Level 2

AEM SAML Authentication

Forum|Forum|1 year ago
March 28, 2024
6 replies
2929 views

Hi All,

We have configured SAML Authentication with Microsoft Azure. We are able to invoke the authentication when we are loading the page on browser for the pages checked as granite:AuthenticationRequired. But other than this we have login and logout buttons also.

1. How do we invoke SAML authentication on click of login ?

2. How do we invoke logout functionality on click of logout ?

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.

anupampat

Community Advisor

Hi @ayushag3 ,

1. For login you can configure the AEM login /libs/granite/core/content/login.html, then AEM should redirect to SAML via com.adobe.granite.auth.saml.SamlAuthenticationHandler, where you have different properties - read more https://experienceleague.adobe.com/en/docs/experience-manager-65/content/security/saml-2-0-authenticationhandler

Example configuration

addGroupMemberships=B"true"
assertionConsumerServiceURL=""
clockTolerance=I"60"
createUser=B"true"
defaultGroups=[]
defaultRedirectUrl=""
digestMethod="http://www.w3.org/2001/04/xmlenc#sha256"
groupMembershipAttribute=""
handleLogout=B""
identitySyncType="default"
idpCertAlias=""
idpHttpRedirect=B"false"
idpIdentifier="IDPIdentifier"
idpUrl="https://login.microsoftonline.com/..."
keyStorePassword=""
logoutUrl=""
nameIdFormat=""
path=["/"]
service.ranking=I"5002"
serviceProviderEntityId=""
signatureMethod=""
spPrivateKeyAlias=""
storeSAMLResponse=B"false"
synchronizeAttributes=[""]
useEncryption=B"false"
userIDAttribute=""
userIntermediatePath=""

2. For logout you can call /system/sling/logout.html

A

AyushAg3Author

Level 2

Hi @anupampat , I already tried both the approaches. For login I allowed the path in dispatcher and then when I hit the page I am getting the default AEM login screen and not the SAML Authentication screen. Not sure if I am missing something.

For logout, when I call /system/sling/logout.html, the session is not getting killed at the IDP end. It takes the user to login screen, but on refresh the session is again retrieved.

trc41594544

Level 3

I would recommend SAML with Azure for Authoring only as you have to mention path as "/" and entire authoring is generally protected.

For live sites though, it is best to use OAUTH 2.0 Azure approach. Ideal approach is to have Login component to show login button when Azure cookies are not present and logout when Azure cookies are present. You can also look at login-token cookie. Clicking on Login button, you can trigger the Oauth login and for logout you should remove login-token cookie and call IDP for logout separately.

OAuth login is similar to how Twitter login that is present OOTB.

A

AlbinIs1

Community Advisor

I assume you are referring to enabling the login for the publisher (live sites). Please refer to the post below for more details.

Enable User Authentication for AEM Websites — Azure AD B2C | SAML Application with Azure AD B2C | by Albin Issac | Tech Learnings | Medium

Enable User Authentication for AEM Websites — Azure AD B2C OAuth 2.0 | by Albin Issac | Tech Learnings | Medium

Regards

Albin

https://www.albinsblog.com

Albin Issac – Medium

Sady_Rifat

Community Advisor

Hi @ayushag3

To log out, you just need to provide the URL which will be provided by IDP, and YES this works for me. After hitting the /system/sling/logout.html?resource=/content/aem-demo this will be done by AEM itself. Where the /content/aem-demo is the configuration "path" you provided in SamlAuthenticationHandler.

"logoutUrl": "http://localhost:8080/realms/aem-local/protocol/saml",

This will log out from AEM as well as from IDP.

Note: If you need a country or project-based setup you can set the specific path. Otherwise for each page make private you just put path="/"

M

MadhuGubby

Adobe Employee

@ayushag3 did you implement this functionality? If yes, could you post here how you resolved this? I too have a similar requirement where on login page (publish tier) I need to give two options to the users

- login with SAML - SSO
- login with form based authentication (username and password)

1 On click of SSO button, I tried POSTing as well as GETing SAML IDP URL. In both cases, after the SAML assertion I get the following errror:

HTTP 422
Unprocessable Entity
The server understands the media type of the request entity, but was unable to process the contained instructions.

EDIT: This issue is resolved now. The reason for 422-Unprocessable Entity was that I was pointing saml_assertionConsumerServiceURL to a non SAML SSO gaurded URL. This resulted in the default servlet (SlingPostServlet) invocation which did not know how to process the SAML response POSTed from the IDP. Changing assertionConsumerUrl to a SAML SSO guarded URL did the trick.

M

MadhuGubby

Adobe Employee

@ayushag3 regarding your question

1. How do we invoke SAML authentication on click of login ?

you need to do something similar to this:

<a href="/system/sling/login?resource=/content/some/sso/protected/path.html&saml_request_path=/content/wknd/PageToBeShownAfterLogin.html">Login with SSO</a>

The parameter resource ensures that SAML SSO is triggered and the parameter saml_request_path redirects the user to the required page after successful login

Sady_Rifat

Community Advisor

Hello @madhugubby ,
I tried to follow the same approach hench I also got a similar way to do this from other thread. But in my case it's not working,

  "path": "/content/my-project",
  "service.ranking": 5004,
  "idpUrl": "http://localhost:8080/idp/login?app=0sp2x000000XZEs",
  "idpCertAlias": "admin#1712131102739",
  "idpHttpRedirect": false,
  "serviceProviderEntityId": "abbviepro:hcp:saml20:sp",
  "assertionConsumerServiceURL": "http://localhost:4503/content/my-project/saml_login",

but I got the following error, where default-login is auth required page for SAML trigger.

What did I wrong? can you help me in this case?

M

MadhuGubby

Adobe Employee

@sady_rifat the "path" must be an array. Additionally ensure that idpCertAlias is not bound to any user. We just need to create a trust store, upload the certificate, make a note of the cert alias name and activate the trust store to publish (/etc/truststore) via a package

kautuk_sahni

Community Manager

@ayushag3 Did you find the suggestions from users helpful? Please let us know if more information is required. Otherwise, please mark the answer as correct for posterity. If you have found out solution yourself, please share it with the community.

Kautuk Sahni

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded