Expand my Community achievements bar.

Learn about Edge Delivery Services in upcoming GEM session
Register!
SOLVED

SAML | IDP Certificate through CURL

Avatar

Level 3
Level 3
2/18/18 7:06:31 PM

Hi All,

Am looking into options on how to configure SAML on our AEM instances, especially uploading truststore and keystore.

From the documentation, we understand that we can go to admin console and manually upload the certificates, but they are manual steps and biggest issue is the truststore alias is random number which is restricting us to put SAML config in source control.

Can you let us know if there is any other option to upload the truststore and keystore into AEM instances, say through CURL?

Also, is there a way to predefine the truststore alias key?

1422041_pastedImage_0.png

Note: Tried below solution but not working in 6.2

Providing TrustStore and KeyStore from content package

Views

3.0K

Replies

6
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Level 1
Level 1
3/8/18 3:11:31 PM

Hi Veera,

The only option I found so far to more predictably package the truststore is:
  1. create the truststore on one instance (manually)
  2. add the IDP certificate manually
  3. write down the certificate alias
  4. create the SAML config based on that alias
  5. create a package with /etc/key, /etc/truststore, /home/users/system/authentication-service

When you deploy this package on another instance it should have the same certificate ID in the new instance.

If you find a better/different way, let me known.

Regards,

Paul

View solution in original post

Views

1.5K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
6 Replies

Avatar

Level 2
Level 2
2/18/18 9:33:14 PM

Hi Veena

The truststore alias is generated only once. You need to take it and add it in com.adobe.granite.auth.saml.SamlAuthenticationHandler.xml file against idpCertAlias property. You can then source control the xml file.

Please let me know if you need more information.

Views

1.8K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 3
Level 3
2/18/18 9:41:02 PM

Hi Prateek,

Thank you for your comments.

We are creating new instances for every release, so the concept of 'apply once' and 'stays forever' wont apply for us.

Looking into ways how we can create trust store (with predefined alias) through non-manual steps, so that we can put those steps as part of stack creation.

Cheers,

Veera

Views

1.7K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 3
Level 3
3/4/18 6:39:38 PM

Bumping up to the top again,

Any pointers pls?

Views

1.7K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Correct answer by
Level 1
Level 1
3/8/18 3:11:31 PM

Hi Veera,

The only option I found so far to more predictably package the truststore is:
  1. create the truststore on one instance (manually)
  2. add the IDP certificate manually
  3. write down the certificate alias
  4. create the SAML config based on that alias
  5. create a package with /etc/key, /etc/truststore, /home/users/system/authentication-service

When you deploy this package on another instance it should have the same certificate ID in the new instance.

If you find a better/different way, let me known.

Regards,

Paul

Views

1.5K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply