saml authentication handler configuration

Hi Kanwaljit.. Double check SlingAuthenticator configuration in your publisher instance. 

You may want to have the /apps/<projectname>/config.publish/org.apache.sling.engine.impl.auth.SlingAuthenticator.config with below entries: 

auth.sudo.cookie="sling.sudo"sling.auth.anonymous.user=""auth.annonymous=B"true"sling.auth.requirements=["+/<path to your secured sections of your site>"] auth.sudo.parameter="sudo"auth.http="preemptive"auth.uri.suffix=["/j_security_check"] auth.http.realm="Sling\ (Development)"sling.auth.anonymous.password=""

Hi Kanwal,

did you follow the section on managing cryptographic keys[1]. The keys are not stored under a user, but under "/etc/key/saml/"

How have you been uploading your keys?

Regards,

Opkar

[1] http://docs.adobe.com/docs/en/aem/6-1/administer/security/saml-2-0-authenticationhandler.html#Managing%20Cryptographic%20Keys

Hey Opkar,

First I followed the process from - www.aemstuff.com/blogs/july/saml.html

Add IdP public cert to AEM truststore

1. • Go to: http://localhost:4502/libs/granite/security/content/useradmin.html
   • Select any user because TrustStore is global to AEM
   • Create trust store by supplying the password & then manage trust store
   • Upload the IdP certificate & make note of the certificate Alias
2. Add SP key and certificate chain to AEM keystore (authentication-service)
   • Go to: http://localhost:4502/libs/granite/security/content/useradmin.html
   • Select authentication-service
   • Create KeyStore by supplying the password

Pls see the attached image that is showing the certificate. If this is not to be followed in AEM 6.1, do let me know

Also, since I am only using un-encrypted communication, Is this WARN message is worth looking at ?

=============

Then I used the curl command in the link you mentioned to upload the IDP certificate.

The thing is that now I am getting a saml packet back from idp(attached) but the error/warning is misleading me.

04.09.2015 16:00:14.701 *WARN* [qtp1338887913-216] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
04.09.2015 16:00:30.000 *INFO* [pool-7-thread-1] com.adobe.granite.taskmanagement.impl.jcr.TaskArchiveService archiving tasks at: 'Fri Sep 04 16:00:30 AEST 2015'
04.09.2015 16:00:31.021 *INFO* [qtp1338887913-228] org.apache.sling.auth.core.impl.SlingAuthenticator getAnonymousResolver: Anonymous access not allowed by configuration - requesting credentials

Why would it treat it as anonymous ?

/Regards
Kanwal

attaching saml reponse

Hi Kanwal,

I take it you selected the autocreate option for users in the SAML config?

Can you try it again and this time please manually create your user, then try it again.

Have you enabled the debug level logs for bundle "com.adobe.granite.auth.saml"?

Regards,

Opkar

You basically nailed it  Thanks...

But I still havent got the entire thing working...

• I disabled the AutoCreate option and created the user in AEM and then try to login... All works fine.
• I enabled the AutoCreate option. I disabled the "Add to Groups" checkbox - addGroupMembership. Then try to login... All works fine, user even gets created in AEM. 
  BUT the user always gets added to groups - administrators and everyone
• I enabled the AutoCreate and I enabled the "Add to Groups" checkbox".  Then try to login... I get the same repository exception again.  And user is not created in AEM. 

My use case is to be able to add user to custom groups. These groups will not be coming as part of request but will be known to me in advance. I.e static values. So, I don't want to use the "groupMembershipAttribute" but I need to use the "defaultGroups"

Any ideas please ?

One key thing I added ( without which, it NEVER works) - In the 'Path" field/attribute, I added the path "/saml_login" to list of allowed paths. It seems this is the path that request is being redirected to each time.

/Regards
Kanwal

Hi

Have tried the following steps and I am seeing the following error. Can some one help?

1. Add IdP public cert to AEM truststore
   • Go to: http://localhost:4502/libs/granite/security/content/useradmin.html
   • Select any user(admin) because TrustStore is global to AEM. Uncheck “Map certificate to user” and click submit
   • Create trust store by supplying the password & then manage trust store
   • Upload the IdP certificate & make note of the certificate Alias
2. Add SP key and certificate chain to AEM keystore (authentication-service)
   • Go to: http://localhost:4502/libs/granite/security/content/useradmin.html
   • Select authentication-service
   • Create KeyStore by supplying the password
   • If encrypting SAML assertions then go to manage KeyStore for uploading the private & public key
3. Configure the SAML authentication handler in the web console
   • Go to: http://localhost:4502/system/console/configMgr
   • Search for Adobe Granite SAML 2.0 Authentication Handler
   • Add a new handler configuration and alias here should match with step1.

HTTP ERROR: 500

Problem accessing /saml_login. Reason:

com.adobe.granite.keystore.KeyStoreNotInitialisedException: Uninitialised system trust store.

Powered by Jetty://

Thanks,

Karthik

keep /saml_login in url list. This is a a fixed / hard-coded url that the saml request will come back to

/Kanwal