Tuesday, November 11, 2014

How to configure SAML SSO for Adobe CQ5

Configuring SAML SSO for Adobe CQ5

Configure Apache Referrer Filter:

Navigate to the web console: http://HOST:4502/system/console/configMgr

Expand Apache Sling Referrer Filter

Add the SAML SSO server host name to the Allowed Hosts section (depending on the authoring environment you are configuring), Check the Allow Empty checkbox and Click Save.

Configure Adobe Granite SAML 2.0 Authentication Handler:

Configured the required details for authentication

    Service Ranking
    IDP HTTP Redirect
    Unchecked - Use an HTTP Redirect to the IDP URL instead of sending an AuthnRequest-message to request credential
    Service Provider Entity ID
    Default Redirect
    User ID Attribute
    UserID - The name of the attribute containing the user ID used to authenticate and create the user in the CRX repository
    Use Encryption
    Unchecked - Whether or not this authentication handler expects encrypted SAML assertions
    Autocreate CRX Users
    Unchecked - Whether or not to autocreate nonexisting users in the repository
    Add to Groups
    Unchecked - Whether or not a user should be autmatically added to CRX groups after successful authentication
    Group Membership
    <empty--no value> - The name of the attribute containing a list of CRX groups this user should be added to
    NameIDPolicy Format
    urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified - The value of the NameIDPolicy format parameter to send in the AuthnRequest message.

Click Save

Add the SAML certificate:

Log into the Authoring server using ssh .
Create a file called /tmp/idp.pem on the Authoring server, and paste the contents of certificate into the file. Save the file.

Run this command to push the certificate into AEM, replacing PASSWORD with the admin password:
curl -u admin:PASSWORD -F idp_cert=\<idp.pem -F idp_cert@TypeHint=Binary http://localhost:4502/etc/key/saml

Browse to the AEM server (http://HOST:4502/)and you should be redirected to SSO server for authentication and send to AEM screen upon successful authentication(http://HOST:4502/)).

No comments:

Post a Comment