Skip to main content

Adobe

Simple, Local SAML Integration With AEM + Gotchas

by on June 24th, 2019 | ~ minute read

Abstract Background Of Spheres And Wire Frame Landscape

If you’ve configured SAML with AEM and done a Google search on the matter, you’d have likely come across one of these lengthy examples: [1] [2] [3] [4] or looked at the Official AEM Doc for SAML integration. In this article, I’d like to show you 2 things:

  1. The fastest local SAML setup (which takes a couple of minutes). It might also be helpful for you to look at a working sample integration to test login behavior and other things quickly without necessarily understanding SAML or how it works.
  2. Some Gotchas from the Official AEM doc for SAML integration.

So let’s get to it!

The Fastest Local SAML Setup

(Github Repo)

For this, I’ve built a docker image with everything needed for the integration and documented the steps in the aem-saml Github repo.
If you follow the steps, it should take about 5 minutes to complete!
 

Gotchas from the Official AEM doc for SAML integration

Inspired Digital Experiences for Manufacturing and Automotive Lookbook Cover
Inspired Digital Experiences for Manufacturing & Automotive

Whether you’re just beginning your digital transformation journey or are well on your way, we invite you to explore our partnership with Adobe and our diverse capabilities in manufacturing and automotive.

Download Lookbook

Most notes below are for things that are NOT documented in the Official AEM Doc for SAML integration as of 06/24/2019. Adobe, if you’re seeing this, please update the docs.
 

Gotcha #1: Adding the IdP Certificate to the AEM TrustStore

From Adobe Docs for 6.5:That’s how you did that for AEM 6.3 and below.
For AEM 6.4+ this is should be done following my document here.

 

Gotcha #2: The Assertion Consumer Service URL

A good explanation of this URL can be found here.
Basically, this is the location on the Service Provider (in this case AEM) that accepts a SAML response. What Adobe does not tell you is that this location should be a URL ending with saml_login and should be provided to your IdP team to configure on their end. An example of this would be http://localhost:4502/content/saml_login or https://mycompany.com/content/saml/login.
Read more here, the section is titled: “The Path configuration and saml_login”
 

Gotcha #3: Add the Service Provider key and certificate chain to the AEM keystore

From Adobe Docs for 6.5:

This whole step is ONLY necessary if the SAML response is encrypted and is NOT related to the SAML certificate. This depends entirely on your IdP, if it does encrypt the SAML response, then ask your IdP team for the Private key and Certificate Chain. If your IdP does not encrypt SAML response, skip this step.
I will continue to update this list of gotchas as I think of more items.
That’s it for now! I wish you a painless AEM/SAML Integration

Tags

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Ahmed Musallam, Adobe Technical Lead

Ahmed is an Adobe Technical Lead and expert in the Adobe Experience Cloud.

More from this Author

Categories
Follow Us