AEM 6.2 - SAML Authentication

Level 2

Hi,

 

I'm trying to handle the SAML connection with AEM 6.2. I'm used to doing it with AEM 5.6.1, but things have changed in the way we have to manage certs and private keys.

In AEM 5.6.1, I used to put keys in /etc/key/saml and then /public (for my public .crt), /private (for my private .p8c) and /idp_cert for the IDP cert.

 

With AEM 6.2 (based on the 6.1 configuration here: http://www.aemstuff.com/blogs/july/saml.html), I have to put the IDP cert in the global truststore.

I also have to create an empty keystore if I don't use encryption for my queries.

But what should I do with my public .crt and private .p8c files? Was I doing it for nothing on AEM 5.6.1 if I don't use encryption?

 

If anyone can explain all this certs stuff that I thought I understood, I would be happy to read it :)
 

Regards,

Grégory

13 Replies

Level 10

We are looking within Adobe for a good response for you. We will be doing a GEMS session on this as well

https://docs.adobe.com/ddc/en/gems/saml-and-aem.html

Level 2

Thank you!

I would be pleased to follow it.

 

However, "More details will follow beginning of July 2016"; my customer will not wait that long, the expectation is 4th of July in production.
Do you have any draft document that could help me make my configuration?

Regards,

Grégory

Level 2

By the way, the official Adobe documentation mentions nodes in /etc/key/saml for AEM 6.2

https://docs.adobe.com/docs/en/aem/6-2/administer/security/saml-2-0-authenticationhandler.html

Is this a mistake? :(

 

I really don't get it since 6.2 :S

Level 10

/etc/key... is no longer required. The doc needs correction; the issue has been logged internally.

Level 2

smacdonald2008 wrote...

We are looking within Adobe for a good response for you. We will be doing a GEMS session on this as well

https://docs.adobe.com/ddc/en/gems/saml-and-aem.html

 

Hi,

Can I have a look at the recording of the live session? I missed it and I'm not able to find the recording on the page you gave.

 

Regards,

Grégory

Administrator

Gregory Paillard wrote...

smacdonald2008 wrote...

We are looking within Adobe for a good response for you. We will be doing a GEMS session on this as well

https://docs.adobe.com/ddc/en/gems/saml-and-aem.html

 

Hi,

Can I have a look at the recording of the live session? I missed it and I'm not able to find the recording on the page you gave.

 

Regards,

Grégory

 

Keep a watch on :- https://docs.adobe.com/content/ddc/en/gems.html

It will be updated soon.

~kautuk

Kautuk Sahni

Level 10

Registered for the session.

I hope to get a step by step tutorial on this subject, that I could try myself after the session.

Thanks,

Rama.

Level 10

Grégory,

  • IDP public key is mandatory (idp_cert)
  • If you are using encryption, then asymmetric cryptography, that is another pair of public & private keys, is required.
  • If you are not using encryption of attributes, it is not required. From your description it sounds like it was not required in your 5.6.1 setup.
  • In any case, assuming you are using encryption, you need to upload that SP pair of keys into your empty keystore
  • Feel free to make use of official support channels to meet your timelines.

Thanks,

Sham

Level 2

Sham HC wrote...

Grégory,

  • IDP public key is mandatory (idp_cert)
  • If you are using encryption, then asymmetric cryptography, that is another pair of public & private keys, is required.
  • If you are not using encryption of attributes, it is not required. From your description it sounds like it was not required in your 5.6.1 setup.
  • In any case, assuming you are using encryption, you need to upload that SP pair of keys into your empty keystore
  • Feel free to make use of official support channels to meet your timelines.

Thanks,

Sham

 


Ok, but a SAML request can be signed without being encrypted.

In 5.6.1, it seems to me that adding a public and private key allowed me to sign the request (meaning you have a signature block in the SAML token). But I never checked encryption; my SAML tokens were signed and login was working.

I assume the same for 6.2 and put my private/public key pair in the keystore. SAML request and response are signed.

 

For now I'm facing an issue with the server timezone because of the notBefore parameter. I'll tell you when it's fixed.

 

Regards,

Grégory

Level 10

Gregory Paillard wrote...

 

For now I'm facing an issue with the server timezone because of the notBefore parameter.

 

 

Configure the tolerance in the SAML authentication handler. Default is 2 seconds.
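An added example (not from the thread and not Adobe's handler code) of the check that the tolerance setting relaxes: it reads a constructed assertion's Conditions element and compares NotBefore/NotOnOrAfter, normalised to UTC, against the server clock with a configurable skew. The assertion XML, timestamps and function names are my own assumptions; a naive (zone-less) server time is rejected rather than silently compared, which is the class of mismatch a wrong server timezone produces.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion fragment, not a real token.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotBefore="2016-07-01T10:00:00Z"
                   NotOnOrAfter="2016-07-01T10:05:00Z"/>
</saml:Assertion>"""


def parse_saml_time(value):
    """SAML dateTime values are UTC ('Z'); return a timezone-aware datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        raise ValueError("SAML timestamp without a UTC designator: " + value)
    return dt.astimezone(timezone.utc)


def clock(y, m, d, h, mi, s, offset_hours=None):
    """Build a server clock reading; offset_hours=None yields a naive value
    (what a misconfigured server zone effectively hands you)."""
    if offset_hours is None:
        return datetime(y, m, d, h, mi, s)
    return datetime(y, m, d, h, mi, s, tzinfo=timezone(timedelta(hours=offset_hours)))


def check_conditions(xml_text, now, tolerance_seconds=2):
    """Return (ok, reason). `now` must be timezone-aware so a server in a
    non-UTC zone is compared correctly against the IdP's UTC timestamps."""
    if now.tzinfo is None:
        return False, "server clock is naive (no timezone); refusing to compare"
    now = now.astimezone(timezone.utc)
    cond = ET.fromstring(xml_text).find("saml:Conditions", SAML_NS)
    if cond is None:
        return False, "no Conditions element"
    skew = timedelta(seconds=tolerance_seconds)   # handler tolerance (default 2 s)
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now + skew < parse_saml_time(nb):
        return False, "not yet valid: NotBefore=%s now=%s" % (nb, now.isoformat())
    if noa and now - skew >= parse_saml_time(noa):
        return False, "expired: NotOnOrAfter=%s now=%s" % (noa, now.isoformat())
    return True, "within validity window"
```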

Level 2

Sham HC wrote...

Gregory Paillard wrote...

 

For now I'm facing an issue with the server timezone because of the notBefore parameter.

 

 

Configure the tolerance in the SAML authentication handler. Default is 2 seconds.

 


Fixed by changing the timezone of the AEM server :)

 

But now facing an "invalid signature" without any logs, really annoying...

Level 10

Gregory Paillard wrote...


 

But now facing an "invalid signature" without any logs,

 

If possible attach the HAR file (steps to generate a HAR file at https://help.tenderapp.com/kb/troubleshooting-your-tender-site/generating-an-har-file) and the public certificate you have uploaded. Otherwise engage through the official support channel.

Level 2

Sham HC wrote...

Gregory Paillard wrote...


 

But now facing an "invalid signature" without any logs,

 

If possible attach the HAR file (steps to generate a HAR file at https://help.tenderapp.com/kb/troubleshooting-your-tender-site/generating-an-har-file) and the public certificate you have uploaded. Otherwise engage through the official support channel.

 

Here you can download the HAR file and the ADFS public certificate (can't add a ZIP file on the forum): https://we.tl/TLIvWTjgvv

Many thanks for your help.

 

Grégory