Objective: To create a Single Sign-On platform for web applications developed through AEM.
The entire blog is divided into three parts:
Part I: Pre-installation: makes the reader familiar with the technologies used and the underlying architecture.
Part II: Installation: provides a step-by-step installation guide.
Part III: Configuration: lists the basic configurations needed to integrate all the entities.
Part IV: Post-installation: provides post-installation guidance and describes the major challenges faced during the integration.
Part I: PRE-INSTALLATION
Entities involved:
Shibboleth (IdP): Shibboleth is an open-source project that provides Single Sign-On capabilities.
OpenDS: OpenDS is directory server software that implements a wide range of Lightweight Directory Access Protocol (LDAP) and related standards.
Tomcat Server: hosts the Shibboleth IdP web application.
AEM: Adobe Experience Manager, where the application is deployed.
Technology/Standard/Protocols
- Security Assertion Markup Language (SAML) is an XML standard that allows an online service provider to contact a separate online identity provider to authenticate users who are trying to access secure content.
- The Lightweight Directory Access Protocol (LDAP) is a directory service protocol that runs on a layer above the TCP/IP stack.
Underlying Architecture:
Part II: INSTALLATION
1.1 Install OpenDS-2.3.0-build003
Launch the control panel and configure the user ID, password and business group.
1.2 Install Shibboleth IdP (shibboleth-identityprovider-2.4.0-bin)
Unzip the provided binary and run install.bat.
1.3 Install Tomcat (specifically apache-tomcat-6.0.37-windows-x64.zip)
2. Configure Tomcat
2.1. Create an SSL self-signed certificate
Run the following commands:
openssl genrsa -des3 -out tomcatkey.pem 2048
openssl req -new -x509 -key tomcatkey.pem -out tomcatcert.pem -days 1095
openssl pkcs8 -topk8 -inform PEM -outform DER -in idp.key -nocrypt > pkcs8.key
The first two commands create the Tomcat key and its self-signed certificate; the third converts the IdP's own private key (idp.key) into unencrypted PKCS#8 DER, which is the pkcs8.key uploaded to AEM in step 4.3.
When prompted for a pass phrase, use your name everywhere for simplicity.
2.2. Apply the certificate in apache-tomcat-6.0.45/conf/server.xml. The element is reproduced here in full (its last three attributes appear further down in the original post). Note that SSLEngine and the SSLCertificateFile/SSLCertificateKeyFile/SSLPassword attributes belong to Tomcat's APR/native connector, so the Tomcat Native library must be present; the pure-Java connector expects a keystore instead.
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
           scheme="https" secure="true" clientAuth="false"
           sslProtocol="TLS" SSLEngine="on"
           SSLCertificateFile="C:\demo\appserver\apache-tomcat-6.0.45/tomcatcert.pem"
           SSLCertificateKeyFile="C:\demo\appserver\apache-tomcat-6.0.45/tomcatkey.pem"
           SSLPassword="<Your password>" />
Part III: CONFIGURATIONS
3 Configure Shibboleth IdP
3.1 Open attribute-filter.xml and add the following tags:
<afp:AttributeRule attributeID="uid">
    <afp:PermitValueRule xsi:type="basic:ANY" />
</afp:AttributeRule>
<afp:AttributeRule attributeID="group">
    <afp:PermitValueRule xsi:type="basic:ANY" />
</afp:AttributeRule>
<afp:AttributeRule attributeID="mail">
    <afp:PermitValueRule xsi:type="basic:ANY" />
</afp:AttributeRule>
3.2 Open attribute-resolver.xml and configure it as follows:
Uncomment the attribute definition tags with the ids uid, group and mail.
Add the LDAP credentials in the data connector tag:
<resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
    ldapURL="ldap://localhost:389"
    baseDN="ou=People,dc=example,dc=com"
    principal="cn=Directory Manager"
    principalCredential="YOUR PASSWORD">
    <dc:FilterTemplate>
        <![CDATA[
            (uid=$requestContext.principalName)
        ]]>
    </dc:FilterTemplate>
</resolver:DataConnector>
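The filter in step 3.1 only releases attributes that the resolver in step 3.2 actually defines, and the data connector above carries a bind password, so it is worth checking the two files against each other before restarting the IdP. The script below is an added example (not part of the original post and not Shibboleth project code): it lists every attributeID released by attribute-filter.xml, lists every AttributeDefinition id in attribute-resolver.xml, reports the difference, and inspects each dc:LDAPDirectory connector for a password sent over plain ldap:// to a remote host and for a bind as the directory superuser. The two XML documents are constructed from the snippets in the post (with "group" deliberately left undefined, as it is before the uncommenting step); the namespace URIs and the useStartTLS attribute are those of IdP 2.x.

```python
"""Consistency check for Shibboleth IdP 2.x attribute-filter.xml and attribute-resolver.xml.

Added example, not part of the original post or of the Shibboleth project.
"""
import xml.etree.ElementTree as ET

NS = {
    "afp": "urn:mace:shibboleth:2.0:afp",
    "resolver": "urn:mace:shibboleth:2.0:resolver",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}

# Constructed sample: the three release rules from step 3.1 inside one policy.
ATTRIBUTE_FILTER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <afp:AttributeFilterPolicy id="releaseToAEM">
    <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
    <afp:AttributeRule attributeID="uid">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="group">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="mail">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>
"""

# Constructed sample: the data connector from step 3.2 plus two of the three
# attribute definitions; "group" is still commented out, as before step 3.2.
ATTRIBUTE_RESOLVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<resolver:AttributeResolver
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
    xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <resolver:AttributeDefinition id="uid" xsi:type="ad:Simple" sourceAttributeID="uid">
    <resolver:Dependency ref="myLDAP"/>
  </resolver:AttributeDefinition>
  <resolver:AttributeDefinition id="mail" xsi:type="ad:Simple" sourceAttributeID="mail">
    <resolver:Dependency ref="myLDAP"/>
  </resolver:AttributeDefinition>
  <!-- the "group" AttributeDefinition is left commented out on purpose -->
  <resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
      ldapURL="ldap://localhost:389"
      baseDN="ou=People,dc=example,dc=com"
      principal="cn=Directory Manager"
      principalCredential="YOUR PASSWORD">
    <dc:FilterTemplate><![CDATA[ (uid=$requestContext.principalName) ]]></dc:FilterTemplate>
  </resolver:DataConnector>
</resolver:AttributeResolver>
"""


def released_attributes(filter_xml):
    """attributeIDs that the filter policy permits to be released."""
    root = ET.fromstring(filter_xml)
    return sorted({rule.get("attributeID") for rule in root.iter(f"{{{NS['afp']}}}AttributeRule")})


def defined_attributes(resolver_xml):
    """ids of the AttributeDefinition elements the resolver can produce."""
    root = ET.fromstring(resolver_xml)
    return sorted({d.get("id") for d in root.iter(f"{{{NS['resolver']}}}AttributeDefinition")})


def ldap_connector_findings(resolver_xml):
    """Risk findings for each dc:LDAPDirectory data connector."""
    root = ET.fromstring(resolver_xml)
    findings = []
    for conn in root.iter(f"{{{NS['resolver']}}}DataConnector"):
        if conn.get(f"{{{NS['xsi']}}}type") != "dc:LDAPDirectory":
            continue
        cid = conn.get("id")
        url = conn.get("ldapURL", "")
        host = url.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
        # useStartTLS="true" upgrades a plain ldap:// session; ldaps:// is encrypted from the start.
        plaintext = url.startswith("ldap://") and conn.get("useStartTLS", "false").lower() != "true"
        if plaintext and conn.get("principalCredential") and host not in ("localhost", "127.0.0.1", "::1"):
            findings.append(f"{cid}: bind password is sent in clear over ldap:// to {host}")
        if conn.get("principal", "").lower().startswith("cn=directory manager"):
            findings.append(f"{cid}: binds as the directory superuser; a read-only lookup account is enough")
    return findings


def check_attribute_release(filter_xml, resolver_xml):
    """All findings; an empty list means the files agree and the connector looks sane."""
    missing = sorted(set(released_attributes(filter_xml)) - set(defined_attributes(resolver_xml)))
    findings = [f"filter releases '{a}' but the resolver has no AttributeDefinition with that id" for a in missing]
    return findings + ldap_connector_findings(resolver_xml)


if __name__ == "__main__":
    for line in check_attribute_release(ATTRIBUTE_FILTER_XML, ATTRIBUTE_RESOLVER_XML):
        print(line)
```

Run against the sample it reports the undefined "group" attribute and the Directory Manager bind; the plaintext-LDAP finding stays quiet only because the directory is on localhost, which is the one case where an unencrypted ldap:// URL does not put the bind password on the wire.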
3.3 Open handler.xml, uncomment the UsernamePassword login handler and comment out the RemoteUser login handler.
3.4 Open login.config and add the following entries for the LDAP configuration:
ShibUserPassAuth {
    edu.vt.middleware.ldap.jaas.LdapLoginModule required
        ldapUrl="ldap://localhost:389"
        baseDn="ou=People,dc=example,dc=com"
        bindDn="cn=Directory Manager"
        bindCredential="YOUR PASSWORD"
        ssl="false"
        tls="false"
        userField="uid"
        userFilter="uid={0}";
};
3.5 Open relying-party.xml and add the following tags:
<rp:RelyingParty id="tavant.com"
    provider="tavant.com"
    defaultSigningCredentialRef="IdPCredential"
    defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport">
    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile" includeAttributeStatement="true"
        assertionLifetime="PT5M" assertionProxyCount="0"
        signResponses="never" signAssertions="always"
        encryptAssertions="never" encryptNameIds="never"
        includeConditionsNotBefore="true"/>
    <rp:ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile"
        signResponses="never" signAssertions="always"
        encryptAssertions="never" encryptNameIds="never"/>
    <rp:ProfileConfiguration xsi:type="saml:SAML2LogoutRequestProfile" signResponses="conditional"/>
</rp:RelyingParty>
Add the following tag under the metadata tag. This links the IdP to AEM, which is discussed later.
<metadata:MetadataProvider xsi:type="metadata:FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
    id="AdobeCQ"
    metadataFile="c:\saml_idp/metadata/adobecq.xml"/>
3.6 Open saml_idp\metadata\idp-metadata.xml
Replace the certificate with the value present in saml_idp\credentials\idp.cert
4 Configure AEM
4.1 Create a new file adobecq.xml under saml_idp\metadata with the following content:
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="tavant.com">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
        <md:KeyDescriptor>
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SPInfo">
                <ds:X509Data>
                    <ds:X509Certificate>
                        Put your certificate value here
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:4502/saml_login" index="1"/>
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://tavant.com:8443/idp/Authn/UserPassword"/>
    </md:SPSSODescriptor>
</md:EntityDescriptor>
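The relying-party entry from step 3.5 and the service-provider metadata from step 4.1 have to agree with each other: the SP entityID must match an rp:RelyingParty id (otherwise the IdP silently falls back to its default relying party), the profile must sign at least the assertion since signResponses is "never", an unencrypted assertion should not be posted to a plain-http AssertionConsumerService, and the X509Certificate must hold a real certificate rather than the "Put your certificate value here" placeholder. The script below is an added example (not part of the original post, of Shibboleth or of AEM) that audits exactly those four points. Both documents are constructed from the post's values; the rp/saml namespace URIs and the profile defaults noted in the comments are those of IdP 2.x as the author of this example understands them.

```python
"""Audit of the SAML trust set-up between relying-party.xml (step 3.5) and adobecq.xml (step 4.1).

Added example, not part of the original post, of Shibboleth or of AEM.
"""
import base64
import binascii
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "rp": "urn:mace:shibboleth:2.0:relying-party",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}

# Constructed sample: the RelyingParty entry from step 3.5.
RELYING_PARTY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<rp:RelyingPartyGroup xmlns:rp="urn:mace:shibboleth:2.0:relying-party"
    xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <rp:RelyingParty id="tavant.com" provider="tavant.com" defaultSigningCredentialRef="IdPCredential"
      defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport">
    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile" includeAttributeStatement="true"
        assertionLifetime="PT5M" assertionProxyCount="0"
        signResponses="never" signAssertions="always"
        encryptAssertions="never" encryptNameIds="never"
        includeConditionsNotBefore="true"/>
  </rp:RelyingParty>
</rp:RelyingPartyGroup>
"""

# Constructed sample: adobecq.xml from step 4.1 with the certificate placeholder still in place.
SP_METADATA_XML = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="tavant.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo Id="SPInfo"><ds:X509Data>
        <ds:X509Certificate>Put your certificate value here</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:4502/saml_login" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def looks_like_der_certificate(text):
    """True if text is base64 whose decoding starts with a DER SEQUENCE tag (0x30)."""
    try:
        raw = base64.b64decode("".join(text.split()), validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) > 2 and raw[0] == 0x30


def sso_profile_for(rp_root, entity_id):
    """The saml:SAML2SSOProfile element of the RelyingParty whose id equals entity_id, or None."""
    for party in rp_root.iter(f"{{{NS['rp']}}}RelyingParty"):
        if party.get("id") == entity_id:
            for prof in party.iter(f"{{{NS['rp']}}}ProfileConfiguration"):
                if prof.get(f"{{{NS['xsi']}}}type") == "saml:SAML2SSOProfile":
                    return prof
    return None


def audit_trust(relying_party_xml, sp_metadata_xml):
    """Return a list of findings; an empty list means the two files are consistent."""
    findings = []
    rp_root = ET.fromstring(relying_party_xml)
    md_root = ET.fromstring(sp_metadata_xml)
    entity_id = md_root.get("entityID")

    prof = sso_profile_for(rp_root, entity_id)
    if prof is None:
        findings.append(f"no rp:RelyingParty id='{entity_id}' with a SAML2SSOProfile; the default relying party would apply")
        return findings

    # IdP 2.x defaults assumed here: signResponses="conditional", signAssertions="never".
    if prof.get("signResponses", "conditional") == "never" and prof.get("signAssertions", "never") != "always":
        findings.append("neither the response nor the assertion is always signed; the SP cannot verify them")

    for acs in md_root.iter(f"{{{NS['md']}}}AssertionConsumerService"):
        loc = acs.get("Location", "")
        parts = urlparse(loc)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            findings.append(f"AssertionConsumerService Location '{loc}' is not an absolute URL")
        elif parts.scheme == "http" and prof.get("encryptAssertions", "conditional") == "never":
            findings.append(f"unencrypted assertion is posted to plain-http ACS '{loc}'")

    for cert in md_root.iter(f"{{{NS['ds']}}}X509Certificate"):
        if not looks_like_der_certificate(cert.text or ""):
            findings.append("SP X509Certificate is not base64 DER; the placeholder is probably still there")
    return findings


if __name__ == "__main__":
    for line in audit_trust(RELYING_PARTY_XML, SP_METADATA_XML):
        print(line)
```

On the post's values the audit passes the entityID and signing checks and reports two things: the assertion is signed but not encrypted and is posted to http://localhost:4502, and the certificate element still holds the placeholder. The first is tolerable on a single developer machine and becomes a real exposure as soon as AEM moves off localhost; the second would make the IdP unable to validate the SP's requests.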
4.2 Under /etc/key in the repository, create a node called "saml". Inside this node, add a property called "idp_cert" of type BINARY holding the public certificate of the IdP, i.e., upload the file C:/saml_idp/credentials/idp.crt.
4.3 Add a second property called "private" of type BINARY holding the private key that belongs to the public certificate in the metadata file (adobecq.xml), i.e., upload the file C:\saml_idp\credentials\pkcs8.key.
4.4 Open http://localhost:4502/system/console/configMgr -> Adobe Granite SAML 2.0 Authentication Handler and configure it.
4.5 Now open the Apache Sling Referrer Filter in the same console and configure it likewise.
(The following lines belong to step 2.2, Configure Tomcat: the remaining attributes of the HTTPS Connector in server.xml, followed by the Tomcat steps that come after it.)
SSLCertificateFile="C:\demo\appserver\apache-tomcat-6.0.45/tomcatcert.pem"
SSLCertificateKeyFile="C:\demo\appserver\apache-tomcat-6.0.45/tomcatkey.pem"
SSLPassword="<Your password>" />
2.3 Copy idp.war from saml_idp/war/idp.war to apache-tomcat-6.0.45/webapps.
2.4 Create the directory apache-tomcat-6.0.45\endorsed and copy the .jar files included in the IdP source endorsed directory into the newly created directory.
Open https://localhost:8443/idp/profile/Status; it should return OK.
Part IV: POST-INSTALLATION
Configure domain name
Open C:\Windows\System32\drivers\etc\hosts
Add the following entries:
0.0.0.0 tavant.com
127.0.0.1 tavant.com localhost
Make a request to AEM at http://<host>:<port>/; it redirects to the IdP login page.
Log in with the user name and password that you configured in OpenDS.
A successful login takes you to the AEM home page.
If you want the details of the user, its login session and its login/expiry time, you can create a filter/servlet.
One of the biggest challenges was capturing the SAML response, since it always got redirected.
Therefore the login time and expiry time were picked from the user node under "home/users"; the user configured in OpenDS is referenced throughout AEM as a remote user.
Major issues faced during integration:
> Trouble in the integration/interaction of the software.
— Get the right combination of software versions.
— Incorrect LDAP URL, user name and password in the configuration files.
> Deployment of the Shibboleth war on Tomcat.
— Corrected by taking care of the jar files.
> Right permissions for the user group in the AEM configuration.
> Unavailability of the required SAML jars at run time.
— Create a bundle of those jar files using bnd.jar and upload the bundle to Felix to remove this error.
> Problem fetching the SAML response in AEM from the IdP, since the response always got forwarded.
— Used the CRX node structure to fetch the response.