Simple, Local SAML Integration With AEM + Gotchas | Perficient Digital

Simple, Local SAML Integration With AEM + Gotchas

If you’ve configured SAML with AEM and done a Google search on the matter, you’d have likely come across one of these lengthy examples: [1] [2] [3] [4] or looked at the Official AEM Doc for SAML integration. In this article, I’d like to show you 2 things:

  1. The fastest local SAML setup (which takes a couple of minutes). It might also be helpful for you to look at a working sample integration to test login behavior and other things quickly without necessarily understanding SAML or how it works.
  2. Some Gotchas from the Official AEM doc for SAML integration.

So let’s get to it!

The Fastest Local SAML Setup

(Github Repo)

For this, I’ve built a docker image with everything needed for the integration and documented the steps in the aem-saml Github repo.

If you follow the steps, it should take about 5 minutes to complete!

 

Gotchas from the Official AEM doc for SAML integration

Most notes below are for things that are NOT documented in the Official AEM Doc for SAML integration as of 06/24/2019. Adobe, if you’re seeing this, please update the docs.

 

Gotcha #1: Adding the IdP Certificate to the AEM TrustStore

From Adobe Docs for 6.5:That’s how you did that for AEM 6.3 and below.

For AEM 6.4+ this is should be done following my document here.

 

Gotcha #2: The Assertion Consumer Service URL

A good explanation of this URL can be found here.

Basically, this is the location on the Service Provider (in this case AEM) that accepts a SAML response. What Adobe does not tell you is that this location should be a URL ending with saml_login and should be provided to your IdP team to configure on their end. An example of this would be http://localhost:4502/content/saml_login or https://mycompany.com/content/saml/login.

Read more here, the section is titled: “The Path configuration and saml_login”

 

Gotcha #3: Add the Service Provider key and certificate chain to the AEM keystore

From Adobe Docs for 6.5:

This whole step is ONLY necessary if the SAML response is encrypted and is NOT related to the SAML certificate. This depends entirely on your IdP, if it does encrypt the SAML response, then ask your IdP team for the Private key and Certificate Chain. If your IdP does not encrypt SAML response, skip this step.

I will continue to update this list of gotchas as I think of more items.

That’s it for now! I wish you a painless AEM/SAML Integration

Leave a Reply