Where to get Service provider API key and chain certificate for SAML configuration with AEM? | Community
Himanshu_Singhal
Community Advisor
March 25, 2022
Solved

Where to get Service provider API key and chain certificate for SAML configuration with AEM?

  • March 25, 2022
  • 2 replies
  • 1412 views

Hi,

During the implementation of SAML config with AEM, I went through the official documentation, but the part about the Service provider private key and chain certificate isn't clear. From where can we get it?
Is it going to be from the AEM side or Okta?
Could you please provide clarification on it?

Best regards,
Himanshu Singhal


2 replies

DEBAL_DAS
New Member
March 26, 2022

Earlier I did SAML Authentication in AEM using Microsoft Azure Active Directory; at that time we had a separate team and they gave all of these to the AEM team.

That team was responsible for generating the environment certificates (dev/QA/pre-prod/prod), then creating the users at AD level and configuring the attributes at AD level.

I hope I am able to answer your question.


Debal Das, Senior AEM Consultant
Ravi_Pampana
Community Advisor
March 28, 2022

Hi,

When we implemented OKTA for AEM, the OKTA team provided us the details for the attributes below:

  • idpUrl
  • idpCertAlias

The values below are provided from AEM:

  • serviceProviderEntityId
  • synchronizeAttributes
  • idpHttpRedirect
  • defaultGroups

Himanshu_Singhal
Community Advisor
March 28, 2022

The following details have already been provided. However, we haven't provided the private key and chain certificate in AEM.

When we try to login using Okta, we're running into following error:
28.03.2022 05:40:46.726 DEBUG [qtp635365079-49029] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.

Is it mandatory to provide SP private key? If so, from where to get it?

Best regards,
Himanshu Singhal

Vijayalakshmi_S
Accepted solution
Level 10
March 28, 2022

@himanshu_singhal 

Private Key and Certificate chain are needed when the SAML response is encrypted, in which case Okta should provide the private key and certificate chain.

On the AEM end, we should then:

  • Associate this private key and certificate with authentication-service-user
  • In SAML config,
    • The SP private key alias (after uploading to AEM per the previous step) goes in the field named SP Private Key Alias
    • The Use Encryption field should be checked.

In brief, all of the above is applicable/mandatory when Okta is sending an encrypted SAML response.

If encryption is not enabled, we can ignore this Debug message.
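As an added example (not from the thread or from Adobe), here is a small Python check that applies the advice above to an AEM SAML handler OSGi config: it flags a config that enables encryption without an SP private key alias, and reports when the "Private key of SP not provided" DEBUG line is simply expected. The property names are those of the SamlAuthenticationHandler config; the sample values are constructed.

```python
"""Sanity-check an AEM SAML handler config against the advice in this thread.

Property names follow com.adobe.granite.auth.saml.SamlAuthenticationHandler
(spPrivateKeyAlias, useEncryption, ...); all sample values are constructed.
"""
import json
from typing import List

# Values the IdP (Okta) side supplies vs. values AEM defines, per the replies above.
IDP_SUPPLIED = ("idpUrl", "idpCertAlias")
SP_DEFINED = ("serviceProviderEntityId", "synchronizeAttributes",
              "idpHttpRedirect", "defaultGroups")


def check_saml_config(cfg: dict) -> List[str]:
    """Return a list of findings; an empty list means the config is consistent."""
    findings = []
    for key in IDP_SUPPLIED + SP_DEFINED:
        if key not in cfg or cfg[key] in ("", [], None):
            findings.append(f"missing value for {key}")
    alias = (cfg.get("spPrivateKeyAlias") or "").strip()
    encrypted = bool(cfg.get("useEncryption", False))
    if encrypted and not alias:
        # Encrypted assertions cannot be decrypted without the SP private key.
        findings.append("useEncryption is set but spPrivateKeyAlias is empty: "
                        "encrypted responses from the IdP cannot be decrypted")
    if not alias:
        # Benign when the IdP sends plain responses; this is the DEBUG line from the thread.
        findings.append("no spPrivateKeyAlias: AuthnRequests will not be signed "
                        "(DEBUG 'Private key of SP not provided' is expected)")
    return findings


# Constructed sample in the .cfg.json shape used for OSGi configurations.
SAMPLE_CFG = json.loads("""{
  "idpUrl": "https://idp.example.test/app/sso/saml",
  "idpCertAlias": "okta-idp",
  "serviceProviderEntityId": "https://aem.example.test",
  "synchronizeAttributes": ["email=profile/email"],
  "idpHttpRedirect": true,
  "defaultGroups": ["contributor"],
  "spPrivateKeyAlias": "",
  "useEncryption": true
}""")

if __name__ == "__main__":
    for finding in check_saml_config(SAMPLE_CFG):
        print("FINDING:", finding)
```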