |
鉁 | String | uid |
The name of the SAML assertion attribute containing the user ID of the AEM user. Leave empty to use the Subject:NameId . |
Auto-create AEM users | createUser |
鉁 | Boolean | true |
Indicates if AEM users are created on successful authentication. |
AEM user intermediate path | userIntermediatePath |
鉁 | String | When creating AEM users, this value is used as the intermediate path (for example, /home/users/<userIntermediatePath>/jane@wknd.com ). Requires createUser to be set to true . |
|
AEM user attributes | synchronizeAttributes |
鉁 | String array | List of SAML attribute mappings to store on the AEM user, in the format [ "saml-attribute-name=path/relative/to/user/node" ] (for example, [ "firstName=profile/givenName" ] ). See the full list of native AEM attributes. |
|
Add user to AEM groups | addGroupMemberships |
鉁 | Boolean | true |
Indicates if an AEM user is automatically added to AEM user groups after successful authentication. |
AEM group membership attribute | groupMembershipAttribute |
鉁 | String | groupMembership |
The name of the SAML assertion attribute containing a list of AEM user groups the user should be added to. Requires addGroupMemberships to be set to true . |
Default AEM groups | defaultGroups |
鉁 | String array | A list of AEM user groups authenticated users are always added to (for example, [ "wknd-user" ] ). Requires addGroupMemberships to be set to true . |
|
NameIDPolicy Format | nameIdFormat |
鉁 | String | urn:oasis:names:tc:SAML:2.0:nameid-format:transient |
The value of the NameIDPolicy format parameter to send in the AuthnRequest message. |
Store SAML response | storeSAMLResponse |
鉁 | Boolean | false |
Indicates if the samlResponse value is stored on the AEM cq:User node. |
Handle logout | handleLogout |
鉁 | Boolean | false |
Indicates if logout request is handled by this SAML authentication handler. Requires logoutUrl to be set. |
Logout URL | logoutUrl |
鉁 | String | IDP鈥檚 URL where the SAML logout request is sent to. Required if handleLogout is set to true . |
|
Clock tolerance | clockTolerance |
鉁 | Integer | 60 |
IDP and AEM (SP) clock skew tolerance when validating SAML assertions. |
Digest method | digestMethod |
鉁 | String | http://www.w3.org/2001/04/xmlenc#sha256 |
The digest algorithm that the IDP uses when signing a SAML message. |
Signature method | signatureMethod |
鉁 | String | http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 |
The signature algorithm that the IDP uses when signing a SAML message. |
Identity sync type | identitySyncType |
鉁 | default or idp |
default |
Do not change from default for AEM as a Cloud Service. |
Service ranking | service.ranking |
鉁 | Integer | 5002 |
Higher ranking configurations are preferred for the same path . |
AEM user attributes aem-user-attributes
AEM uses the following user attributes, which can be populated via the synchronizeAttributes
property in the 51黑料不打烊 Granite SAML 2.0 Authentication Handler OSGi configuration. Any IDP attributes can be synchronized to any AEM user property, however mapping to AEM use attribute properties (listed below) allows AEM to naturally use them.
table 0-row-2 1-row-2 2-row-2 3-row-2 4-row-2 5-row-2 6-row-2 7-row-2 8-row-2 9-row-2 10-row-2 11-row-2 | |
---|---|
User attribute | Relative property path from rep:User node |
Title (for example, Mrs ) |
profile/title |
Given name (i.e. first name) | profile/givenName |
Family name (i.e. last name) | profile/familyName |
Job title | profile/jobTitle |
Email address | profile/email |
Street address | profile/street |
City | profile/city |
Postal code | profile/postalCode |
Country | profile/country |
Phone number | profile/phoneNumber |
About me | profile/aboutMe |
-
Create an OSGi configuration file in your project at
/ui.config/src/main/content/jcr_root/wknd-examples/osgiconfig/config.publish/com.adobe.granite.auth.saml.SamlAuthenticationHandler~saml.cfg.json
and open in your IDE.- Change
/wknd-examples/
to your/<project name>/
- The identifier after the
~
in the filename should uniquely identify this configuration, so it may be the name of the IDP, such as...~okta.cfg.json
. The value should be alphanumeric with hyphens.
