SAML 2 SSO questions | Community
Skip to main content
S
Sam205505050
Level 6
October 16, 2015
Solved

SAML 2 SSO questions

  • October 16, 2015
  • 10 replies
  • 4855 views

Dear experts,

I'm following this tutorial to integrate SAML with AEM. After following all those steps, when I hit the url: http://10.141.21.140:4502 then AEM redirects to "https://10.141.21.140:8443/idp/profile/SAML2/POST/SSO" and error message was displayed in the browser as "SAML 2 SSO profile is not configured for relying party http://10.141.21.140" and error.log displays as -

GET / HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator getAnonymousResolver: Anonymous access not allowed by configuration - requesting credentials

 GET / HTTP/1.1] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.

I have few basic doubts due to lack of knowledge :(

1. Do I need to set up Service provider (SP) seperatly first or Tomact instance will be treated as both service provider and identity provider?

When I downloaded the IdP files then I see that $SAML_IDP_HOME/conf/relying-party.xml has the entry

 <rp:RelyingParty id="www.blogsaml.com"
        provider="http://www.blogsaml.com"  
        defaultSigningCredentialRef="IdPCredential" .......... </rp:RelyingParty>

Is http://www.blogsaml.com considered as Service Provider here?

2. One of the point is mentioned as

  • Add below meta data file at <SAML_IDP_HOME>/metadata/adobecq.xml

Which certificate it is referred? Is it <SAML_IDP_HOME>/credentials/idp.crt or the certificate which is referred by Tomcat?

Looking forward for you valuable help! Thank you

Sam

    This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.
    Best answer by Sham_HC

    Sam205505050 wrote...

    Thank you for explanation, My doubt is what is the significance of the word "group" has in relation with businessCategory attribute in LDAP user profile. When I changed attribute id in attribute_filter.xml and groupMemebership in felix console as "somegroup" then user does not get assign to group "administrators" autometically. I think there is a mapping between businessCategory attribute and the word "group". kindly correct me if I am wrong. If so, then where can I read about this  

    You are confusing Shibboleth configuration with CQ.  With the setting described above what happened is when saml sent an response the attribute "somegroup" does not have group value "administrators"   & hence cq did not assigned.  

    The saml does not sent a group value because definition of attribute and ldap is wrong. So you need to update attribute-resolver.xml also. Hope it clarifies your doubt. 

    10 replies

    Sham_HC
    Sham_HC
    Level 10
    October 16, 2015

    1)     It is an unique name known as an "entityID" used in SAML deployments by identity and service providers.

    2)     Inside the metadata file adobecq.xml certificate is present & refer the tag <X509Certificate>

    S
    Sam205505050Author
    Level 6
    October 16, 2015

    Thanks Sham for your help again!

    I was able to make it work but I have 2 questions though 

    1. It seems that there is a known bug with Logout. I found this thread. Do you have any hotfix available for this?

    2. I observed that LDAP user does not get assign to CRX group autometically unless I set groupMembership specifically as word "group" in felix console and attribute id "group" in attibute_filter.xml for LDAP user attibute businessCategory. I looked at SamlAuthenticationHandler file but could not find any hardcord value is mentioned. Could you please tell me why only "group" is working? How it is related to businessCategory attibute internally?

    Thank you for your help

    Sam

    Sham_HC
    Sham_HC
    Level 10
    October 16, 2015

    Sam205505050 wrote...

    Thanks Sham for your help again!

    I was able to make it work but I have 2 questions though 

    1. It seems that there is a known bug with Logout. I found this thread. Do you have any hotfix available for this?

    2. I observed that LDAP user does not get assign to CRX group autometically unless I set groupMembership specifically as word "group" in felix console and attribute id "group" in attibute_filter.xml for LDAP user attibute businessCategory. I looked at SamlAuthenticationHandler file but could not find any hardcord value is mentioned. Could you please tell me why only "group" is working? How it is related to businessCategory attibute internally?

    Thank you for your help

    Sam

     

    1.   I would treat as feature missing rather than bug & comes under enhancement.  Right now the workaround would be use expiry time of the IdP-cookie to logout in an SAML SSO. There is no hotfix file daycare requesting for feature pack.

