Expand my Community achievements bar.

SOLVED

Where to get Service provider API key and chain certificate for SAML configuration with AEM?

Avatar

Community Advisor
Community Advisor
3/25/22 11:41:12 AM

Hi,

During the implementation of SAML config with AEM, I went through the official documentation but the part that ain't clear about Service provider private key and chain certificate. From where can we get it?
Is it going to be from AEM side or Okta?
Could you please provide clarification on it?

Best regards,
Himanshu Singhal

Views

984

Replies

4
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Community Advisor
Community Advisor
3/28/22 7:17:15 AM
In response to Himanshu_Singhal

@Himanshu_Singhal 

Private Key and Certificate chain is needed when SAML response is encrypted in which case, Okta should provide the private key and certificate chain. 

In AEM end, we should then,

  • Associate this private key and certificate to authentication-service-user
  • In SAML config,
    • SP private Key alias(after uploading to AEM per previous step) would go in this field named SP Private Key Alias
    • Use Encryption field should be checked. 

In brief, all the above is applicable/mandatory when Okta is sending encrypted SAML response. 

If encryption is not enabled, we can ignore this Debug message. 

View solution in original post

Views

921

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
4 Replies

Avatar

Employee Advisor
Employee Advisor
3/25/22 9:38:03 PM

Earlier I did SAML Authentication in AEM Using Microsoft Azure Active Directory, that time we had one separate team and they gave all these to AEM team.

 

That team was responsible to generate environment certificates like dev/QA/pre prod/prod, then users creation at AD level, configure attributes at AD level.

 

I hope I am able to answer your question.

 

 

Views

947

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Community Advisor
Community Advisor
3/27/22 6:42:03 PM

Hi,

 

When we implemented OKTA for AEM, OKTA team provided us the details for below attributes

 

idpUrl

idpCertAlias

 

Below values are provided from AEM 

serviceProviderEntityId

synchronizeAttributes

idpHttpRedirect

defaultGroups

Views

934

Replies

2
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Community Advisor
Community Advisor
3/27/22 11:12:11 PM
In response to Ravi_Pampana

Following details already been provided. However, we haven't provided the private key and chain certificate in AEM.

When we try to login using Okta, we're running into following error:
28.03.2022 05:40:46.726 DEBUG [qtp635365079-49029] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.

Is it mandatory to provide SP private key? If so, from where to get it?

Best regards,
Himanshu Singhal

Views

925

Replies

1
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Correct answer by
Community Advisor
Community Advisor
3/28/22 7:17:15 AM
In response to Himanshu_Singhal

@Himanshu_Singhal 

Private Key and Certificate chain is needed when SAML response is encrypted in which case, Okta should provide the private key and certificate chain. 

In AEM end, we should then,

  • Associate this private key and certificate to authentication-service-user
  • In SAML config,
    • SP private Key alias(after uploading to AEM per previous step) would go in this field named SP Private Key Alias
    • Use Encryption field should be checked. 

In brief, all the above is applicable/mandatory when Okta is sending encrypted SAML response. 

If encryption is not enabled, we can ignore this Debug message. 

Views

922

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
Related Conversations
Question Out of curiosity!! A asset upload in the AEM publish instance.

Views

48

Likes

0

Replies

2
Multifield Rollout in AEM 6.5.20.0 on-prem

Views

52

Likes

0

Replies

1
How to migrate JTW to OAuth2 and use it in the Jenkins pipeline?

Views

77

Likes

0

Replies

3
I have a component based on show-hide in AEM. can any one help on this

Views

98

Likes

0

Replies

5
Regarding User Roles and Permissions API of Adobe commerce

Views

58

Likes

0

Replies

2