Configuring AEM for Single Sign On (SSO) via Microsoft Azure AD

AEM Blogger
May 31, 2021

Introduction

Single sign-on (SSO) is an authentication method that enables users to securely authenticate with multiple applications and websites by using just one set of credentials.

SAML can be used to perform SSO authentication and authorization against identity providers such as Active Directory and Okta.

Brief about AEM and SAML

Adobe Experience Manager has built-in support for SAML-based authentication. If required, it can create users in the repository and assign them to a group for permission management, using the details received from the “App Federation Metadata URL”.

Adobe Solution:

AEM 6.4-6.5

Installation:

JDK 1.8; AEM 6.4–6.5 author, publish, or both

Azure Prerequisites:

Azure AD SAML Signing Certificate, Azure AD Login URL, Azure AD Logout URL, Azure AD Identifier (Entity ID), App Federation Metadata URL

AEM Prerequisites:

AEM served over HTTPS (SSL) using TLS 1.1 or above

Note:

We are enabling SAML-based SSO authentication on the We Retail demo website.

How It Works

Sign-up for Free Azure Account

You can create a free Azure account from the Azure Account page.

Creating Azure App

  1. Navigate to the Azure portal.
  2. On the home screen, click the Azure Active Directory icon.
  3. Select Enterprise applications.
  4. In the search box, type Adobe Experience Manager, select Adobe Experience Manager from the result panel, then click the Add button to add the application.
  5. Click Create to create the AEM application in Azure AD for SSO.

Useful link for Configuring Azure AEM Application

After creating the application you will see the following options on the dashboard. By default a name, application ID and object ID have been generated.

Under “Set up single sign on”, click the “Get Started” link.

Click on SAML to choose the SAML configuration.

In the Basic SAML Configuration section, click Edit and enter the following:

  1. In the Identifier text box, type a unique value that you define on your AEM server as well.
  2. In the Reply URL text box, type a URL using the following pattern: https://<AEM Server Url>/saml_login

On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click Download to download the Certificate (Base64) from the given options as per your requirement and save it on your computer.

On the Set up Adobe Experience Manager section, copy the appropriate URL(s) as per your requirement:

  1. Login URL
  2. Azure AD Identifier
  3. Logout URL

Go to the AEM application created in the earlier steps. In the left-side navigation, select Users and groups.

Click the Add user/group button to add a new user.

Search for and select the user, then save, as shown below.

Initialising Key Store (If not already done):

Go to the Authentication Service user in the AEM user administration.

Initialise the key store by clicking on “Create KeyStore” as shown below.

Save the password for future use.

Installing Azure AD SAML Signing Certificate in AEM:

AEM 6.4–6.5 Author/Publish:

Open the Global Trust Store.

Click on “Add Certificate from CER file” and upload the certificate. Make sure to leave the “Map Certificate to User” text box empty.

Copy the Alias name. This will be used later.

SAML Authentication Handler:

Here we will configure the “SAML Authentication Handler” configuration using the details from Microsoft Azure AD and the certificate Alias. Inside Config Manager, navigate to “Adobe Granite SAML 2.0 Authentication Handler” and configure the following properties:

Go to http://localhost:4502/system/console/configMgr and search for Adobe Granite SAML 2.0 Authentication Handler

  1. Paths — Since we are using the “We Retail” demo site for this blog, enter the paths below; the SAML handler listens on these paths and redirects unauthenticated requests to the login URL: /content/we-retail and /content/we-retail/
  2. IDP URL — Enter the Azure AD Login URL
  3. IDP Certificate Alias — Enter the certificate alias received after uploading the certificate to the global trust store.
  4. Service Provider Entity ID — Enter the Azure AD Identifier (Entity ID)
  5. Password of Key Store — The key store password entered while initialising the key store above.
  6. User ID attribute — The SAML metadata attribute that will be used to create the user and log in to AEM. The list of attributes can be found in the “App Federation Metadata URL” received from Azure AD. (Example: `nameidentifier`)
  7. Auto create CRX Users — Keeping it checked will create a user in AEM using the User ID attribute specified above.
  8. Add to Groups — Checking it will add the created/logged-in users to the group named in the next property.
  9. Default Groups — The group to which the created/logged-in users will be added.
  10. NameIDPolicy Format — Enter the following value: urn:oasis:names:tc:SAML:2.0:nameid-format:transient
  11. Synchronized attributes (Optional) — Mapping of user properties in AEM to the metadata attributes available in the “App Federation Metadata URL”, to be persisted in CRX
  12. Logout URL (Optional) — Azure AD Logout URL

Apache Sling Referrer Filter

Here we will configure the Apache “Sling Referrer Filter” configuration. Inside config manager, navigate to “Apache Sling Referrer Filter” and configure the following properties:

  1. Allow empty — Check the check box
  2. Allow Hosts — login.microsoftonline.com
  3. Allow Regex Hosts — login.microsoftonline.com
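The two configurations above (the SAML Authentication Handler and the Sling Referrer Filter) as deployable OSGi config files, written as an added example that is not part of the original post. The PIDs and property keys are AEM's; the values are the post's We Retail settings, with <PLACEHOLDERS> for tenant-specific values, a constructed group name, and the key store password read from the environment rather than committed with the config.

```shell
#!/bin/sh
# Added example (not from the original post): writes the SAML handler and
# Referrer Filter configurations as .cfg.json files that an AEM 6.5 project
# can deploy from its OSGi config folder. <PLACEHOLDERS> must be replaced with
# the values copied from the Azure portal; the group name is constructed.
set -eu

write_saml_handler_config() {   # $1 = output directory
  : "${SAML_KEYSTORE_PASSWORD:?set SAML_KEYSTORE_PASSWORD to the key store password}"
  mkdir -p "$1"
  # Factory configuration: one handler instance per set of protected paths.
  cat > "$1/com.adobe.granite.auth.saml.SamlAuthenticationHandler~we-retail.cfg.json" <<EOF
{
  "path": ["/content/we-retail", "/content/we-retail/"],
  "idpUrl": "<AZURE-AD-LOGIN-URL>",
  "idpCertAlias": "<ALIAS-FROM-GLOBAL-TRUST-STORE>",
  "serviceProviderEntityId": "<AZURE-AD-IDENTIFIER>",
  "keyStorePassword": "${SAML_KEYSTORE_PASSWORD}",
  "userIDAttribute": "nameidentifier",
  "createUser": true,
  "addGroupMemberships": true,
  "defaultGroups": ["we-retail-sso-users"],
  "nameIdFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
  "synchronizeAttributes": ["<IDP-ATTRIBUTE>=profile/<CRX-PROPERTY>"],
  "logoutUrl": "<AZURE-AD-LOGOUT-URL>"
}
EOF
}

write_referrer_filter_config() { # $1 = output directory
  mkdir -p "$1"
  # allow.empty is required because the IdP's SAML response POST can arrive
  # without a Referer header; the allow lists keep other cross-site POSTs blocked.
  cat > "$1/org.apache.sling.security.impl.ReferrerFilter.cfg.json" <<'EOF'
{
  "allow.empty": true,
  "allow.hosts": ["login.microsoftonline.com"],
  "allow.hosts.regexp": ["login\\.microsoftonline\\.com"]
}
EOF
}

# Usage: SAML_KEYSTORE_PASSWORD=... sh saml-config.sh <path-to-osgiconfig-folder>
if [ -n "${1:-}" ]; then
  write_saml_handler_config "$1"
  write_referrer_filter_config "$1"
fi
```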

Adding Mixin Types in CRX

Here we will add some mixin types to the content nodes in AEM under which the SAML authentication handler should work. Since we are using the “We Retail” demo site, navigate to /content/we-retail and from the top rail click on “Mixin”.

Add the following mixin:

  1. rep:AccessControllable
  2. cq:ReplicationStatus
  3. granite:AuthenticationRequired

Click OK and then “Save All” from the top rail.

You can now test by opening any link beneath /content/we-retail. For example:

http://localhost:4502/content/we-retail/language-masters/en.html

Note: If the group has not been configured beforehand, the page will open with an Error 404 response code. This signifies that the user has logged in, but the user still needs permission to access the page. Please configure the permissions at the group level. Refer to the following snapshots.

You can check whether the user has logged in by looking for the auto-created user in CRXDE.
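A small smoke test for the finished setup, added here as an example that is not part of the original post. classify_response() interprets an HTTP status the way the testing note above does (302 to Azure AD: the handler intercepted the path; 200: authenticated and authorized; 404: logged in but the default group lacks read permission); probe_page() runs it against a live instance, and user_exists() uses the Query Builder to confirm the handler auto-created the user. AEM_URL, AEM_ADMIN and the page path are assumed defaults for the post's local author instance.

```shell
#!/bin/sh
# Added example (not part of the original post): smoke test for the We Retail
# SAML setup. Status codes are interpreted as the post's testing note describes.
set -eu
AEM_URL="${AEM_URL:-http://localhost:4502}"          # assumed local author
PAGE="/content/we-retail/language-masters/en.html"   # page used in the post

classify_response() {   # $1 = HTTP status code, $2 = Location header (may be empty)
  case "$1" in
    302|303)
      case "$2" in
        *login.microsoftonline.com*) echo "redirect-to-azure-ad" ;;
        *) echo "redirect-elsewhere:$2" ;;
      esac ;;
    200) echo "authenticated-and-authorized" ;;
    404) echo "logged-in-but-group-lacks-read-permission" ;;
    *)   echo "unexpected-status-$1" ;;
  esac
}

probe_page() {          # $1 = optional login-token cookie value for an authenticated probe
  if [ -n "${1:-}" ]; then set -- -H "Cookie: login-token=$1"; else set --; fi
  # -D - dumps response headers to stdout; the body is discarded.
  hdrs=$(curl -sS -o /dev/null -D - "$@" "$AEM_URL$PAGE" | tr -d '\r')
  code=$(printf '%s\n' "$hdrs" | head -n 1 | cut -d' ' -f2)
  loc=$(printf '%s\n' "$hdrs" | awk 'tolower($1)=="location:" {print $2}')
  classify_response "$code" "$loc"
}

user_exists() {         # $1 = user id (the nameidentifier value stored by the handler)
  # Succeeds (exit 0) when Query Builder reports at least one rep:User with that id.
  curl -sS -u "${AEM_ADMIN:-admin:admin}" \
    "$AEM_URL/bin/querybuilder.json?path=/home/users&type=rep:User&property=rep:authorizableId&property.value=$1" \
    | grep -q '"total":[1-9]'
}
```

An anonymous probe_page should report redirect-to-azure-ad; a probe with a valid login-token should report authenticated-and-authorized once the default group has read permission on /content/we-retail.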


I am Prabhat Jain, a Java enthusiast, web and certified AEM architect and developer. I love following new technological trends and coding on exciting business