ahmed-musallam/aem-saml

A Sample IDP with SAML integration and tutorial for AEM
AEM SAML SETUP

HEAVILY based on https://github.com/kristophjunge/docker-test-saml-idp

This is the fastest working SAML setup! It will help you set up SAML locally with AEM and start playing with it right away. It should take about 5 minutes to complete.

Usage

Install Docker

Test the installation by running docker version. You should get something like:

Docker version 18.09.2, build 6247962

Running the IDP container:

Clone this repo, then cd into the repo directory and run:

on Mac

./build-and-run.sh

or on Windows

docker build -t "saml-aem" -f "Dockerfile" .
docker run -p 8080:8080 saml-aem

Wait for the Docker image to build and the container to start. You should now be able to navigate to http://localhost:8080/simplesaml

Configuring AEM

Get the Certificate File from the IdP

With the IdP docker container running, navigate to the IDP metadata page: http://localhost:8080/simplesaml/saml2/idp/metadata.php?output=xhtml and download the idp.crt file.

This cert file is typically provided by the IdP managers for you to add to AEM's trust store.


Add the idp.crt to the trust store

For AEM 6.3 and below, follow: https://helpx.adobe.com/experience-manager/6-3/sites/administering/using/saml-2-0-authenticationhandler.html#AddtheIdPCertificatetotheAEMTrustStore

For AEM 6.4+:

  1. Navigate to Tools > Security > Trust Store
  2. Click Create TrustStore and set a password (I set it to password for this demo)
  3. Upload the idp.crt file, look up "Administrator" and click Submit
  4. Copy the trust store alias

SAML OSGI Config

There are two ways to apply the OSGi config:

Option 1 - Manually
  • Go to the OSGi console http://localhost:4502/system/console/configMgr
  • Search for Adobe Granite SAML 2.0 Authentication Handler, or use the direct link http://localhost:4502/system/console/configMgr/com.adobe.granite.auth.saml.SamlAuthenticationHandler
  • Configure it with the values listed in the CURL command under Option 2
  • Make sure that you use the Trust Store Alias you copied in the step above

Option 2 - CURL

I've made a convenient CURL command to do the manual step above automatically. Be sure to change the idpCertAlias to the Trust Store Alias you copied in the step above.

curl -u admin:admin -X POST \
-d "apply=true" \
-d "propertylist=path,service.ranking,idpUrl,idpCertAlias,idpHttpRedirect,serviceProviderEntityId,assertionConsumerServiceURL,spPrivateKeyAlias,keyStorePassword,defaultRedirectUrl,userIDAttribute,useEncryption,createUser,userIntermediatePath,addGroupMemberships,groupMembershipAttribute,defaultGroups,nameIdFormat,synchronizeAttributes,handleLogout,logoutUrl,clockTolerance,digestMethod,signatureMethod,identitySyncType,idpIdentifier" \
-d "path=/" \
-d "service.ranking=5002" \
-d "idpUrl=http://localhost:8080/simplesaml/saml2/idp/SSOService.php" \
-d "idpCertAlias=admin#1560185209235" \
-d "idpHttpRedirect=false" \
-d "serviceProviderEntityId=aem-sample-sp" \
-d "assertionConsumerServiceURL=" \
-d "spPrivateKeyAlias=" \
-d "keyStorePassword=unmodified" \
-d "defaultRedirectUrl=/" \
-d "userIDAttribute=uid" \
-d "useEncryption=false" \
-d "createUser=true" \
-d "userIntermediatePath=saml-users" \
-d "addGroupMemberships=true" \
-d "groupMembershipAttribute=groups"  \
-d "defaultGroups=content-authors" \
-d "nameIdFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:transient" \
-d "synchronizeAttributes=firstName=profile/givenName" \
-d "synchronizeAttributes=lastName=profile/familyName" \
-d "synchronizeAttributes=email=profile/email" \
-d "handleLogout=true" \
-d "logoutUrl=http://localhost:8080/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp" \
-d "clockTolerance=60" \
-d "digestMethod=http://www.w3.org/2001/04/xmlenc#sha256" \
-d "signatureMethod=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" \
-d "identitySyncType=default" \
-d "idpIdentifier=" \
http://localhost:4502/system/console/configMgr/com.adobe.granite.auth.saml.SamlAuthenticationHandler

Sling Referrer Configuration

  • Go to the OSGi console http://localhost:4502/system/console/configMgr
  • Search for Apache Sling Referrer Filter, or use the direct link http://localhost:4502/system/console/configMgr/org.apache.sling.security.impl.ReferrerFilter
  • Add the IdP host (localhost for this setup) to the allowed hosts

This will ensure that SAML POST requests from localhost make it through to AEM.

In a production setup, you'll need to add the host of your IdP. For example, if your IdP is at the host idp.mycompany.com, that is the host you need to add to the allow field. In our case, the IdP is at localhost.

Default IDP Users

There are three static users configured in the IdP; see them in this file: config/simplesamlphp/authsources.php. You can add or edit users, then stop the container and run the commands above again.

Testing

Go to http://localhost:4502. You should be redirected to the IdP login page to enter a user and password; take a look at the users in the file config/simplesamlphp/authsources.php. Try user1:user1 and you should be able to log in.
