Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
SOLVED

How to send the SAMLAssertion in AEM 6.1

Avatar

Level 4

Hi 

The scenario is when user hit the AEM author URL then it should redirect to SecureAuth (idp) url with SAMLAssertion information. Basically in SAMLAssertion we want to send the userid in encrypted format. The SecureAuth team will read the SAMLAssertion, get the userid and authenticate the user and send back the SAMLResponse after authentication. Now, at AEM end we need to check if user is authenticated then redirect on AEM dashboard page as well. we are using AEM 6.1.

Any idea to achieve the above scenario?

Thanks

~S

1 Accepted Solution

Avatar

Correct answer by
Employee Advisor

Hi,

there is documentation available how you should use the ootb saml functionality [1]. See also the documentation on for 6.1 [2].

kind regards,
Jörg

 

[1] https://helpx.adobe.com/experience-manager/kb/saml-demo.html, it's using Shibboleth and OpenLDAP for demo. If you have already a system offering SAML support, you can concentrate on the AEM part only.

[2] https://docs.adobe.com/docs/en/aem/6-1/administer/security/saml-2-0-authenticationhandler.html

View solution in original post

3 Replies

Avatar

Level 4

Hi

Any idea or suggestion?

 

Thanks

~S

Avatar

Level 10

I sent this question to some of our AEM consultants - they replied: 

Baseline: user is not logged into anything, and AEM Author OOTB SAML auth handler is configured.

  1. User requests the URL to AEM Dashboard http://author.company.com/some/url.html
  2. AEM recognizes the user (anonymous) does not have access to “/some/url” and invokes the OOTB Login Selector, which in terms sends the request down the Auth Handler stack invoking the requestCredentials(..) method.
  3. The OOTB SAML Authentication Handler’s requestCredentials(..) will process this “requestCredentials”
    1. OOTB SAML Authentication handler will save the requested URL to a cookie (saml_request_path) for later use
    2. OOTB SAML Authentication handler will redirect the user to the IDP
  4. User enters their credentials in the IDP (note that AEM Is the Service Provider, not the Identity Provider)
  5. IDP will authenticate credentials, if successful
  6. IDP will send a HTML page back to AEM that makes the users browser perform a HTTP POST to http://author.company.com/saml_login with the SAML Assertion
  7. AEM’s OOTB SAML Authentication Handler handles this POST via its extractCredentails(..) method, logs the user in and issue the request a valid login-token cookie
  8. AEM then looks at the saml_request_path cookie (see above) and redirects to that path (in this case http://author.company.com/some/url.html)
  9. The user is logged into AEM (via login-token) and can see the dashboard

You shouldn’t need any code for this — its OOTB SAML Configuration (OSGi Config).

Avatar

Correct answer by
Employee Advisor

Hi,

there is documentation available how you should use the ootb saml functionality [1]. See also the documentation on for 6.1 [2].

kind regards,
Jörg

 

[1] https://helpx.adobe.com/experience-manager/kb/saml-demo.html, it's using Shibboleth and OpenLDAP for demo. If you have already a system offering SAML support, you can concentrate on the AEM part only.

[2] https://docs.adobe.com/docs/en/aem/6-1/administer/security/saml-2-0-authenticationhandler.html