AEM SAML Setup


One must provide the IdP team with the URL on the author dispatcher to redirect to after SSO completes; it is typically something like:
https://HOST-NAME/saml_login
The IdP team will provide the following IdP information needed by AEM, possibly in a metadata.xml file.

  1. IDP URL - the URL for AEM to use to reach the IdP for SSO
  2. SP Identifier for the AEM instance
  3. IdP's public certificate
  4. A certificate and private key for AEM and the IdP to share for encryption/signing - not currently being done on Production.
Configure AEM
1. Add IdP public cert to AEM truststore.
  • Go to: http://AEM-INSTANCE:4502/libs/granite/security/content/useradmin.html
  • Select any user, because the TrustStore is global to AEM
  • Create trust store: click on Create TrustStore and supply a password. (Don't forget to record this securely!)
  • Click on Manage TrustStore (not KeyStore!)
  • Upload the IdP certificate given by the SAML IdP provider, either:
    • Add certificate from CER file (i.e. a certificate), OR
    • Add certificate from keystore file:
      1. Select the keystore file containing the certificate
      2. Enter the password protecting that keystore
      3. Enter the private key password - if any!
      4. Enter the alias of the private key
  • Make note of the auto-generated certificate Alias
  • Close the above pop-up window
  • Click on the Cancel button to get back to the user admin screen
2. Add SP key and certificate chain to AEM keystore (authentication-service) if using single sign-out or signing assertions
  • Go to: http://AEM-HOST:4502/libs/granite/security/content/useradmin.html
  • Select the authentication-service user
  • Create KeyStore by supplying a password.
  • If encrypting SAML assertions, click on Manage KeyStore to upload the private & public key
  • Add Private Key from keystore file
3. Configure the SAML authentication handler in the web console
  • Go to: http://AEM-HOST:4502/system/console/configMgr
  • Search for Adobe Granite SAML 2.0 Authentication Handler
Fill in the following fields:
  • Path: the path to be protected with SAML, i.e. / (note that a trailing slash seems required).
  • IDP URL: provided by the IdP.
  • IDP Certificate Alias: the alias auto-generated in step 1 above.
  • Service Provider Entity ID: identifies the SP (AEM) to the IdP.
  • SP Private Key Alias: ignore for now. Must match the values used in step 2 above. I believe this is used to sign the SAMLRequest sent to the IdP.
  • Password of Key Store: must match the password of the keystore made in step 2 above.
  • UserID Attribute: normally uid. This is the SAML attribute from the IdP that contains the user-id.
  • Use Encryption: ignore for now. If no keys are in /etc/keys/saml, it just logs an error message.
  • Autocreate CRX users: uncheck. If not checked, the users must be manually created in AEM before they can actually log in to AEM.
  • Add to Groups: check if one wants the groups specified by the IdP automatically added to the user account created in AEM.
  • Group membership: if the IdP is providing a list of groups for users, this is the SAML attribute containing the list. Note: the IdP must not specify the group 'administrators' in the list or the user's login will fail! If it is in the list of groups, SAML auth fails and starts an endless loop of trying to authenticate against SAML.
  • Default groups: on first login, the user will be added to any groups specified in this list. One can use both this and the Group membership field. At a minimum, adding the Contributors group seems to give the normal amount of access.
  • NameIDPolicy Format: the default of urn:oasis:names:tc:SAML:2.0:nameid-format:transient seems to work.
  • Synchronized Attributes: for pulling other fields from SAML into the user's AEM profile. The IdP must be setting the mail attribute, of course! Current ones used:
    • emailAddress=profile/email
    • firstName=profile/givenName
    • lastName=profile/familyName
  • Handle Logout and Logout URL: not in use in Production yet.
4. Configure Referrer Filter
  • Configure the host at: http://AEM-HOST:4502/system/console/configMgr/org.apache.sling.security.impl.ReferrerFilter
  • Set the following fields:
    • Allow Empty: check (this lets requests that carry no Referer header through the filter)
    • Allow Hosts: add the IdP provider, such as https://login.ext.test.com:443 (note: if SSL based, one must append :443 as well as use https)
    • Click Save
5. Configure SAML log file
  • Go to: Apache Sling Logging Logger Configuration
  • Click on the plus sign
  • Set the following fields:
    • Log Level: Debug
    • Log file: logs/saml.log
    • Logger: com.adobe.granite.auth.saml
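As an added example (not part of the original guide or of AEM), the Python script below pulls the values the IdP team supplies in metadata.xml into the form the steps above ask for: a PEM file for the truststore upload in step 1, a SHA-256 fingerprint to confirm with the IdP team before trusting that certificate, the SSO URLs for the IDP URL field in step 3, and the scheme://host:port string for the Referrer Filter's Allow Hosts field in step 4. The metadata document and certificate bytes are constructed samples, the login.ext.test.com host is the one used in the guide, and the function names are this example's own; only the Python standard library is used.

```python
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: these bytes stand in for a DER certificate (not a real
# X.509 certificate) and the metadata document below is built around them.
SAMPLE_CERT_DER = b"constructed placeholder, not a real X.509 certificate"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://login.ext.test.com/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(SAMPLE_CERT_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.ext.test.com/idp/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.ext.test.com/idp/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, to confirm out of band with the IdP team."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def referrer_allow_host(url: str) -> str:
    """Referrer Filter 'Allow Hosts' entry: scheme://host:port, with the port explicit."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return f"{parts.scheme}://{parts.hostname}:{port}"

def parse_idp_metadata(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    # The signing certificate is what goes into the truststore in step 1; it decides
    # whose assertions AEM accepts, so verify its fingerprint before uploading it.
    cert = idp.find("md:KeyDescriptor[@use='signing']", NS).find(".//ds:X509Certificate", NS)
    b64 = "".join(cert.text.split())  # metadata often wraps the base64 across lines
    pem = "-----BEGIN CERTIFICATE-----\n" + textwrap.fill(b64, 64) + "\n-----END CERTIFICATE-----\n"
    sso = {s.get("Binding").rsplit(":", 1)[1]: s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    return {"idp_entity_id": root.get("entityID"), "sso_endpoints": sso,
            "idp_cert_pem": pem, "idp_cert_sha256": sha256_fingerprint(base64.b64decode(b64)),
            "referrer_allow_host": referrer_allow_host(sso["HTTP-POST"])}
```

Run `parse_idp_metadata(open("metadata.xml").read())` on the real file from the IdP team and compare the printed fingerprint with the one they quote before uploading the PEM in step 1.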