Configuring AEM for Single Sign On (SSO) via Microsoft Azure AD
Introduction
Single sign-on (SSO) is an authentication method that lets users securely authenticate to multiple applications and websites with a single set of credentials.
SAML is one protocol for performing SSO authentication and authorization against identity providers such as Active Directory and Okta.
Brief about AEM and SAML
Adobe Experience Manager has built-in support for SAML-based authentication. It can optionally create users on first login and assign them to a group that carries the permissions, using the details received from the “App Federation Metadata URL”.
Adobe Solution:
AEM 6.4-6.5
Installation:
JDK 1.8, AEM 6.4–6.5 author/publish/both
Azure Prerequisites:
Azure AD SAML Signing Certificate, Azure AD Login URL, Azure AD Logout URL, Azure AD Identifier (Entity ID), App Federation Metadata URL
AEM Prerequisites:
AEM served over HTTPS using TLS 1.1 or above
Note:
In this guide we enable SAML-based SSO authentication on the We Retail demo site.
How It Works
Sign-up for Free Azure Account
You can create a free Azure account (see Azure Account).
Creating Azure App
Navigate to the Azure portal.
On the home screen, click the Azure Active Directory icon.
Select Enterprise applications.
In the search box, type Adobe Experience Manager, select Adobe Experience Manager from the result panel, then click the Add button to add the application.
Click Create to create the AEM application in Azure AD for SSO.
Useful link for Configuring Azure AEM Application
After creating the application you will see the following options on the dashboard. By default, a name, application ID and object ID have been generated.
Under “Set up single sign on”, click the “Get started” link.
Select SAML as the single sign-on method.
In the Basic SAML Configuration section, click Edit and enter the following:
- In the Identifier text box, type a unique value that you define on your AEM server as well.
- In the Reply URL text box, type a URL using the following pattern: https://<AEM Server Url>/saml_login
On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click Download for Certificate (Base64) and save it on your computer.
In the Set up Adobe Experience Manager section, copy the following URLs; they are needed in the AEM configuration later.
1. Login URL
2. Azure AD Identifier
3. Logout URL
Go to the AEM application created in the earlier steps. In the left-hand navigation, select Users and groups.
Click the Add user/group button to add a new user.
Search for and select the user, then save, as shown below.
Initialising the Key Store (if not already done):
Open the Authentication Service user.
Initialise the key store by clicking “Create KeyStore” as shown below.
Note the key store password; it is needed later in the SAML handler configuration.
Installing Azure AD SAML Signing Certificate in AEM:
AEM 6.4–6.5 Author/Publish:
Open the Global Trust Store.
Click “Add Certificate from CER file” and upload the certificate. Make sure to leave the “Map Certificate to User” text box empty.
Copy the alias name; it is used later as the IDP Certificate Alias.
SAML Authentication Handler:
Here we configure the “SAML Authentication Handler” using the details from Microsoft Azure AD and the certificate alias. In the Config Manager, navigate to “Adobe Granite SAML 2.0 Authentication Handler” and configure the following properties:
Go to http://localhost:4502/system/console/configMgr and search for “Adobe Granite SAML 2.0 Authentication Handler”.
- Paths — Since we are using the “We Retail” demo site for this blog, enter the paths under which the SAML handler should intercept requests and redirect to the login URL: /content/we-retail and /content/we-retail/
- IDP URL — Enter the Azure AD Login URL
- IDP Certificate Alias — Enter the certificate alias copied after uploading the certificate to the Global Trust Store.
- Service Provider Entity ID — Enter the Azure AD Identifier (Entity ID)
- Password of Key Store — The key store password set while initialising the key store above.
- User ID attribute — The SAML attribute used to create the user and log in to AEM. The available attributes are listed in the “App Federation Metadata URL” received from Azure AD (example: `nameidentifier`).
- Auto create CRX Users — Keeping it checked creates a user in AEM from the User ID attribute specified above.
- Add to Groups — When checked, created/logged-in users are added to the group named in the next property.
- Default Groups — The group to which created/logged-in users are added.
- NameIDPolicy Format — Enter the following value: urn:oasis:names:tc:SAML:2.0:nameid-format:transient
- Synchronized attributes (Optional) — Mapping of AEM user properties to the attributes available in the “App Federation Metadata URL”, persisted in CRX.
- Logout URL (Optional) — Azure AD Logout URL
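As an added example that is not part of the original post, the Python script below pulls the values used in the properties above (Azure AD Identifier, Login URL, Logout URL and the signing certificate) out of the App Federation Metadata document, wraps the certificate in the .cer format the Global Trust Store accepts, and computes its SHA-1 fingerprint so it can be compared with the thumbprint shown in the Azure portal before the certificate is trusted. The metadata document here is a constructed sample with an all-zero tenant id and placeholder certificate bytes; fetch the real document from your tenant's metadata URL and pass its text in.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Constructed sample in the shape Azure AD serves at the App Federation Metadata URL;
# the tenant id is all zeros and the certificate is placeholder bytes, not a real cert.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>QUJDREVGR0hJSg==</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def to_pem(cert_b64: str) -> str:
    # Wrap the bare base64 from the metadata as a .cer file for "Add Certificate from CER file"
    body = "".join(cert_b64.split())
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

def parse_azure_metadata(xml_text: str) -> dict:
    # Pull the values the SAML handler and the trust store need out of the metadata
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    cert_b64 = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/"
                        "ds:X509Data/ds:X509Certificate", NS).text
    der = base64.b64decode("".join(cert_b64.split()))

    def location(service: str):
        el = idp.find(f"md:{service}[@Binding='{REDIRECT}']", NS)
        return None if el is None else el.get("Location")
    return {
        "azure_ad_identifier": root.get("entityID"),    # Azure AD Identifier (Entity ID)
        "login_url": location("SingleSignOnService"),   # -> IDP URL
        "logout_url": location("SingleLogoutService"),  # -> Logout URL (Optional)
        "signing_cert_pem": to_pem(cert_b64),           # -> Global Trust Store upload
        # SHA-1 fingerprint: compare with the thumbprint shown in the Azure portal before trusting it
        "cert_sha1": hashlib.sha1(der).hexdigest().upper(),
    }
```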
Apache Sling Referrer Filter
Here we configure the Apache “Sling Referrer Filter”. This filter is AEM's referrer check for modifying (POST) requests, so add only the Azure login host rather than a wildcard. In the Config Manager, navigate to “Apache Sling Referrer Filter” and configure the following properties:
- Allow empty — Tick the check box (the SAML response posted to /saml_login may arrive without a Referer header)
- Allow Hosts — login.microsoftonline.com
- Allow Regex Hosts — login.microsoftonline.com
Adding Mixin Types in CRX
Here we add mixin types to the content nodes in AEM under which the SAML authentication handler should work. Since we are using the “We Retail” demo site, navigate to /content/we-retail in CRXDE Lite and click “Mixin” in the top rail.
Add the following mixin:
- rep:AccessControllable
- cq:ReplicationStatus
- granite:AuthenticationRequired
Click OK and then “Save All” in the top rail.
You can now test by opening any link beneath /content/we-retail. For example:
http://localhost:4502/content/we-retail/language-masters/en.html
Note: If the group is not configured beforehand, the page will open with an HTTP 404 response. This means the user has logged in but still lacks permission to access the page. Configure the permissions at the group level; refer to the following snapshots.
You can check whether the user has logged in by looking in CRXDE.