- Change
-
Paste the following JSON into the
com.adobe.granite.auth.saml.SamlAuthenticationHandler~...cfg.json
file, and update thewknd
references as needed.code language-json { "path": [ "/content/wknd", "/content/dam/wknd" ], "idpCertAlias": "$[env:SAML_IDP_CERT_ALIAS;default=certalias___1652125559800]", "idpIdentifier": "$[env:SAML_IDP_ID;default=http://www.okta.com/exk4z55r44Jz9C6am5d7]", "idpUrl": "$[env:SAML_IDP_URL;default=https://dev-5511372.okta.com/app/dev-5511372_aemasacloudservice_1/exk4z55r44Jz9C6am5d7/sso/saml]", "serviceProviderEntityId": "$[env:SAML_AEM_ID;default=https://publish-p123-e456.adobeaemcloud.com]", "useEncryption": false, "createUser": true, "userIntermediatePath": "wknd/idp", "synchronizeAttributes":[ "firstName=profile/givenName" ], "addGroupMemberships": true, "defaultGroups": [ "wknd-users" ] }
-
Update the values as required by your project. See the SAML 2.0 Authentication Handler OSGi configuration glossary above for configuration property descriptions
-
It is recommended, but not required, to use OSGi environment variables and secrets, when values may change out of sync with the release cycle, or when the values different between similar environment types/service tiers. Default values can be set using the
$[env:..;default=the-default-value]"
syntax as shown above.
OSGi configurations per environment (config.publish.dev
, config.publish.stage
, and config.publish.prod
) can be defined with specific attributes if the SAML configuration varies between environments.
Use encryption
When encrypting the AuthnRequest and SAML assertion, the following properties are required: useEncryption
, spPrivateKeyAlias
, and keyStorePassword
. The keyStorePassword
contains a password therefore the value must not be stored in the OSGi configuration file, but rather injected using secret configuration values
-
Open
/ui.config/src/main/content/jcr_root/wknd-examples/osgiconfig/config.publish/com.adobe.granite.auth.saml.SamlAuthenticationHandler~saml.cfg.json
in your IDE. -
Add the three properties
useEncryption
,spPrivateKeyAlias
, andkeyStorePassword
as shown below.code language-json { "path": [ "/content/wknd", "/content/dam/wknd" ], "idpCertAlias": "$[env:SAML_IDP_CERT_ALIAS;default=certalias___1234567890]", "idpIdentifier": "$[env:SAML_IDP_ID;default=http://www.okta.com/abcdef1235678]", "idpUrl": "$[env:SAML_IDP_URL;default=https://dev-5511372.okta.com/app/dev-123567890_aemasacloudservice_1/abcdef1235678/sso/saml]", "serviceProviderEntityId": "$[env:SAML_AEM_ID;default=https://publish-p123-e456.adobeaemcloud.com]", "useEncryption": true, "spPrivateKeyAlias": "$[env:SAML_AEM_KEYSTORE_ALIAS;default=aem-saml-encryption]", "keyStorePassword": "$[secret:SAML_AEM_KEYSTORE_PASSWORD]", "createUser": true, "userIntermediatePath": "wknd/idp" "synchronizeAttributes":[ "firstName=profile/givenName" ], "addGroupMemberships": true, "defaultGroups": [ "wknd-users" ] }
-
The three OSGi configuration properties required for encryption are:
useEncryption
set totrue
spPrivateKeyAlias
contains the keystore entry alias for the private key used by the SAML integration.keyStorePassword
contains an OSGi secret configuration variable containing theauthentication-service
user keystore鈥檚 password.
Configure Referrer filter
During the SAML authentication process, the IDP initiates a client-side HTTP POST to AEM Publish鈥檚 .../saml_login
end point. If the IDP and AEM Publish exist on different origin, AEM Publish鈥檚 Referrer Filter is configured via OSGi configuration to allow HTTP POSTs from the IDP鈥檚 origin.
-
Create (or edit) an OSGi configuration file in your project at
/ui.config/src/main/content/jcr_root/wknd-examples/osgiconfig/config.publish/org.apache.sling.security.impl.ReferrerFilter.cfg.json
.- Change
/wknd-examples/
to your/<project name>/
- Change
-
Ensure the
allow.empty
value is set totrue
, theallow.hosts
(or if you prefer,allow.hosts.regexp
) contains the IDP鈥檚 origin, andfilter.methods
includesPOST
. The OSGi configuration should be similar to:code language-json { "allow.empty": true, "allow.hosts.regexp": [ ], "allow.hosts": [ "$[env:SAML_IDP_REFERRER;default=dev-123567890.okta.com]" ], "filter.methods": [ "POST", ], "exclude.agents.regexp": [ ] }
AEM Publish supports a single Referrer filter configuration, so merge the SAML configuration requirements, with any existing configurations.
OSGi configurations per environment (config.publish.dev
, config.publish.stage
, and config.publish.prod
) can be defined with specific attributes if the allow.hosts
(or allow.hosts.regex
) vary between environments.
Configure Cross-Origin Resource Sharing (CORS)
During the SAML authentication process, the IDP initiates a client-side HTTP POST to AEM Publish鈥檚 .../saml_login
end point. If the IDP and AEM Publish exist on different hosts/domains, AEM Publish鈥檚 CRoss-Origin Resource Sharing (CORS) must be configured to allow HTTP POSTs from the IDP鈥檚 host/domain.
