Enabling SSO with CQ5 – Part III

26 / Mar / 2014 by Geetika Chhabra 2 comments

In previous part , we discussed protecting CQ5 author instance when CQ5 acts as a service provider (SP). In this blog post, we’ll cover how to protect any published resource/website. We’ll be using Shibboleth SP for the same.

Necessary Steps: 

  1. Installing LDAP Server.
  2. Installing Shibboleth IdP.
  3. Installing Apache tomcat on Ubuntu.
  4. Configuring Shibboleth IdP.
  5. Installation of SP.
  6. Make Apache aware of shibboleth
  7. The configuration of Shibboleth SP and providing it to IdP.
  8. Protecting and accessing the CQ published resource.

Steps 1-4 have already been covered in Part  I. Subsequent steps are explained below :

  1. Installation of SP

Installing SP and it’s configuration was a bit difficult task for me as the existing documentation was not very clear. I would like to mention few important points and brief the installation steps below .

  • Installing Apache2

[shell]sudo apt-get install apache2[/shell]

  • Installing Shibboleth SP

Easiest way to install SP is via command line.

[shell]sudo apt-get install libapache2-mod-shib2 shibboleth-sp2-schemas[/shell]

When the installation is completed, various components of Shibboleth will be placed in appropriate directories based on the OS file system layout. You may check:

  • Shibboleth configuration files will be placed at /etc/shibboleth/ and the necessary Apache configuration  in /etc/httpd/conf.d/shib.conf
  • shibd will be installed to /usr/sbin and may be managed using /sbin/service and /sbin/chkconfig
  • An appropriate version of mod_shib and other pluggable modules will be installed to /usr/lib/shibboleth/
  • Logs will be located in /var/log/shibboleth/shibd.log

The installation directory structure may vary depending upon the OS version/type you are using. It might happen that some of the folders/files mentioned above might not be present in your file system. In my case, I was not able to see /etc/httpd/conf.d/shib.conf file . If same thing happens with you, then make all apache related configurations in apache2.conf file as per the apache installation directory structure in your system.

  • Initial testing can be done by hitting the URL http://localhost/Shibboleth.sso/Status .

  1. Make Apache aware of Shibboleth

Tell apache where to find the mod_shib you just installed (assuming you are using Apache 2.2). Add the below line in apache2.conf file.

[shell] LoadModule mod_shib /usr/lib/apache2/modules/mod_shib_22.so [/shell]

Note : (For CQ only ) If you have enabled dispatcher, make sure you specify the above line before dispatcher loading i.e. shibd should load before dispatcher gets load.

  1. Configuration of Shibboleth SP and providing it to IdP.

The way shibboleth works is by running a daemon called shibd at the same time apache runs, and then mod_shib.so knows how to talk to shibd.

  • Configure /etc/shibboleth/shibboleth2.xml

    This file tells mod_shib and shibd all about your setup. It is probably already full of data, but be careful – you need to configure it to know which IdP you’re connecting to. Take a backup of the original file before directly editing this one.

    • Make sure the ‘entityID’ points at your machine. Update the entityID in  <ApplicationDefaults> tag as follows . (You can provide your own ID as well)

    [xml]&amp;lt;ApplicationDefaults REMOTE_USER=&amp;quot;eppn persistent-id targeted-id&amp;quot; entityID=&amp;quot;http://&amp;lt;your domain&amp;gt;/shibboleth&amp;quot;&amp;gt;[/xml]

    I’ll be using   as  the Entity Id.

    • Configure the IdP you want to use. Provide the entity ID of the IdP configured in part I or you can simply copy the entity ID present in <SAML_IDP_HOME>/metadata/idp-metadata.xml file

    [xml]&amp;lt;SSO entityID=&amp;quot;https://idp.intelligrape.com/idp/shibboleth&amp;quot;&amp;gt;SAML2 SAML1&amp;lt;/SSO&amp;gt;[/xml]

    • Also, specify from where the IdP’s metadata will come from. At the IdP server , copy its metadata file idp-metadata.xml located at <SAML_IDP_HOME>/metadata directory and place it at your SP server at location /etc/shibboleth/ directory. Add the below tag in /etc/shibboleth/shibboleth2.xml if not already present.

    [xml] &amp;lt;MetadataProvider type=&amp;quot;XML&amp;quot; file=&amp;quot;idp-metadata.xml&amp;quot;/&amp;gt;[/xml]

  • Configure SP’s Metadata file

    • If you read the instructions at the shibboleth site they seem to VERY STRONGLY IMPLY that you need to construct your own Metadata file for an SP. It is PARTLY true. To start off with, let provide a Metadata file for you. shibd will create one on-the-fly and serve it to you auto-matically.

    • Copy and paste the contents in a file say sp-metadata.xml. Save this file to the location <SAML_IDP_HOME>/metadata. Once you create or acquire metadata for SP, you must supply it to the IdP. Similarly, the IdP MUST supply its metadata to the SP which was already done in the previous step.

    • At IdP server add the following to the relying-party.xml file (at <SAML_IDP_HOME>/conf/) just after the IdP’s own metadata is defined:

    [xml]&amp;lt;metadata:MetadataProvider xsi:type=&amp;quot;FilesystemMetadataProvider&amp;quot; xmlns=&amp;quot;urn:mace:shibboleth:2.0:metadata&amp;quot;
    id=&amp;quot;SPMETADATA&amp;quot; metadataFile=&amp;quot;&amp;lt;SAML_IDP_HOME&amp;gt;/metadata/sp-metadata.xml&amp;quot;/&amp;gt;[/xml]

  • In relyingParty.xml, we need to specify the details of IdP’s metadata and any other service provider’s metadata file that relies on our IdP. IdP’s metadata file is already provided in Part I. While specifying the relying party and metadata of SP, value of Provider attribute in <rp:RelyingParty> tag should be the same as that of EntityId specified in above metadata file. Also, change encryptAssertions attribute to “never”.

