Configure SSO on AEM instance: AEM-Shibboleth integration

Objective: To create a Single Sign-On platform for web applications developed through AEM.

The entire blog is divided into four parts:

Part I: Pre-installation: To make the user familiar with the technologies used and the underlying architecture.

Part II: Installation: The next part, i.e., part II of the blog provides a step by step installation guide.

Part III: Configuration: Part III lists the basic configurations that need to be done to integrate all the entities.

Part IV: Post-Installation: The last part, i.e., part IV of the blog, provides post-installation guidance and a description of the major challenges faced during the integration.


Entities involved:

Shibboleth (IdP): Shibboleth is an open-source project that provides Single Sign-On capabilities.

OpenDS: OpenDS software implements a wide range of Lightweight Directory Access Protocol (LDAP) and related standards.

Tomcat Server: Hosts the Shibboleth application.

AEM: Adobe Experience Manager, where the application is deployed.


  • Security Assertion Markup Language (SAML) is an XML standard that allows an online service provider to contact a separate online identity provider to authenticate users who are trying to access secure content.
  • The Lightweight Directory Access Protocol (LDAP) is a directory service protocol that runs on a layer above the TCP/IP stack.

Underlying Architecture:


1.1  Install OpenDS-2.3.0-build003

Launch the control panel and configure the user ID, password and business group.

1.2  Install Shibboleth IDP (shibboleth-identityprovider-2.4.0-bin)

Unzip the provided binary and run install.bat

1.3 Install tomcat (specifically

2. Configure Tomcat

2.1. Create an SSL self-signed certificate

Run the following commands:

openssl genrsa -des3 -out tomcatkey.pem 2048

openssl req -new -x509 -key tomcatkey.pem -out tomcatcert.pem -days 1095

openssl pkcs8 -topk8 -inform PEM -outform DER -in idp.key -nocrypt > pkcs8.key

When you are asked for a password, enter your name at every prompt for simplicity.

2.2  Apply the certificate to apache-tomcat-6.0.45/conf/server.xml.

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false"

sslProtocol="TLS" SSLEngine="on"


3. Configure Shibboleth IDP

3.1  Open attribute-filter.xml and add the following tags:

<afp:AttributeRule attributeID="uid">
    <afp:PermitValueRule xsi:type="basic:ANY" />
</afp:AttributeRule>

<afp:AttributeRule attributeID="group">
    <afp:PermitValueRule xsi:type="basic:ANY" />
</afp:AttributeRule>

<afp:AttributeRule attributeID="mail">
    <afp:PermitValueRule xsi:type="basic:ANY" />
</afp:AttributeRule>

3.2 Open attribute-resolver.xml and configure in the following way:

Uncomment the attribute definition tags with the ids uid, group and mail.

Add the LDAP credentials in the data connector tag:

<resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"

principal="cn=Directory Manager"

principalCredential="YOUR PASSWORD">








3.3  Open handler.xml, uncomment the UsernamePassword login handler and comment out the RemoteUser login handler.

3.4  Open login.config and add the following entries for LDAP configuration

ShibUserPassAuth {

edu.vt.middleware.ldap.jaas.LdapLoginModule required

bindDn="cn=Directory Manager"

bindCredential="YOUR PASSWORD"






3.5  Open relying-party.xml and add the following tags:

<rp:RelyingParty id=""

    defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport">

    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile" includeAttributeStatement="true"
        assertionLifetime="PT5M" assertionProxyCount="0"
        signResponses="never" signAssertions="always"
        encryptAssertions="never" encryptNameIds="never"/>

    <rp:ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile"
        signResponses="never" signAssertions="always"
        encryptAssertions="never" encryptNameIds="never"/>

    <rp:ProfileConfiguration xsi:type="saml:SAML2LogoutRequestProfile" signResponses="conditional"/>

</rp:RelyingParty>


Add the following tag under the metadata tag. It is used to link the IdP to AEM, which is discussed later:

<metadata:MetadataProvider xsi:type="metadata:FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"




3.6 Open saml_idp\metadata\idp-metadata.xml

Replace the certificate with the value present in saml_idp\credentials\idp.crt
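
An added example (not part of the original post and not Shibboleth's own tooling): a small Python check that reads the ProfileConfiguration attributes from step 3.5 and reports what the chosen signing, encryption and lifetime settings mean for the service provider. The sample XML is constructed, the RelyingParty id is a placeholder, and the 300-second lifetime threshold is an assumption.

```python
import re
import xml.etree.ElementTree as ET

RP = "urn:mace:shibboleth:2.0:relying-party"          # rp: namespace (IdP 2.x)
XSI = "http://www.w3.org/2001/XMLSchema-instance"      # xsi: namespace

# Constructed sample that mirrors step 3.5; the RelyingParty id is a placeholder.
SAMPLE = """\
<rp:RelyingParty xmlns:rp="urn:mace:shibboleth:2.0:relying-party"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    id="https://sp.example.invalid/placeholder">
  <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
      assertionLifetime="PT5M" signResponses="never" signAssertions="always"
      encryptAssertions="never" encryptNameIds="never"/>
  <rp:ProfileConfiguration xsi:type="saml:SAML2LogoutRequestProfile"
      signResponses="conditional"/>
</rp:RelyingParty>
"""

def lifetime_seconds(duration):
    """Convert a time-only xs:duration such as PT5M or PT1H30M to seconds."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", duration)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {duration!r}")
    hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return hours * 3600 + minutes * 60 + seconds

def audit(xml_text, max_lifetime=300):
    """Return (profile, finding) pairs for every rp:ProfileConfiguration."""
    findings = []
    for pc in ET.fromstring(xml_text).iter(f"{{{RP}}}ProfileConfiguration"):
        profile = pc.get(f"{{{XSI}}}type", "?")
        sign_a, sign_r = pc.get("signAssertions"), pc.get("signResponses")
        if sign_a == "never" and sign_r == "never":
            findings.append((profile, "nothing is signed: the SP cannot authenticate the message"))
        elif sign_a == "always" and sign_r == "never":
            findings.append((profile, "only the assertion is signed: the SP must verify that signature"))
        if pc.get("encryptAssertions") == "never":
            findings.append((profile, "assertion is sent unencrypted: attributes are visible at the browser"))
        life = pc.get("assertionLifetime")
        if life and lifetime_seconds(life) > max_lifetime:
            findings.append((profile, f"assertionLifetime {life} exceeds {max_lifetime}s"))
    return findings

if __name__ == "__main__":
    for profile, finding in audit(SAMPLE):
        print(f"{profile}: {finding}")
```

With the settings from step 3.5, the only integrity control on the login is the assertion signature, which AEM checks against the idp_cert uploaded in step 4.2.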

4. Configure AEM

4.1     Create a new file adobecq.xml under saml_idp\metadata with the following text:

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="" entityID="">

<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">


<ds:KeyInfo xmlns:ds="" Id="SPInfo">



Put your certificate value here





<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="localhost:4502/saml_login" index="1"/>

<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location=""/>



4.2  Under /etc/key in the repository, create a node called “saml”. Inside this node, add a new binary property called “idp_cert” of “BINARY” type for the public certificate of the IdP. That is, upload the file from C:/saml_idp/credentials/idp.crt.

4.3  Add a new binary property called “private” of “BINARY” type containing the private key for the public certificate in the metadata file (adobecq.xml). That is, upload the file C:\saml_idp\credentials\pkcs8.key.

4.4  Open localhost:4502/system/console/configMgr -> Adobe Granite SAML 2.0 Authentication Handler


4.5 Now open Apache Sling Referrer Filter in the same console and configure it likewise.


The remaining attributes of the Connector element from step 2.2:

SSLCertificateFile="C:\demo\appserver\apache-tomcat-6.0.45/tomcatcert.pem"

SSLCertificateKeyFile="C:\demo\appserver\apache-tomcat-6.0.45/tomcatkey.pem"

SSLPassword="<Your password>" />

2.3 Copy “idp.war” from saml_idp/war/idp.war to apache-tomcat-6.0.45/webapps

2.4 Create the directory apache-tomcat-6.0.45\endorsed and copy the .jar files included in the IdP source endorsed directory into the newly created directory.

Hit localhost:8443/idp/profile/Status; it should return OK.


Configure domain name

Open C:\Windows\System32\drivers\etc\hosts

Add the following entries: localhost

Make a request to AEM at http://<host>:<port>/; it will redirect to this login page:

Log in with the user name and password that you configured in OpenDS.

A successful login will take you to the AEM home page.

If you want the details of the user, such as the login session and the login/expiry time, you can create a filter/servlet.

One of the biggest challenges was capturing the SAML response, since it was always redirected.

Therefore, the login time and expiry time can be picked from the user node under “home/users”. The user configured through OpenDS is referenced throughout AEM as a remote user.

Major issues faced during integration:

>       Troubles in integration/interaction of software.

—    Get the right combination of software versions.

—    Incorrect LDAP URL, user name and password in configuration files

>       Deployment of Shibboleth war at Tomcat.

—    Corrected by taking care of jar files

>       Right permissions for the user group in AEM configuration.

>       Unavailability of required SAML jars at run time

—    Create a bundle of those jar files using bnd.jar and upload the bundle in felix to remove this error.

>       Problem in fetching SAML Response in AEM from Idp since the response got forwarded always

Used CRX node structure to fetch the response.
