Expand my Community achievements bar.

AEM SAML Authentication

Avatar

Level 2

Hi All,

 

We have configured SAML Authentication with Microsoft Azure. We are able to invoke the authentication when we are loading the page on browser for the pages checked as granite:AuthenticationRequired. But other than this we have login and logout buttons also.

 

1. How do we invoke SAML authentication on click of login ?

2. How do we invoke logout functionality on click of logout ?

11 Replies

Avatar

Level 6

Hi @ayush_aem ,

 

1. For login you can configure the AEM login /libs/granite/core/content/login.html, then AEM should redirect to SAML via com.adobe.granite.auth.saml.SamlAuthenticationHandler, where you have different properties - read more https://experienceleague.adobe.com/en/docs/experience-manager-65/content/security/saml-2-0-authentic... 

Example configuration

addGroupMemberships=B"true"
assertionConsumerServiceURL=""
clockTolerance=I"60"
createUser=B"true"
defaultGroups=[]
defaultRedirectUrl=""
digestMethod="http://www.w3.org/2001/04/xmlenc#sha256"
groupMembershipAttribute=""
handleLogout=B""
identitySyncType="default"
idpCertAlias=""
idpHttpRedirect=B"false"
idpIdentifier="IDPIdentifier"
idpUrl="https://login.microsoftonline.com/..."
keyStorePassword=""
logoutUrl=""
nameIdFormat=""
path=["/"]
service.ranking=I"5002"
serviceProviderEntityId=""
signatureMethod=""
spPrivateKeyAlias=""
storeSAMLResponse=B"false"
synchronizeAttributes=[""]
useEncryption=B"false"
userIDAttribute=""
userIntermediatePath=""

2. For logout you can call /system/sling/logout.html

Avatar

Level 2

Hi @anupampat , I already tried both the approaches. For login I allowed the path in dispatcher and then when I hit the page I am getting the default AEM login screen and not the SAML Authentication screen. Not sure if I am missing something.

 

For logout, when I call /system/sling/logout.html, the session is not getting killed at the IDP end. It takes the user to login screen, but on refresh the session is again retrieved.

Avatar

Level 4

I would recommend SAML with Azure for Authoring only as you have to mention path as "/" and entire authoring is generally protected. 

 

For live sites though, it is best to use OAUTH 2.0 Azure approach. Ideal approach is to have Login component to show login button when Azure cookies are not present and logout when Azure cookies are present. You can also look at login-token cookie. Clicking on Login button, you can trigger the Oauth login and for logout you should remove login-token cookie and call IDP for logout separately. 

 

OAuth login is similar to how Twitter login that is present OOTB. 

Avatar

Community Advisor

Hi @ayush_aem 

To log out, you just need to provide the URL which will be provided by IDP, and YES this works for me. After hitting the /system/sling/logout.html?resource=/content/aem-demo this will be done by AEM itself. Where the /content/aem-demo is the configuration "path" you provided in SamlAuthenticationHandler.

"logoutUrl": "http://localhost:8080/realms/aem-local/protocol/saml",

This will log out from AEM as well as from IDP.

Note: If you need a country or project-based setup you can set the specific path. Otherwise for each page make private you just put path="/"

Avatar

Employee

@ayush_aem did you implement this functionality? If yes, could you post here how you resolved this? I too have a similar requirement where on login page (publish tier) I need to give two options to the users

  1. - login with SAML - SSO
  2. - login with form based authentication (username and password)

1 On click of SSO button, I tried POSTing as well as GETing SAML IDP URL. In both cases, after the SAML assertion I get the following errror:

HTTP 422
Unprocessable Entity
The server understands the media type of the request entity, but was unable to process the contained instructions. 

EDIT: This issue is resolved now. The reason for 422-Unprocessable Entity was that I was pointing saml_assertionConsumerServiceURL to a non SAML SSO gaurded URL. This resulted in the default servlet (SlingPostServlet) invocation which did not know how to process the SAML response POSTed from the IDP. Changing assertionConsumerUrl to a SAML SSO guarded URL did the trick.

Avatar

Employee

@ayush_aem  regarding your question

1. How do we invoke SAML authentication on click of login ?

 

you need to do something similar to this:

<a href="/system/sling/login?resource=/content/some/sso/protected/path.html&saml_request_path=/content/wknd/PageToBeShownAfterLogin.html">Login with SSO</a>

 The parameter resource ensures that SAML SSO is triggered and the parameter saml_request_path redirects the user to the required page after successful login

Avatar

Community Advisor

Hello @MadhuGubby ,
I tried to follow the same approach hench I also got a similar way to do this from other thread. But in my case it's not working,

 

  "path": "/content/my-project",
  "service.ranking": 5004,
  "idpUrl": "http://localhost:8080/idp/login?app=0sp2x000000XZEs",
  "idpCertAlias": "admin#1712131102739",
  "idpHttpRedirect": false,
  "serviceProviderEntityId": "abbviepro:hcp:saml20:sp",
  "assertionConsumerServiceURL": "http://localhost:4503/content/my-project/saml_login",

 

but I got the following error, where default-login is auth required page for SAML trigger. 

Sady_Rifat_0-1715851757039.png

What did I wrong? can you help me in this case?

 

Avatar

Employee

@Sady_Rifat  the "path" must be an array.  Additionally ensure that idpCertAlias is not bound to any user. We just need to create a trust store, upload the certificate, make a note of the cert alias name and activate the trust store to publish  (/etc/truststore) via a package

Avatar

Community Advisor

In OSGI the path perfectly set as an array.

When I hit directly http://localhost:4503/content/my-project/de/de/default-login.html it redirect to me IDP and other users journeys are working fine as expected.
My only problem is only related to login button. I cannot trigger SAML by click on login button.
Note: The logout functionality is working fine in my case (IDP + SP).

Avatar

Administrator

@ayush_aem Did you find the suggestions from users helpful? Please let us know if more information is required. Otherwise, please mark the answer as correct for posterity. If you have found out solution yourself, please share it with the community.



Kautuk Sahni