AEM SAML Authentication | Community

AEM SAML Authentication

  • March 28, 2024
  • 6 replies
  • 2941 views

Hi All,


We have configured SAML Authentication with Microsoft Azure. We are able to invoke the authentication when we are loading the page on browser for the pages checked as granite:AuthenticationRequired. But other than this we have login and logout buttons also.


1. How do we invoke SAML authentication on click of login ?

2. How do we invoke logout functionality on click of logout ?


6 replies

anupampat
Community Advisor
March 28, 2024

Hi @ayushag3 ,


1. For login you can configure the AEM login /libs/granite/core/content/login.html, then AEM should redirect to SAML via com.adobe.granite.auth.saml.SamlAuthenticationHandler, where you have different properties - read more https://experienceleague.adobe.com/en/docs/experience-manager-65/content/security/saml-2-0-authenticationhandler 

Example configuration

addGroupMemberships=B"true"
assertionConsumerServiceURL=""
clockTolerance=I"60"
createUser=B"true"
defaultGroups=[]
defaultRedirectUrl=""
digestMethod="http://www.w3.org/2001/04/xmlenc#sha256"
groupMembershipAttribute=""
handleLogout=B""
identitySyncType="default"
idpCertAlias=""
idpHttpRedirect=B"false"
idpIdentifier="IDPIdentifier"
idpUrl="https://login.microsoftonline.com/..."
keyStorePassword=""
logoutUrl=""
nameIdFormat=""
path=["/"]
service.ranking=I"5002"
serviceProviderEntityId=""
signatureMethod=""
spPrivateKeyAlias=""
storeSAMLResponse=B"false"
synchronizeAttributes=[""]
useEncryption=B"false"
userIDAttribute=""
userIntermediatePath=""

2. For logout you can call /system/sling/logout.html

AyushAg3 (Author)
Level 2
March 28, 2024

Hi @anupampat , I already tried both the approaches. For login I allowed the path in dispatcher and then when I hit the page I am getting the default AEM login screen and not the SAML Authentication screen. Not sure if I am missing something.


For logout, when I call /system/sling/logout.html, the session is not getting killed at the IDP end. It takes the user to login screen, but on refresh the session is again retrieved.

trc41594544
Level 3
March 28, 2024

I would recommend SAML with Azure for Authoring only as you have to mention path as "/" and entire authoring is generally protected. 


For live sites though, it is best to use the OAuth 2.0 Azure approach. The ideal approach is to have a Login component that shows a login button when Azure cookies are not present and a logout button when Azure cookies are present. You can also look at the login-token cookie. On clicking the Login button you can trigger the OAuth login, and for logout you should remove the login-token cookie and call the IDP for logout separately.


OAuth login is similar to the Twitter login that is present OOTB.

Sady_Rifat
Community Advisor
March 29, 2024

Hi @ayushag3 

To log out, you just need to provide the URL which will be provided by the IDP, and YES, this works for me. After hitting /system/sling/logout.html?resource=/content/aem-demo this will be done by AEM itself, where /content/aem-demo is the configuration "path" you provided in SamlAuthenticationHandler.

"logoutUrl": "http://localhost:8080/realms/aem-local/protocol/saml",

This will log out from AEM as well as from IDP.

Note: If you need a country- or project-based setup you can set the specific path. Otherwise, to make every page private, you just put path="/".

Adobe Employee
May 10, 2024

@ayushag3 did you implement this functionality? If yes, could you post here how you resolved this? I too have a similar requirement where on login page (publish tier) I need to give two options to the users

  1. Login with SAML SSO
  2. Login with form-based authentication (username and password)

1. On click of the SSO button, I tried POSTing as well as GETing the SAML IDP URL. In both cases, after the SAML assertion I get the following error:

HTTP 422
Unprocessable Entity
The server understands the media type of the request entity, but was unable to process the contained instructions. 

EDIT: This issue is resolved now. The reason for the 422 Unprocessable Entity was that I was pointing saml_assertionConsumerServiceURL to a URL that was not guarded by SAML SSO. This resulted in the default servlet (SlingPostServlet) being invoked, which did not know how to process the SAML response POSTed from the IDP. Changing assertionConsumerUrl to a SAML-SSO-guarded URL did the trick.

Adobe Employee
May 15, 2024

@ayushag3 regarding your question

1. How do we invoke SAML authentication on click of login ?


you need to do something similar to this:

<a href="/system/sling/login?resource=/content/some/sso/protected/path.html&saml_request_path=/content/wknd/PageToBeShownAfterLogin.html">Login with SSO</a>

The parameter resource ensures that SAML SSO is triggered, and the parameter saml_request_path redirects the user to the required page after a successful login.

Sady_Rifat
Community Advisor
May 16, 2024

Hello @madhugubby,
I tried to follow the same approach; I also got a similar way to do this from another thread. But in my case it's not working.


"path": "/content/my-project", "service.ranking": 5004, "idpUrl": "http://localhost:8080/idp/login?app=0sp2x000000XZEs", "idpCertAlias": "admin#1712131102739", "idpHttpRedirect": false, "serviceProviderEntityId": "abbviepro:hcp:saml20:sp", "assertionConsumerServiceURL": "http://localhost:4503/content/my-project/saml_login",


But I got the following error, where default-login is the auth-required page that triggers SAML.

What did I do wrong? Can you help me in this case?


Adobe Employee
May 16, 2024

@sady_rifat the "path" must be an array. Additionally, ensure that idpCertAlias is not bound to any user. We just need to create a trust store, upload the certificate, make a note of the cert alias name and activate the trust store to publish (/etc/truststore) via a package.
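The three configuration mistakes this thread runs into (path given as a string instead of an array, an assertionConsumerServiceURL outside the handler's protected path so the IdP's POST falls through to SlingPostServlet with HTTP 422, and a logout that ends only the AEM session because logoutUrl is empty) can be caught before deploying. The following is an added Python example, not code from any reply or from AEM: it parses the key=value form of the SamlAuthenticationHandler .config fragment quoted earlier in the thread and reports those findings; the sample values are constructed.

```python
import re
from urllib.parse import urlparse

# One entry of an OSGi .config fragment: key=B"bool", key=I"int", key="str" or key=["a","b"]
_ENTRY = re.compile(r'([\w.]+)=(?:([BI])?"([^"]*)"|\[([^\]]*)\])')

def parse_osgi_config(text):
    """Turn key=value tokens of a .config fragment into a dict with Python types."""
    cfg = {}
    for m in _ENTRY.finditer(text):
        key, typ, scalar, array = m.groups()
        if array is not None:                 # [] or ["/a","/b"] -> list of str
            cfg[key] = [v.strip().strip('"') for v in array.split(",") if v.strip()]
        elif typ == "B":                      # B"true" -> bool (B"" counts as false)
            cfg[key] = scalar.lower() == "true"
        elif typ == "I":                      # I"5002" -> int
            cfg[key] = int(scalar)
        else:                                 # plain "..." string
            cfg[key] = scalar
    return cfg

def check_saml_config(cfg):
    """Return findings for the failure modes seen in this thread; empty list means OK."""
    findings = []
    paths = cfg.get("path")
    if not isinstance(paths, list) or not paths:
        findings.append('path must be a non-empty array, e.g. ["/content/my-project"]')
        paths = []
    acs = cfg.get("assertionConsumerServiceURL") or ""
    acs_path = urlparse(acs).path
    if not acs:
        findings.append("assertionConsumerServiceURL is empty")
    elif paths and not any(acs_path == p or acs_path.startswith(p.rstrip("/") + "/")
                           for p in paths):
        # The IdP POSTs its SAMLResponse here; outside "path" it reaches SlingPostServlet (422)
        findings.append("assertionConsumerServiceURL %s is outside the protected path(s) %s "
                        "(expect HTTP 422 from SlingPostServlet)" % (acs_path, paths))
    if not cfg.get("idpCertAlias"):
        findings.append("idpCertAlias is empty: set the trust-store alias of the IdP signing cert")
    if cfg.get("handleLogout") and not cfg.get("logoutUrl"):
        findings.append("handleLogout is on but logoutUrl is empty: /system/sling/logout.html "
                        "ends the AEM session only, the IdP session survives")
    return findings

# Constructed sample: the thread's example config trimmed, with an ACS URL outside "path".
SAMPLE = ('path=["/content/my-project"] createUser=B"true" service.ranking=I"5002" '
          'idpCertAlias="idp-signing" handleLogout=B"true" logoutUrl="" '
          'assertionConsumerServiceURL="http://localhost:4503/content/public/saml_login"')
```

Running `check_saml_config(parse_osgi_config(SAMPLE))` reports the 422 and the logoutUrl findings for the constructed sample; a correct configuration returns an empty list.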

kautuk_sahni
Community Manager
May 16, 2024

@ayushag3 Did you find the suggestions from users helpful? Please let us know if more information is required. Otherwise, please mark the answer as correct for posterity. If you have found out solution yourself, please share it with the community.

Kautuk Sahni