Dear experts,
I'm following this tutorial to integrate SAML with AEM. After following all those steps, when I hit the URL http://10.141.21.140:4502, AEM redirects to "https://10.141.21.140:8443/idp/profile/SAML2/POST/SSO", the error message "SAML 2 SSO profile is not configured for relying party http://10.141.21.140" is displayed in the browser, and error.log shows -
GET / HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator getAnonymousResolver: Anonymous access not allowed by configuration - requesting credentials
GET / HTTP/1.1] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
I have a few basic doubts due to lack of knowledge :(
1. Do I need to set up the Service Provider (SP) separately first, or will the Tomcat instance be treated as both service provider and identity provider?
When I downloaded the IdP files, I saw that $SAML_IDP_HOME/conf/relying-party.xml has the entry
<rp:RelyingParty id="www.blogsaml.com"
provider="http://www.blogsaml.com"
defaultSigningCredentialRef="IdPCredential" .......... </rp:RelyingParty>
Is http://www.blogsaml.com considered the Service Provider here?
2. One of the points is mentioned as
Which certificate is referred to? Is it <SAML_IDP_HOME>/credentials/idp.crt or the certificate referred to by Tomcat?
Looking forward to your valuable help! Thank you
Sam
1) It is a unique name known as an "entityID", used in SAML deployments by identity and service providers.
2) Inside the metadata file adobecq.xml the certificate is present; refer to the tag <X509Certificate>
Thanks Sham for your help again!
I was able to make it work, but I have 2 questions:
1. It seems that there is a known bug with Logout. I found this thread. Do you have any hotfix available for this?
2. I observed that the LDAP user does not get assigned to the CRX group automatically unless I set groupMembership specifically to the word "group" in the Felix console and the attribute id to "group" in attribute_filter.xml for the LDAP user attribute businessCategory. I looked at the SamlAuthenticationHandler file but could not find any hardcoded value. Could you please tell me why only "group" is working? How is it related to the businessCategory attribute internally?
Thank you for your help
Sam
Sam205505050 wrote...
Thanks Sham for your help again!
I was able to make it work, but I have 2 questions:
1. It seems that there is a known bug with Logout. I found this thread. Do you have any hotfix available for this?
2. I observed that the LDAP user does not get assigned to the CRX group automatically unless I set groupMembership specifically to the word "group" in the Felix console and the attribute id to "group" in attribute_filter.xml for the LDAP user attribute businessCategory. I looked at the SamlAuthenticationHandler file but could not find any hardcoded value. Could you please tell me why only "group" is working? How is it related to the businessCategory attribute internally?
Thank you for your help
Sam
1. I would treat it as a missing feature rather than a bug; it comes under enhancement. Right now the workaround would be to use the expiry time of the IdP cookie to log out in a SAML SSO. There is no hotfix; file a Daycare request for a feature pack.
2. The published KB article just uses one attribute, businessCategory, and is for demo purposes. The attribute can be anything that actually stores group info and is not hardcoded; however, whatever you configure in groupMembership at http://localhost:4502/system/console/configMgr/com.adobe.granite.auth.saml.SamlAuthenticationHandler will be used. In your case it is group and in the KB article it is businessCategory. In real life each customer has their own attributes and hence it is configurable.
Hi Sam,
Not to hijack this thread, but would you mind posting the IDP you use? I was working on a project recently and found that Single Logout support was pretty inconsistent between IDPs. So even though AEM doesn't support it today, I'd be curious what you have been successful in using.
Feel free to private message me if the IDP name is proprietary (although I'm guessing that others in this forum would be interested too).
Regards,
Justin
Sham HC wrote...
2. The published KB article just uses one attribute, businessCategory, and is for demo purposes. The attribute can be anything that actually stores group info and is not hardcoded; however, whatever you configure in groupMembership at http://localhost:4502/system/console/configMgr/com.adobe.granite.auth.saml.SamlAuthenticationHandler will be used. In your case it is group and in the KB article it is businessCategory. In real life each customer has their own attributes and hence it is configurable.
Thank you for the explanation. My doubt is what significance the word "group" has in relation to the businessCategory attribute in the LDAP user profile. When I changed the attribute id in attribute_filter.xml and groupMembership in the Felix console to "somegroup", the user does not get assigned to the group "administrators" automatically. I think there is a mapping between the businessCategory attribute and the word "group". Kindly correct me if I am wrong. If so, then where can I read about this?
justin_at_adobe wrote...
Not to hijack this thread, but would you mind posting the IDP you use? I was working on a project recently and found that Single Logout support was pretty inconsistent between IDPs. So even though AEM doesn't support it today, I'd be curious what you have been successful in using.
Locally I use Shibboleth. With logout you need to take care of 2 things: the expiry time of the IdP cookie, plus it should match the CQ token expiry.
Sham HC wrote...
justin_at_adobe wrote...
Not to hijack this thread, but would you mind posting the IDP you use? I was working on a project recently and found that Single Logout support was pretty inconsistent between IDPs. So even though AEM doesn't support it today, I'd be curious what you have been successful in using.
Locally I use Shibboleth. With logout you need to take care of 2 things: the expiry time of the IdP cookie, plus it should match the CQ token expiry.
Thanks Sham for the explanation; how do I set the expiry time of the IdP cookie to be the same as the CQ token?
Hi Sham, thanks, but I was actually asking Sam.
Support for Single Logout (SLO) seems highly variable between SAML IDPs. Shibboleth has only partial support (see note on https://wiki.shibboleth.net/confluence/display/SHIB2/SLOIssues).
Sam205505050 wrote...
Thank you for the explanation. My doubt is what significance the word "group" has in relation to the businessCategory attribute in the LDAP user profile. When I changed the attribute id in attribute_filter.xml and groupMembership in the Felix console to "somegroup", the user does not get assigned to the group "administrators" automatically. I think there is a mapping between the businessCategory attribute and the word "group". Kindly correct me if I am wrong. If so, then where can I read about this?
You are confusing Shibboleth configuration with CQ. With the setting described above, what happened is that when SAML sent a response, the attribute "somegroup" did not have the group value "administrators", and hence CQ did not assign it.
SAML does not send a group value because the definition of the attribute and LDAP is wrong. So you need to update attribute-resolver.xml also. Hope it clarifies your doubt.
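To make the two answers above concrete (the earlier point that the groupMembership attribute name is configurable rather than hardcoded, and this one that the IdP response must actually carry the group value under that name), here is an added example that is not code from the thread or from Adobe's SamlAuthenticationHandler. It parses a constructed, unsigned SAML assertion fragment and resolves the user's groups from whichever attribute name the SP has been configured with; the names, sample values and the `groups_for_user` helper are assumptions made for the illustration.

```python
"""Added example (not from the thread or from Adobe's code): how an SP-side
handler is expected to map a SAML attribute to local groups. The attribute
it looks for is the configured groupMembership name; a response whose
<saml:Attribute Name="..."> does not match that name yields no groups, which
is the 'user not assigned to administrators' symptom discussed above."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample (no signature, no real IdP): the IdP releases the LDAP
# attribute businessCategory, as in the KB article, carrying two group values.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:Subject><saml:NameID>sam</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="businessCategory">
      <saml:AttributeValue>administrators</saml:AttributeValue>
      <saml:AttributeValue>content-authors</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>sam@example.test</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_attributes(assertion_xml: str) -> dict[str, list[str]]:
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs: dict[str, list[str]] = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        name = attr.get("Name")
        if name is None:
            continue
        values = [(v.text or "").strip()
                  for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        attrs[name] = [v for v in values if v]
    return attrs


def groups_for_user(assertion_xml: str, group_membership_attr: str) -> list[str]:
    """Groups the SP would add the user to, given the configured attribute name.

    Only the attribute whose Name equals the configured value is consulted;
    there is no mapping from the word "group" to businessCategory or to any
    other attribute. A mismatch (e.g. SP configured with "somegroup" while the
    IdP releases businessCategory) simply returns an empty list.
    """
    return parse_attributes(assertion_xml).get(group_membership_attr, [])


if __name__ == "__main__":
    for configured in ("businessCategory", "somegroup"):
        print(f"groupMembership={configured!r} -> "
              f"{groups_for_user(SAMPLE_ASSERTION, configured)}")
```

The first configuration resolves `['administrators', 'content-authors']`; the second resolves nothing. The same check is a useful first diagnostic when group assignment silently fails: dump the attribute names in the decoded response and compare them, character for character, with the configured groupMembership value before touching the IdP's attribute-resolver.xml.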
justin_at_adobe wrote...
Hi Sham, thanks, but I was actually asking Sam.
sorry..