Introduction to SAML
SAML is an XML-based data format used to exchange authentication and authorization information between different systems. Several participants take part in an authentication, and each plays its own role.
- IdP - IdP stands for Identity Provider. It authenticates the user who wants to interact with the system and asserts to that system that the user is known to it; it may also supply information from the user's profile. Facebook and Google are familiar examples of IdPs.
- User database - The user database keeps all the information about users. The IdP interacts with it to authenticate the user and to look up the user's information.
- Service provider - A service provider (SP) is any system or entity that provides a service while hiding the complexity and details behind it. A user or system can interact with the service once it has proved its identity; which parts of the service it is authorized to use is a separate question (authorization).
So, what process do these participants follow to set up SSO (single sign-on) authentication?
- The user requests login at the SP.
- The SP responds with a redirect to the IdP, carrying a SAML authentication request.
- The browser goes to the IdP, where the user logs in.
- The IdP responds with a signed SAML response (the SAML token) and redirects the browser back to the SP.
- The browser POSTs the SAML response to the SP, which states that the user has been authenticated.
- The SP does not need to call the IdP at this point: it validates the SAML response locally, by checking the signature with the IdP certificate it has on file (this is why the IdP certificate is installed in AEM below) and by checking that the response is addressed to this SP and has not expired.
- If the response is valid, the SP treats the user as authenticated.
- The SP responds to the browser with the welcome page.
Prerequisite
Identity provider (IdP): it is assumed that the IdP server is in place and configured with the user DB. The IdP should be configured with certificates so that the service provider can verify what it signs and communicate with it securely.
Steps to configure SAML with AEM:
The following steps need to be performed for a successful configuration with the IdP.
- Register the service provider (SP) with the identity provider (IdP): the service provider must be registered with the IdP so that the IdP can recognize authentication requests coming from it. The IdP requires this information in the form of SP metadata. Here is a sample of the metadata the IdP would require; provide it to the team managing the IdP.
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://localhost:4503/">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:4503/saml_login" index="1" />
  </md:SPSSODescriptor>
</md:EntityDescriptor>
- The SP metadata above provides the following information:
- Service provider entity ID: every service provider must be uniquely identified by the IdP. The IdP registers the SP under this entity ID and later uses it to identify which SP sent a request.
- Assertion consumer (redirect) URL of the service provider (SP): after authentication, the IdP POSTs the SAML response to this URL. It must follow a specific pattern: the AEM host URL followed by /saml_login, e.g. http://localhost:4502/saml_login. This is the value given as the AssertionConsumerService Location in the metadata.
- Configure AEM with the identity provider (IdP) information: AEM verifies the signature on the SAML response with the IdP's public certificate, so that certificate needs to be installed in AEM. Perform the following steps to import it. For AEM 6.0:
- Create the folder structure /etc/key/saml within "etc" in AEM.
- The certificate can be uploaded through both the GUI (CRXDE) and curl.
Using curl:
curl -u admin:admin -F idp_cert=@<path to IdP cert>/idp.cert -F idp_cert@TypeHint=Binary http://localhost:4503/etc/key/saml
Using CRXDE: double-click the "idp_cert" property, as shown in the diagram. A dialog box appears to browse for the certificate.
Fig1. - IDP cert properties
Browse to the certificate, then click OK.
Fig2. - IDP cert
For AEM 6.1:
- Add the IdP public certificate to the AEM truststore
- Go to: http://localhost:4502/libs/granite/security/content/useradmin.html
- Select any user, because the truststore is global to AEM
- Create the truststore by supplying a password, then choose Manage TrustStore
- Upload the IdP certificate and make a note of the certificate alias
- Add the SP key and certificate chain to the AEM keystore (of the authentication-service user)
- Go to: http://localhost:4502/libs/granite/security/content/useradmin.html
- Select the authentication-service user
- Create the keystore by supplying a password
- If SAML assertions are to be encrypted, go to Manage KeyStore to upload the private and public key
- Configure the SAML authentication handler in the web console
- Go to: http://localhost:4502/system/console/configMgr
- Search for Adobe Granite SAML 2.0 Authentication Handler
- Add a new handler configuration; the IdP certificate alias entered here must match the alias noted when the certificate was uploaded to the truststore.
- Configure the Adobe Granite SAML 2.0 authentication handler: SAML can be configured through the Felix console, but it is advisable to configure it through run modes, so that reconfiguration is not required for each environment.
SAML configuration attributes:
- Path: path to which the authentication handler applies.
- IDP URL: IdP URL to which the authentication request is redirected.
- Service provider entity ID: the same ID that was shared with the IdP to uniquely identify the service provider, e.g. https://www.example.com.
- Default redirect: URL to which the user is redirected after successful login.
- User ID: name of the SAML attribute that carries the user ID. This is useful when autocreation of users is enabled: the user ID is taken from the SAML attributes and, if the user does not exist in AEM yet, it is created.
- Group membership: name of the SAML attribute listing the groups the user should belong to; the attribute must be present in the SAML response.
- Synchronized attributes: list of user attributes that should be synchronized with the attributes available in the SAML response.
- Logout URL: logout URL of the IdP, to which logout requests are redirected from the SP.
Fig3. - SAML configuration attributes.
- Configure the Apache Sling Referrer Filter: on successful authentication the IdP redirects the browser to the SP and POSTs the SAML response. The Sling Referrer Filter rejects POST requests whose Referer header does not name an allowed host, so the IdP host must be added to its allowed hosts. Without this you may encounter a 403 Forbidden error.
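As an added example (not from the original post and not Adobe's own code), this is what the run-mode configuration recommended above looks like for AEM 6.1 and later: an OSGi configuration file for the SAML handler factory, placed at an assumed project path such as /apps/mysite/config.prod/com.adobe.granite.auth.saml.SamlAuthenticationHandler-mysite.config (the "-mysite" suffix is required because the handler is a factory configuration). The property names are those the handler exposes in the Felix console; every value (paths, hosts, the certificate alias, attribute names) is a placeholder to replace with your own, and idpCertAlias is the truststore alias noted during the certificate upload.

```properties
path="/content/mysite"
idpUrl="https://idp.example.com/saml/sso"
idpCertAlias="idp-cert-alias"
serviceProviderEntityId="http://localhost:4503/"
defaultRedirectUrl="/content/mysite/en.html"
userIDAttribute="email"
createUser=B"true"
addGroupMemberships=B"true"
groupMembershipAttribute="groups"
synchronizeAttributes=["email=profile/email","givenName=profile/givenName"]
logoutUrl="https://idp.example.com/saml/slo"
handleLogout=B"true"
clockTolerance=I"60"
```

The referrer filter setting from the step above belongs in a sibling file, org.apache.sling.security.impl.ReferrerFilter.config, whose allow.hosts array lists the IdP host (for example allow.hosts=["idp.example.com"]); leave allow.empty at false so a POST with no Referer is still rejected. If a dispatcher sits in front of the publish instance, its filter rules must also allow POST to /saml_login, or the IdP's response never reaches the handler.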
Fig4. - Apache Sling Referrer Filter configuration.
- SAML debugging: the SAML log is important for identifying what is happening at the AEM end. SAML Trace Firefox plugin: since SAML is browser-driven rather than server-driven, it is very important to trace at the client end, and the plugin shows the SAML request and response as they pass through the browser. If users are not yet synchronized from the IdP and you expect them to be created from the SAML response (AEM being configured for that), check the SAML response and verify that it actually contains the user attributes.
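The following script is an added example, not code from the original post or from Adobe. It ties the debugging step above to the validation step in the SSO flow: it decodes a SAMLResponse as the browser would POST it to /saml_login and reports the things the SP must check before trusting it (status, destination, issuer, audience, validity window, a signature that references the assertion) together with the user-id and group attributes that autocreation depends on. The sample response is constructed by hand and is not really signed; verifying the signature value itself needs an xmldsig library and the IdP certificate, which is what AEM does with the certificate from its truststore. The expected IdP entity ID and attribute names are assumptions.

```python
"""Offline sanity check of a SAML 2.0 Response posted to AEM's /saml_login.

Added example; sample data below is constructed, not captured from a real IdP.
"""
import base64
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# What this SP was configured with (assumed values matching the walkthrough).
SP_ENTITY_ID = "http://localhost:4503/"
ACS_URL = "http://localhost:4503/saml_login"
IDP_ENTITY_ID = "https://idp.example.com/idp"  # assumed IdP entityID
USER_ID_ATTR = "email"                          # assumed "User ID" attribute
GROUP_ATTR = "groups"                           # assumed "Group membership" attribute


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-05-01T10:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_saml_response(b64_response, now=None):
    """Decode a base64 SAMLResponse and return (ok, problems, attributes)."""
    now = now or datetime.now(timezone.utc)
    problems = []
    # xml.etree does not fetch external entities, but a production SP should
    # still hand the response to a hardened SAML library rather than raw parsing.
    root = ET.fromstring(base64.b64decode(b64_response))
    if root.tag != "{%s}Response" % NS["samlp"]:
        return False, ["root element is not samlp:Response"], {}
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")
    if root.get("Destination") != ACS_URL:
        problems.append("Destination %r is not our ACS %r" % (root.get("Destination"), ACS_URL))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, problems + ["no plain saml:Assertion (missing or encrypted)"], {}
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != IDP_ENTITY_ID:
        problems.append("Issuer %r is not the expected IdP" % issuer)
    # The signature must reference this very assertion (URI="#<ID>"): a signature
    # over some other element would not protect the data we consume.
    ref = assertion.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + assertion.get("ID", ""):
        problems.append("assertion is unsigned or the signature reference does not match its ID")
    cond = assertion.find("saml:Conditions", NS)
    audience = ""
    if cond is not None:
        audience = cond.findtext("saml:AudienceRestriction/saml:Audience", default="", namespaces=NS)
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid (NotBefore %s)" % cond.get("NotBefore"))
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired (NotOnOrAfter %s)" % cond.get("NotOnOrAfter"))
    if audience != SP_ENTITY_ID:
        problems.append("Audience %r is not our entityID" % audience)
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    if USER_ID_ATTR not in attributes:
        problems.append("no %r attribute, so AEM cannot autocreate the user" % USER_ID_ATTR)
    if GROUP_ATTR not in attributes:
        problems.append("no %r attribute, so no group membership will be applied" % GROUP_ATTR)
    return not problems, problems, attributes


def sample_response(include_user_attr=True, audience=SP_ENTITY_ID):
    """Constructed sample of what the IdP POSTs (base64), valid 10:00-10:05 UTC on 2024-05-01."""
    user_attr = ""
    if include_user_attr:
        user_attr = ('<saml:Attribute Name="%s"><saml:AttributeValue>jane.doe@example.com'
                     '</saml:AttributeValue></saml:Attribute>') % USER_ID_ATTR
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
        ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
        ' xmlns:ds="http://www.w3.org/2000/09/xmldsig#"'
        ' ID="_r1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z" Destination="%s">'
        '<saml:Issuer>%s</saml:Issuer>'
        '<samlp:Status><samlp:StatusCode Value="%s"/></samlp:Status>'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">'
        '<saml:Issuer>%s</saml:Issuer>'
        '<ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>'
        '<ds:SignatureValue>placeholder-not-a-real-signature</ds:SignatureValue></ds:Signature>'
        '<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
        'jane.doe@example.com</saml:NameID></saml:Subject>'
        '<saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">'
        '<saml:AudienceRestriction><saml:Audience>%s</saml:Audience></saml:AudienceRestriction>'
        '</saml:Conditions>'
        '<saml:AttributeStatement>'
        '<saml:Attribute Name="groups"><saml:AttributeValue>authors</saml:AttributeValue></saml:Attribute>'
        '%s</saml:AttributeStatement></saml:Assertion></samlp:Response>'
    ) % (ACS_URL, IDP_ENTITY_ID, SUCCESS, IDP_ENTITY_ID, audience, user_attr)
    return base64.b64encode(xml.encode()).decode()


SAMPLE_NOW = datetime(2024, 5, 1, 10, 2, tzinfo=timezone.utc)   # inside the validity window
SAMPLE_LATE = datetime(2024, 5, 1, 10, 5, tzinfo=timezone.utc)  # at NotOnOrAfter: expired

if __name__ == "__main__":
    ok, problems, attrs = check_saml_response(sample_response(), now=SAMPLE_NOW)
    print("valid" if ok else "REJECTED", problems, attrs)
```

To use it on a real login, copy the SAMLResponse form field from the POST to /saml_login (the SAML Trace plugin shows it) and pass it to check_saml_response with the current time. A missing user-id attribute is reported as a problem because that is exactly the case where AEM will not create the user even though everything else looks fine.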