    2.    The published kb article just uses one attribute businessCategory & is for demo purpose. The attribute can be anything which actually stores group info & is not hardcoded however what ever you configure in groupMembership at http://localhost:4502/system/console/configMgr/com.adobe.granite.auth.saml.SamlAuthenticationHandler  will be used. In your case it is group & in kb article it is businessCategory.  In real time each customer has own attributes & hence configarable. 

    J
    Adobe Employee
    JustinEd3Adobe Employee
    Adobe Employee
    October 16, 2015

    Hi Sam,

    Not to hijack this thread, but would you mind posting the IDP you use? I was working on a project recently and found that Single Logout support was pretty inconsistent between IDPs. So even though AEM doesn't support it today, I'd be curious what you have been successful in using.

    Feel free to private message me if the IDP name is proprietary (although I'm guessing that others in this forum would be interested too).

    Regards,

    Justin

    S
    Sam205505050Author
    Level 6
    October 16, 2015

    Sham HC wrote...

     

    2.    The published kb article just uses one attribute businessCategory & is for demo purpose. The attribute can be anything which actually stores group info & is not hardcoded however what ever you configure in groupMembership at http://localhost:4502/system/console/configMgr/com.adobe.granite.auth.saml.SamlAuthenticationHandler  will be used. In your case it is group & in kb article it is businessCategory.  In real time each customer has own attributes & hence configarable. 

     

     

    Thank you for explanation, My doubt is what is the significance of the word "group" has in relation with businessCategory attribute in LDAP user profile. When I changed attribute id in attribute_filter.xml and groupMemebership in felix console as "somegroup" then user does not get assign to group "administrators" autometically. I think there is a mapping between businessCategory attribute and the word "group". kindly correct me if I am wrong. If so, then where can I read about this  

    Sham_HC
    Sham_HC
    Level 10
    October 16, 2015

    justin_at_adobe wrote...

    Not to hijack this thread, but would you mind posting the IDP you use? I was working on a project recently and found that Single Logout support was pretty inconsistent between IDPs. So even though AEM doesn't support it today, I'd be curious what you have been successful in using.

    Locally I use Shibboleth.  With logout need to take care of 2 things expiry time of the IdP-cookie plus should match with cq token expire.  

    S
    Sam205505050Author
    Level 6
    October 16, 2015

    Sham HC wrote...

    justin_at_adobe wrote...

    Not to hijack this thread, but would you mind posting the IDP you use? I was working on a project recently and found that Single Logout support was pretty inconsistent between IDPs. So even though AEM doesn't support it today, I'd be curious what you have been successful in using.

    Locally I use Shibboleth.  With logout need to take care of 2 things expiry time of the IdP-cookie plus should match with cq token expire.  

     

    Thanks Sham for the explanation and how do I set expiry time of the IdP-cookie same as cq token? 

    J
    Adobe Employee
    JustinEd3Adobe Employee
    Adobe Employee
    October 16, 2015

    Hi Sham, Thanks, but I was actually asking Sam smiley

    Support for Single Logout (SLO) seems highly variable between SAML IDPs. Shibboleth has only partial support (see note on https://wiki.shibboleth.net/confluence/display/SHIB2/SLOIssues).

    Sham_HC
    Sham_HCAccepted solution
    Level 10
    October 16, 2015

    Sam205505050 wrote...

    Thank you for explanation, My doubt is what is the significance of the word "group" has in relation with businessCategory attribute in LDAP user profile. When I changed attribute id in attribute_filter.xml and groupMemebership in felix console as "somegroup" then user does not get assign to group "administrators" autometically. I think there is a mapping between businessCategory attribute and the word "group". kindly correct me if I am wrong. If so, then where can I read about this  

    You are confusing Shibboleth configuration with CQ.  With the setting described above what happened is when saml sent an response the attribute "somegroup" does not have group value "administrators"   & hence cq did not assigned.  

    The saml does not sent a group value because definition of attribute and ldap is wrong. So you need to update attribute-resolver.xml also. Hope it clarifies your doubt. 

      Sham_HC
      Sham_HC
      Level 10
      October 16, 2015

      justin_at_adobe wrote...

      Hi Sham, Thanks, but I was actually asking Sam smiley

      sorry..

      Terms & ConditionsAccessibility statement

      Loading footer...