SOLVED

AEM 6.4 SAML integration with SSO

pradeepd1320668 (Level 2)

Hello All,

I am integrating AEM with SSO authentication using SAML 2.0.

The ID provider has provided me the details below.

1. Certificate - I uploaded this in the TrustStore, noted the alias name and entered it in the SAML 2.0 authentication handler.

2. IDP endpoint URL - I added this in the SAML 2.0 authentication handler.

3. IDP metadata URL - Not sure where to use this.

After following the AEM recommended SAML integration steps/process, and making all necessary changes in the Apache Sling referrer filter, when I open AEM pages they are still not redirecting to the SSO login page. I tried opening the AEM page after clearing browser history and also in Chrome incognito mode.

Do I need to do anything in the KeyStore section for the authentication-service user? I only set the KeyStore password. The ID provider didn't share anything related to the KeyStore.

I am doing all this in my local author instance.

Please share the links/steps if anyone has solved a similar problem.

Thanks,

Pradeep

1 Accepted Solution

Correct answer by Sandeep6 (Level 5)

15 Replies

pradeepd1320668 (Level 2)
I am still facing the issue. If anyone has done the SAML integration successfully, please share the steps or any document link.
Ankur_Khare (Community Advisor)

Hi,

The metadata would be used to create the certificates.

For SAML to work properly, you need to update the Sling auth config with the relevant filters for where SAML should be called.

Ankur_Khare (Community Advisor)

Recently I did the SAML integration:

1. You need to get the endpoints and update the same in the SAML config.

2. You need to get the certificate from the team (in our case it was OpenAM).

3. The certificate which you received needs to be uploaded in the TrustStore; get the unique ID and update the same in the IDP certificate alias.

4. Update the IDP URL.

5. Update the service provider entity ID.

[screenshot: Ankur_Khare_0-1606387794086.png]

Once the above is completed:

Check the Sling auth config where you want to trigger the SAML config:

[screenshot: Ankur_Khare_1-1606388056165.png]

Update the authentication requirements config.

Also update the Sling referrer filter to allow your SSO domain:

[screenshot: Ankur_Khare_2-1606388151605.png]

Create the KeyStore for the authentication service user.

Then it should work.

pradeepd1320668 (Level 2)

Yes, it is working after adding an entry to 'Sling Authentication Service'. The only issue is that my page is redirecting to the same page infinitely.
Ankur_Khare (Community Advisor)

Now do one thing: try deleting the KeyStore and recreating it. It will work.
Ankur_Khare (Community Advisor)

Also recreate the TrustStore and update the same in the SAML config.
pradeepd1320668 (Level 2)

There is nothing in the KeyStore; only a password was set. Now I have reset the password, deleted the TrustStore certificate and uploaded it again. The page is still redirecting infinitely to the same page. I took the new certificate alias and configured it in the SAML auth handler. Still no luck.

Ankur_Khare (Community Advisor)

Go to the authentication service user node in CRXDE and delete the KeyStore, and also make sure the certificate alias is correct.
pradeepd1320668 (Level 2)

Deleted the keystore folder under the authentication-service user and saved. Still the same issue.
Ankur_Khare (Community Advisor)

Have you updated the KeyStore password in the SAML config?
pradeepd1320668 (Level 2)

In the SAML debug log I am getting the error below:

com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
Ankur_Khare (Community Advisor)

Invalid Assertion: 1 2 com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: Signature invalid.
com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request

The issue could be with the certificate stored in the TrustStore. The solution here could be to delete and re-upload the new idp_cert and check the use case. If you are not encrypting the SAML response, you can ignore the "Private key of SP not provided: Cannot sign Authn request" error.