Hi,
I'm trying to handle a SAML connection with AEM 6.2. I'm used to doing it with AEM 5.6.1, but things have changed in the way we have to manage certs and the private key.
In AEM 5.6.1, I used to put keys in /etc/key/saml and then /public (for my public .crt), /private (for my private .p8c) and /idp_cert for the IDP cert.
With AEM 6.2 (based on the 6.1 configuration here: http://www.aemstuff.com/blogs/july/saml.html), I have to put the IDP cert in the global truststore.
I also have to create an empty keystore if I don't use encryption for my queries.
But what should I do with my public .crt and private .p8c files? Was I doing it for nothing on AEM 5.6.1 if I don't use encryption?
If anyone can explain all this certs stuff that I thought I understood, I would be happy to read it :)
Regards,
Grégory
We are looking within Adobe for a good response for you. We will be doing a GEMS session on this as well
https://docs.adobe.com/ddc/en/gems/saml-and-aem.html
Thank you!
I would be pleased to follow it.
However, "More details will follow beginning of July 2016"; my customer will not wait that long, the expectation is the 4th of July in production.
Do you have any draft document that could help me make my configuration?
Regards,
Grégory
By the way, the official Adobe documentation mentions nodes in /etc/key/saml for AEM 6.2:
https://docs.adobe.com/docs/en/aem/6-2/administer/security/saml-2-0-authenticationhandler.html
Is this a mistake? :(
I really don't get it since 6.2 :S
/etc/key... is no longer required; the doc needs correction. The issue has been logged internally.
smacdonald2008 wrote...
We are looking within Adobe for a good response for you. We will be doing a GEMS session on this as well
https://docs.adobe.com/ddc/en/gems/saml-and-aem.html
Hi,
Can I have a look at the recording of the live session? I missed it and I'm not able to find the recording on the page you gave.
Regards,
Grégory
Gregory Paillard wrote...
smacdonald2008 wrote...
We are looking within Adobe for a good response for you. We will be doing a GEMS session on this as well
https://docs.adobe.com/ddc/en/gems/saml-and-aem.html
Hi,
Can I have a look at the recording of the live session? I missed it and I'm not able to find the recording on the page you gave.
Regards,
Grégory
Keep a watch on: https://docs.adobe.com/content/ddc/en/gems.html
It will be updated soon.
~kautuk
Registered for the session.
I hope to get a step-by-step tutorial on this subject that I can try myself after the session.
Thanks,
Rama.
Grégory,
IDP public key is mandatory (idp_cert).
If you are using encryption then asymmetric cryptography, that is, another pair of public & private keys, is required.
If you are not using encryption of attributes it is not required. From your description it sounds like it was not required in your 5.6.1 setup.
In any case, assuming you are using encryption, you need to upload that SP pair of keys into your empty keystore.
Feel free to make use of official support channels to meet your timelines.
Thanks,
Sham
Sham HC wrote...
Grégory,
IDP public key is mandatory (idp_cert).
If you are using encryption then asymmetric cryptography, that is, another pair of public & private keys, is required.
If you are not using encryption of attributes it is not required. From your description it sounds like it was not required in your 5.6.1 setup.
In any case, assuming you are using encryption, you need to upload that SP pair of keys into your empty keystore.
Feel free to make use of official support channels to meet your timelines.
Thanks,
Sham
Ok, but a SAML request can be signed without being encrypted.
In 5.6.1, it seems to me that adding a public and private key allowed me to sign the request (meaning you have a signature block in the SAML token). But I never checked encryption; my SAML tokens were signed and login was working.
I assume the same for 6.2 and put my private/public key pair in the keystore. SAML request and response are signed.
For now I'm facing an issue with the server timezone because of the notBefore parameter. I'll tell you when it's fixed.
Regards,
Grégory
Gregory Paillard wrote...
For now I'm facing an issue with the server timezone because of the notBefore parameter.
Configure the tolerance in the SAML authentication handler. Default is 2 seconds.
Sham HC wrote...
Gregory Paillard wrote...
For now I'm facing an issue with the server timezone because of the notBefore parameter.
Configure the tolerance in the SAML authentication handler. Default is 2 seconds.
Fixed by changing the timezone of the AEM server :)
But now I'm facing an "invalid signature" without any logs, really annoying...
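As an added example, not code from this thread or from AEM itself, the following Python snippet makes two points from the replies above concrete: a signed assertion and an encrypted assertion are independent things (which is why the SP key pair only becomes mandatory for encryption), and the NotBefore/NotOnOrAfter check has to compare UTC instants with a clock-skew tolerance such as the 2-second default mentioned above. The two SAML responses, the issuer URL and the function names are constructed for the illustration.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # for real responses prefer defusedxml

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: an assertion that is signed but NOT encrypted (the
# 5.6.1 situation described in the thread). The signature value is a placeholder.
SIGNED_UNENCRYPTED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-07-04T10:00:00Z">
    <saml:Issuer>http://idp.example.test/adfs/services/trust</saml:Issuer>
    <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Conditions NotBefore="2016-07-04T10:00:00Z" NotOnOrAfter="2016-07-04T10:05:00Z"/>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: an encrypted assertion; only the SP's private key
# (the one uploaded into the keystore) could reveal what is inside.
ENCRYPTED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">
  <saml:EncryptedAssertion><xenc:EncryptedData
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/></saml:EncryptedAssertion>
</samlp:Response>"""

def describe(xml_text):
    """Report whether the response carries a signature and/or an encrypted assertion."""
    root = ET.fromstring(xml_text)
    signed = (root.find("ds:Signature", NS) is not None
              or root.find(".//saml:Assertion/ds:Signature", NS) is not None)
    encrypted = root.find("saml:EncryptedAssertion", NS) is not None
    return {"signed": signed, "encrypted": encrypted}

def parse_instant(value):
    # SAML instants are UTC ('Z' suffix); parse them as UTC no matter what the
    # server's local time zone is, which is the trap behind the NotBefore issue.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def conditions_ok(xml_text, now, tolerance_seconds=2):
    """Validity-window check with clock-skew tolerance (2 s matches the default above)."""
    cond = ET.fromstring(xml_text).find(".//saml:Conditions", NS)
    skew = timedelta(seconds=tolerance_seconds)
    not_before = parse_instant(cond.get("NotBefore"))
    not_on_or_after = parse_instant(cond.get("NotOnOrAfter"))
    return (now + skew) >= not_before and (now - skew) < not_on_or_after
```

Note that the tolerance widens the window at both ends, so a server whose clock is a second behind the IDP still accepts a freshly issued assertion, while a mis-set time zone (hours off) still fails and is the thing to fix.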
Gregory Paillard wrote...
But now facing an "invalid signature" without any logs,
If possible, attach the HAR file (steps to generate a HAR file at https://help.tenderapp.com/kb/troubleshooting-your-tender-site/generating-an-har-file) and the public certificate you have uploaded. Otherwise engage through official support channels.
Sham HC wrote...
Gregory Paillard wrote...
But now facing an "invalid signature" without any logs,
If possible, attach the HAR file (steps to generate a HAR file at https://help.tenderapp.com/kb/troubleshooting-your-tender-site/generating-an-har-file) and the public certificate you have uploaded. Otherwise engage through official support channels.
Here you can download the HAR file and the ADFS public certificate (can't add a ZIP file on the forum): https://we.tl/TLIvWTjgvv
Many thanks for your help.
Grégory