This HTTP POST request鈥檚 Origin
header usually has a different value than the AEM Publish host, thus requiring CORS configuration.
When testing SAML authentication on the local AEM SDK (localhost:4503
), the IDP may set the Origin
header to null
. If so, add "null"
to the alloworigin
list.
-
Create an OSGi configuration file in your project at
/ui.config/src/main/content/jcr_root/wknd-examples/osgiconfig/config.publish/com.adobe.granite.cors.impl.CORSPolicyImpl~saml.cfg.json
- Change
/wknd-examples/
to your project name - The identifier after the
~
in the filename should uniquely identify this configuration, so it may be the name of the IDP, such as...CORSPolicyImpl~okta.cfg.json
. The value should be alphanumeric with hyphens.
- Change
-
Paste the following JSON into the
com.adobe.granite.cors.impl.CORSPolicyImpl~...cfg.json
file.
{
"alloworigin": [
"$[env:SAML_IDP_ORIGIN;default=https://dev-1234567890.okta.com]",
"null"
],
"allowedpaths": [
".*/saml_login"
],
"supportedmethods": [
"POST"
]
}
OSGi configurations per environment (config.publish.dev
, config.publish.stage
, and config.publish.prod
) can be defined with specific attributes if the alloworigin
and allowedpaths
varies between environments.
Configure AEM Dispatcher to allow SAML HTTP POSTs
After successful authentication to the IDP, the IDP will orchestrate an HTTP POST back to AEM鈥檚 registered /saml_login
end point (configured in the IDP). This HTTP POST to /saml_login
is blocked by default at Dispatcher, so it must be explicitly allowed using the following Dispatcher rule:
- Open
dispatcher/src/conf.dispatcher.d/filters/filters.any
in your IDE. - Add to the bottom of the file, an allow rule for HTTP POSTs to URLs that end with
/saml_login
.
...
# Allow SAML HTTP POST to ../saml_login end points
/0190 { /type "allow" /method "POST" /url "*/saml_login" }
If URL rewriting at the Apache webserver is configured (dispatcher/src/conf.d/rewrites/rewrite.rules
), ensure that requests to the .../saml_login
end points are not accidentally mangled.
How to enable Dynamic Group Membership for SAML Users in new environments
To significantly enhance group evaluation performance in new AEM as a Cloud Service environments, the activation of the Dynamic Group Membership feature is recommended in new environments.
This is also a necessary step when data synchronization is activated. More details here .
To do this, add the following property to the OSGI configuration file:
/apps/example/osgiconfig/config.publish/com.adobe.granite.auth.saml.SamlAuthenticationHandler~example.cfg.json
With this configuration, users and groups are created as . In AEM, external users and groups have a default rep:principalName
composed by [user name];[idp]
or [group name];[idp]
.
Remark that Access Control Lists (ACL) are associated with the PrincipalName of users or groups.
When deploying this configuration in an existing deployment where previously identitySyncType
was not specified or set to default
, new users and groups will be created and ACL must be applied to these new users and groups. Note that external groups cannot contain local users. can be used to create ACL for SAML External groups, even if they will be only created when the user will perform a login.
To avoid this refactoring on ACL, a standard migration feature has been implemented.
How memberships are stored in local and external groups with dynamic group membership
On local groups the group members are stored in the oak attribute: rep:members
. The attribute contains the list of uid of every member of the group. Additional details can be found .
Example:
{
"jcr:primaryType": "rep:Group",
"rep:principalName": "operators",
"rep:managedByIdp": "SAML",
"rep:members": [
"635afa1c-beeb-3262-83c4-38ea31e5549e",
"5e496093-feb6-37e9-a2a1-7c87b1cec4b0",
...
],
...
}
External groups with dynamic group membership do not store any member in the group entry.
The group membership is instead stored in the users entries. Additional documentation can be found . For example this is the OAK node for the group:
{
"jcr:primaryType": "rep:Group",
"jcr:mixinTypes": [
"rep:AccessControllable"
],
"jcr:createdBy": "",
"jcr:created": "Tue Jul 16 2024 08:58:47 GMT+0000",
"rep:principalName": "GROUP_1;aem-saml-idp-1",
"rep:lastSynced": "Tue Jul 16 2024 08:58:47 GMT+0000",
"jcr:uuid": "d9c6af8a-35c0-3064-899a-59af55455cd0",
"rep:externalId": "GROUP_1;aem-saml-idp-1",
"rep:authorizableId": "GROUP_1;aem-saml-idp-1"
}
This is the node for a user member of that group:
{
"jcr:primaryType": "rep:User",
"jcr:mixinTypes": [
"rep:AccessControllable"
],
"surname": "Test",
"rep:principalName": "testUser",
"rep:externalId": "test;aem-saml-idp-1",
"rep:authorizableId": "test",
"rep:externalPrincipalNames": [
"projects-users;aem-saml-idp-1",
"GROUP_2;aem-saml-idp-1",
"GROUP_1;aem-saml-idp-1",
"operators;aem-saml-idp-1"
],
...
}
Automatic migration to dynamic group membership for existing environments
When this migration is enabled, it is carried out during user authentication and consists of the following steps:
- The local user is migrated to an external user while maintaining the original username. This implies that migrated local users, now acting as external users, retain their original username instead of following the naming syntax mentioned in the previous section. One additional property will be added called:
rep:externalId
with the value of[user name];[idp]
. The userPrincipalName
is not modified. - For each external group received in the SAML Assertion, an external group is created. If a corresponding local group exists, the external group is added to the local group as a member.
- The user is added as member of the external group.
- The local user is then removed from all the Saml local groups he was member of. Saml local groups are identified by the OAK property:
rep:managedByIdp
. This property is set by the Saml Authentication handler when the attributesyncType
is not specified or set todefault
.
For instance, if before the migration user1
is a local user and a member of local group group1
, after the migration the following changes will occur:user1
becomes an external user. The attribute rep:externalId
is added to his profile.user1
becomes member of external group: group1;idp
user1
is no longer a direct member of local group: group1
group1;idp
is a member of the local group: group1
.user1
is then a member of the local group: group1
though inheritance
The group membership for external groups is stored in the user profile in the attribute rep:authorizableId
How to configure automatic migration to dynamic group membership
- Enable the property
"identitySyncType": "idp_dynamic_simplified_id"
in SAML OSGI configuration file:com.adobe.granite.auth.saml.SamlAuthenticationHandler~...cfg.json
: - Configure the new OSGI service with PID:
com.adobe.granite.auth.saml.migration.SamlDynamicGroupMembershipMigration~...
with the property:
{
"idpIdentifier": "<vaule of identitySyncType of saml configuration to be migrated>"
}
Deploying SAML configuration
The OSGi configurations must be committed to Git and deployed to AEM as a Cloud Service using Cloud Manager.
$ git remote -v
adobe https://git.cloudmanager.adobe.com/myOrg/myCloudManagerGit/ (fetch)
adobe https://git.cloudmanager.adobe.com/myOrg/myCloudManagerGit/ (push)
$ git add .
$ git commit -m "SAML 2.0 configurations"
$ git push adobe saml-auth:develop
Deploy the target Cloud Manager Git branch (in this example, develop
), using a Full Stack deployment pipeline.
Invoking the SAML authentication
The SAML authentication flow can be invoked from an AEM Site web page, by creating a specially crafted links, or a buttons. The parameters described below can be programmatically set as needed, so for instance, a log in button may set the saml_request_path
, which is where the user is taken upon successful SAML authentication, to different AEM pages, based on the context of the button.
Secured Caching while using SAML
On the AEM publish instance, most pages are typically cached. However, for SAML-protected paths, caching should either be disabled or secured caching enabled using the auth_checker configuration. For more information, please refer to the details provided here
Please be aware that if you cache protected paths without enabling the auth_checker, you may experience unpredictable behavior.
GET request
SAML authentication can be invoked by creating a HTTP GET request in the format:
HTTP GET /system/sling/login
and providing query parameters:
resource
path
property.saml_request_path
For example, this HTML link will trigger the SAML log in flow, and upon success take the user to /content/wknd/us/en/protected/page.html
. These query parameters can be programmaticaly set as needed.
<a href="/system/sling/login?resource=/content/wknd&saml_request_path=/content/wknd/us/en/protected/page.html">
Log in using SAML
</a>
POST request
SAML authentication can be invoked by creating a HTTP POST request in the format:
HTTP POST /system/sling/login
and providing the form data:
resource
path
property.saml_request_path
For example, this HTML button will use a HTTP POST to trigger the SAML log in flow, and upon success, take the user to /content/wknd/us/en/protected/page.html
. These form data parameters can be programmaticaly set as needed.
<form action="/system/sling/login" method="POST">
<input type="hidden" name="resource" value="/content/wknd">
<input type="hidden" name="saml_request_path" value="/content/wknd/us/en/protected/page.html">
<input type="submit" value="Log in using SAML">
</form>
Dispatcher configuration
Both the HTTP GET and POST methods require client access to AEM鈥檚 /system/sling/login
endpoints, and thus they must be allowed via AEM Dispatcher.
Allow the necessary URL patterns based on if GET or POST isused
# Allow GET-based SAML authentication invocation
/0191 { /type "allow" /method "GET" /url "/system/sling/login" /query "*" }
# Allow POST-based SAML authentication invocation
/0192 { /type "allow" /method "POST" /url "/system/sling/login" }