
SOLVED

SAML 2 SSO questions


Level 6

Dear experts,

I'm following this tutorial to integrate SAML with AEM. After following all those steps, when I hit the URL http://10.141.21.140:4502, AEM redirects to "https://10.141.21.140:8443/idp/profile/SAML2/POST/SSO" and the error message "SAML 2 SSO profile is not configured for relying party http://10.141.21.140" is displayed in the browser, while error.log shows:

GET / HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator getAnonymousResolver: Anonymous access not allowed by configuration - requesting credentials

GET / HTTP/1.1] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.

I have a few basic doubts due to lack of knowledge :(

1. Do I need to set up the Service Provider (SP) separately first, or will the Tomcat instance be treated as both service provider and identity provider?

When I downloaded the IdP files then I see that $SAML_IDP_HOME/conf/relying-party.xml has the entry

<rp:RelyingParty id="www.blogsaml.com"
    provider="http://www.blogsaml.com"
    defaultSigningCredentialRef="IdPCredential" .......... </rp:RelyingParty>

Is http://www.blogsaml.com considered the Service Provider here?

2. One of the points is mentioned as

  • Add below meta data file at <SAML_IDP_HOME>/metadata/adobecq.xml

Which certificate is being referred to? Is it <SAML_IDP_HOME>/credentials/idp.crt or the certificate referred to by Tomcat?

Looking forward to your valuable help! Thank you

Sam


10 Replies


Level 10

1) It is a unique name known as an "entityID", used in SAML deployments by identity and service providers.

2) Inside the metadata file adobecq.xml the certificate is present; refer to the tag <X509Certificate>.


Level 6

Thanks Sham for your help again!

I was able to make it work, but I have 2 questions though.

1. It seems that there is a known bug with Logout. I found this thread. Do you have any hotfix available for this?

2. I observed that the LDAP user does not get assigned to the CRX group automatically unless I set groupMembership specifically to the word "group" in the Felix console and the attribute id to "group" in attribute_filter.xml for the LDAP user attribute businessCategory. I looked at the SamlAuthenticationHandler file but could not find any hardcoded value mentioned. Could you please tell me why only "group" is working? How is it related to the businessCategory attribute internally?

Thank you for your help

Sam


Level 10

Sam205505050 wrote...

Thanks Sham for your help again!

I was able to make it work, but I have 2 questions though.

1. It seems that there is a known bug with Logout. I found this thread. Do you have any hotfix available for this?

2. I observed that the LDAP user does not get assigned to the CRX group automatically unless I set groupMembership specifically to the word "group" in the Felix console and the attribute id to "group" in attribute_filter.xml for the LDAP user attribute businessCategory. I looked at the SamlAuthenticationHandler file but could not find any hardcoded value mentioned. Could you please tell me why only "group" is working? How is it related to the businessCategory attribute internally?

Thank you for your help

Sam


1. I would treat this as a missing feature rather than a bug; it comes under enhancement. Right now the workaround would be to use the expiry time of the IdP cookie to log out in a SAML SSO. There is no hotfix; file a Daycare ticket requesting a feature pack.

2. The published KB article just uses one attribute, businessCategory, and is for demo purposes. The attribute can be anything that actually stores group info and is not hardcoded; whatever you configure in groupMembership at http://localhost:4502/system/console/configMgr/com.adobe.granite.auth.saml.SamlAuthenticationHandler will be used. In your case it is "group" and in the KB article it is businessCategory. In real deployments each customer has their own attributes, hence it is configurable.


Employee

Hi Sam,

Not to hijack this thread, but would you mind posting the IDP you use? I was working on a project recently and found that Single Logout support was pretty inconsistent between IDPs. So even though AEM doesn't support it today, I'd be curious what you have been successful in using.

Feel free to private message me if the IDP name is proprietary (although I'm guessing that others in this forum would be interested too).

Regards,

Justin


Level 6

Sham HC wrote...

2. The published KB article just uses one attribute, businessCategory, and is for demo purposes. The attribute can be anything that actually stores group info and is not hardcoded; whatever you configure in groupMembership at http://localhost:4502/system/console/configMgr/com.adobe.granite.auth.saml.SamlAuthenticationHandler will be used. In your case it is "group" and in the KB article it is businessCategory. In real deployments each customer has their own attributes, hence it is configurable.

Thank you for the explanation. My doubt is: what significance does the word "group" have in relation to the businessCategory attribute in the LDAP user profile? When I changed the attribute id in attribute_filter.xml and groupMembership in the Felix console to "somegroup", the user does not get assigned to the group "administrators" automatically. I think there is a mapping between the businessCategory attribute and the word "group". Kindly correct me if I am wrong. If so, where can I read about this?


Level 10

justin_at_adobe wrote...

Not to hijack this thread, but would you mind posting the IDP you use? I was working on a project recently and found that Single Logout support was pretty inconsistent between IDPs. So even though AEM doesn't support it today, I'd be curious what you have been successful in using.

Locally I use Shibboleth. With logout you need to take care of 2 things: the expiry time of the IdP cookie, plus it should match the CQ token expiry.


Level 6

Sham HC wrote...

justin_at_adobe wrote...

Not to hijack this thread, but would you mind posting the IDP you use? I was working on a project recently and found that Single Logout support was pretty inconsistent between IDPs. So even though AEM doesn't support it today, I'd be curious what you have been successful in using.

Locally I use Shibboleth. With logout you need to take care of 2 things: the expiry time of the IdP cookie, plus it should match the CQ token expiry.

Thanks Sham for the explanation. How do I set the expiry time of the IdP cookie the same as the CQ token?


Employee

Hi Sham, thanks, but I was actually asking Sam :)

Support for Single Logout (SLO) seems highly variable between SAML IDPs. Shibboleth has only partial support (see note on https://wiki.shibboleth.net/confluence/display/SHIB2/SLOIssues).


Correct answer by
Level 10

Sam205505050 wrote...

Thank you for the explanation. My doubt is: what significance does the word "group" have in relation to the businessCategory attribute in the LDAP user profile? When I changed the attribute id in attribute_filter.xml and groupMembership in the Felix console to "somegroup", the user does not get assigned to the group "administrators" automatically. I think there is a mapping between the businessCategory attribute and the word "group". Kindly correct me if I am wrong. If so, where can I read about this?

You are confusing Shibboleth configuration with CQ. With the setting described above, what happened is that when SAML sent a response, the attribute "somegroup" did not carry the group value "administrators", and hence CQ did not assign it.

SAML does not send a group value because the definition of the attribute and LDAP is wrong. So you need to update attribute-resolver.xml also. Hope this clarifies your doubt.
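To make the mismatch in this answer (and in the earlier reply about the groupMembership setting) concrete, here is an added Python example, not AEM's or Shibboleth's code: it reads a constructed SAML assertion and returns the groups a service provider would assign for a given groupMembership attribute name. The assertion, the user "sam" and the group names are constructed; the point is that configuring "somegroup" while the IdP releases the attribute as "group" yields no groups at all.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (not a captured response): what an IdP such as
# Shibboleth would release once attribute-resolver.xml maps the LDAP
# businessCategory values to a SAML attribute named "group" and
# attribute-filter.xml permits it.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>sam</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="group">
      <saml:AttributeValue>administrators</saml:AttributeValue>
      <saml:AttributeValue>content-authors</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>sam@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def assertion_attributes(xml_text):
    """Map each SAML attribute Name to the list of its AttributeValue strings.

    For real responses use a hardened parser (e.g. defusedxml) and only
    read attributes after the signature has been validated.
    """
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = [v for v in values if v]
    return attrs


def groups_to_assign(xml_text, group_membership_attr):
    """Groups the SP would add the user to for a given groupMembership setting.

    Hypothetical re-implementation of the rule stated in the thread: only the
    attribute whose Name equals the configured value is consulted, so a
    setting of "somegroup" finds nothing when the IdP released "group".
    """
    return assertion_attributes(xml_text).get(group_membership_attr, [])


if __name__ == "__main__":
    print("groupMembership=group    ->", groups_to_assign(SAMPLE_ASSERTION, "group"))
    print("groupMembership=somegroup ->", groups_to_assign(SAMPLE_ASSERTION, "somegroup"))
```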


Level 10

justin_at_adobe wrote...

Hi Sham, thanks, but I was actually asking Sam :)

sorry..