Expand my Community achievements bar.

Dive into Adobe Summit 2024! Explore curated list of AEM sessions & labs, register, connect with experts, ask questions, engage, and share insights. Don't miss the excitement.
SOLVED

Where to get Service provider API key and chain certificate for SAML configuration with AEM?

Avatar

Community Advisor

Hi,

During the implementation of SAML config with AEM, I went through the official documentation but the part that ain't clear about Service provider private key and chain certificate. From where can we get it?
Is it going to be from AEM side or Okta?
Could you please provide clarification on it?

Best regards,
Himanshu Singhal

1 Accepted Solution

Avatar

Correct answer by
Community Advisor

@Himanshu_Singhal 

Private Key and Certificate chain is needed when SAML response is encrypted in which case, Okta should provide the private key and certificate chain. 

In AEM end, we should then,

  • Associate this private key and certificate to authentication-service-user
  • In SAML config,
    • SP private Key alias(after uploading to AEM per previous step) would go in this field named SP Private Key Alias
    • Use Encryption field should be checked. 

In brief, all the above is applicable/mandatory when Okta is sending encrypted SAML response. 

If encryption is not enabled, we can ignore this Debug message. 

View solution in original post

4 Replies

Avatar

Employee Advisor

Earlier I did SAML Authentication in AEM Using Microsoft Azure Active Directory, that time we had one separate team and they gave all these to AEM team.

 

That team was responsible to generate environment certificates like dev/QA/pre prod/prod, then users creation at AD level, configure attributes at AD level.

 

I hope I am able to answer your question.

 

 

Avatar

Community Advisor

Hi,

 

When we implemented OKTA for AEM, OKTA team provided us the details for below attributes

 

idpUrl

idpCertAlias

 

Below values are provided from AEM 

serviceProviderEntityId

synchronizeAttributes

idpHttpRedirect

defaultGroups

Avatar

Community Advisor

Following details already been provided. However, we haven't provided the private key and chain certificate in AEM.

When we try to login using Okta, we're running into following error:
28.03.2022 05:40:46.726 DEBUG [qtp635365079-49029] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.

Is it mandatory to provide SP private key? If so, from where to get it?

Best regards,
Himanshu Singhal

Avatar

Correct answer by
Community Advisor

@Himanshu_Singhal 

Private Key and Certificate chain is needed when SAML response is encrypted in which case, Okta should provide the private key and certificate chain. 

In AEM end, we should then,

  • Associate this private key and certificate to authentication-service-user
  • In SAML config,
    • SP private Key alias(after uploading to AEM per previous step) would go in this field named SP Private Key Alias
    • Use Encryption field should be checked. 

In brief, all the above is applicable/mandatory when Okta is sending encrypted SAML response. 

If encryption is not enabled, we can ignore this Debug message.