
How to configure SAML and get the certificate alias; how to script the certificate upload to the truststore job.


Level 1

Hi

I'm working on AEM 6.1 SP1. I'm dealing with two issues: first, I'm not able to get the SP Private Key Alias; second, I'm not able to script the steps of the SAML configuration. Description below.

I've uploaded the IdP certificate, and also my certificate and private key, to /etc/key/saml as binaries. But it turns out that when I go to the Adobe Granite SAML 2.0 Authentication Handler configuration, it requires two certificate aliases from me.

It turns out that I have to upload it through the truststore at /libs/granite/security/content/useradmin.html to get an alias.

So I'm uploading the idp.pem and I receive an alias - that's OK, but as it is written in the SAML Handler configuration I need an "SP Private Key Alias" - but none of the files that I generated, either SP-server.pem or SP-server.PKCS8.key, give me an alias. Only when I upload the SP-server.crt do I receive an alias. So at this moment I'm not sure if it's correct or not. Where do I get the "SP Private Key Alias"?


The second thing, which is even more important, is that I'm not able to do manual steps on the production environment, but I can deliver content packages or scripts to be run - and here is the problem: how do I configure the above steps using scripts? Or what part of the JCR do I have to pack to provide the truststore with certificates? Of course the Adobe Granite SAML 2.0 Authentication Handler configuration is not a problem to upload.


Below is how I generate the keys and certificates.

# generate the private key
openssl genrsa -out SP-server.pem 1024

# certificate signing request
openssl req -new -key SP-server.pem -out SP-server.csr

# generate the self-signed certificate
openssl x509 -req -days 365 -in SP-server.csr -signkey SP-server.pem -out SP-server.crt

# convert the PEM private key to an unencrypted PKCS#8 DER file
openssl pkcs8 -topk8 -inform PEM -outform DER -in SP-server.pem -nocrypt > SP-server.PKCS8.key


So after running those commands I get:

SP-server.pem

SP-server.csr

SP-server.crt

SP-server.PKCS8.key

And idp.pem, which I get from the IdP.
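Added example, not part of the original post: the four openssl commands above as one repeatable script, which also emits the DER-encoded certificate that is paired with the PKCS#8 key on key store import and checks that the generated key and certificate actually belong together. It goes slightly beyond the post by using a 2048-bit key; the output directory, the subject and the key size are constructed choices, and openssl on PATH is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): generate SAML SP key material the way the
# question does, as a function that can be run by a deployment script instead of
# by hand. Assumptions: openssl is on PATH; directory, subject and the 2048-bit
# key size are values chosen here, not taken from the original post.
set -e

gen_sp_material() {
    dir="$1"
    subj="$2"   # constructed sample, e.g. "/CN=sp.example.com"
    mkdir -p "$dir"
    # 1. RSA private key in PEM (the post used 1024 bits; 2048 is the usual floor today).
    openssl genrsa -out "$dir/SP-server.pem" 2048 2>/dev/null
    # 2. Certificate signing request, non-interactive thanks to -subj.
    openssl req -new -key "$dir/SP-server.pem" -subj "$subj" -out "$dir/SP-server.csr"
    # 3. Self-signed certificate, 365 days as in the post.
    openssl x509 -req -days 365 -in "$dir/SP-server.csr" \
        -signkey "$dir/SP-server.pem" -out "$dir/SP-server.crt" 2>/dev/null
    # 4. Unencrypted PKCS#8 DER private key, the format the key store import expects.
    openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt \
        -in "$dir/SP-server.pem" -out "$dir/SP-server.PKCS8.key"
    # 5. DER-encoded certificate to hand over together with the private key.
    openssl x509 -in "$dir/SP-server.crt" -outform DER -out "$dir/SP-server.der"
}

# Returns 0 only when the public key embedded in the certificate is the one that
# belongs to the PKCS#8 key that will be imported; catches mixed-up files early.
verify_sp_material() {
    dir="$1"
    k=$(openssl pkey -inform DER -in "$dir/SP-server.PKCS8.key" -pubout -outform DER | openssl sha256)
    c=$(openssl x509 -inform DER -in "$dir/SP-server.der" -pubkey -noout \
        | openssl pkey -pubin -outform DER | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

if [ "${1:-}" = "run" ]; then
    gen_sp_material ./saml-sp "/CN=sp.example.com"
    verify_sp_material ./saml-sp && echo "private key and certificate match"
fi
```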

4 Replies


Level 10

The AEM docs on SAML do not go into this level of detail. Here is a GEMS session on SAML that may be helpful:

https://docs.adobe.com/ddc/en/gems/saml-and-aem.html

I hope this helps.


Level 1

Just for other users who will search for this info:

"Storing SP certificates and private key in the repository under the paths /etc/key/saml/[public|idp_cert|private] is no longer supported since the release com.adobe.granite.auth.saml-0.3.26 (DOC-8250, DOC-5509)"

Still didn't figure out how to script the truststore steps.


Level 1

Did you ever resolve this? I have the same issue where I do not have access to /libs/granite/security/content/useradmin.html in our production and staging environments.


Level 1

This is so frustrating. Why does AEM make everything so hard!!