    [xml]&amp;lt;rp:RelyingParty id=&amp;quot;my.domain.com&amp;quot; provider=&amp;quot;http://my.domain.com/shibboleth&amp;quot; defaultSigningCredentialRef=&amp;quot;IdPCredential&amp;quot;
    &amp;lt;rp:ProfileConfiguration xsi:type=&amp;quot;saml:SAML2SSOProfile&amp;quot; inclu deAttributeStatement=&amp;quot;true&amp;quot;
    assertionLifetime=&amp;quot;PT5M&amp;quot; assertionProxyCount=&amp;quot;0&amp;quot;
    signResponses=&amp;quot;never&amp;quot; signAssertions=&amp;quot;always&amp;quot;
    encryptAssertions=&amp;quot;never&amp;quot; encryptNameIds=&amp;quot;never&amp;quot;
    &amp;lt;rp:ProfileConfiguration xsi:type=&amp;quot;saml:SAML2ArtifactResolutio nProfile&amp;quot; signResponses=&amp;quot;never&amp;quot; signAssertions=&amp;quot;always&amp;quot;
    encryptAssertions=&amp;quot;never&amp;quot; encryptNameIds=&amp;quot;never&amp;quot;/&amp;gt;
    &amp;lt;/rp:RelyingParty&amp;gt; [/xml]

  • Modify the /etc/shibboleth/attribute-map.xml file to have list of all the attributes being released from IdP. There are already a lot of attributes mentioned in the file but are commented out. You can find out your own attribute and uncomment it or you can use the below.

[xml]&amp;lt;Attribute name=&amp;quot;urn:mace:dir:attribute-def:uid&amp;quot; id=&amp;quot;uid&amp;quot;/&amp;gt;[/xml]

  1. Protecting and accessing the CQ published resource.

    • In apache2.conf , enable the dispatcher if not already enabled. You can refer the existing documentation or this excellent blog can be followed.

    • We can use shibboleth to secure the published content. Only authenticated users can access a resource , otherwise the request should not be processed. Below is the block diagram for how the request is processed.

    •  In order to check that SP is working, protect a directory by acquiring a shibboleth session. Add the below in shib.conf (if present in your system) , otherwise you can specify the same in httpd.conf file. For ubuntu , you can specify it in the file where virtual hosts entries are present. In my case it was /etc/apache2/sites-available/default . It may vary depending upon the installation structure.

      [xml]&amp;lt;Location /path/to/secure/content&amp;gt;
      # this Location directive is what redirects apache over to the IdP.
      AuthType shibboleth
      ShibRequestSetting  requireSession 1
      require valid-user

      Note that the path mentioned in Location element is relative to the Directory root. A sample configuration can be found at the end of the document.

    • Try to  access the published page , you should be presented with a IDP login page. Pass the valid credentials to access the page.

Note that this configuration can be used to protect any cached website/directory. This implementation is not just limited to CQ.

Troubleshooting :

  • Please make sure to restart tomcat to reflect the changes you do in IdP’s configuration files. For starting/shutting tomcat , go to <TOMCAT_HOME>/bin and run the startup.sh/shutdown.sh respectively.

  • Restart apache server after every change in the apache.conf files.

  • If you have enabled dispatcher module for CQ, make sure you enable it for CQ cached directory only to avoid unwanted errors.

[xml]&amp;lt;Directory /path/to/CQ/cached/content&amp;gt;
&amp;lt;IfModule disp_apache2.c&amp;gt;
SetHandler dispatcher-handler
Options FollowSymLinks
AllowOverride None

  • When you access the published page, make sure not to specify the port no <4503>.

  • Sample Virtual Host Entry in apache configuration .

[xml]&amp;lt;VirtualHost *:80&amp;gt;
ServerAdmin webmaster@localhost
ServerName publish.intelligrape.com

DocumentRoot /var/cache/apache2/cq-cache
&amp;lt;Directory /&amp;gt;
Allow from all
Options FollowSymLinks MultiViews
AllowOverride None

&amp;lt;Location /content&amp;gt;
AuthType shibboleth
ShibRequireSession On
require valid-user

ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
&amp;lt;/VirtualHost&amp;gt; [/xml]

Reference Links






comments (2)

  1. Tridib Bolar

    Thank you Geetika, the blog is really very helpful.
    I am facing an issue to integrate AEM 6.1 with OKTA SSO. I provide following configuration in OKTA end. 1) SP URL, 2) NameIDFormat – “urn:oasis:names:tc:SAML:2.0:nameid-format:transient” rest of the configurations are default. In AEM end I provide following information, 1) IDP URL (OKTA URL), 2) Service Provider Entity ID, 3) Create trust store by supplying the password & then upload the IdP certificate 4) Create KeyStore by supplying the password 5) Rest of the configuration I did as per the “http://www.aemstuff.com/blogs/july/saml.html” URL. But when I am trying to execute the AEM I am getting “com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request” warning and the screen is blinking continuously. I may have to provide some public or private key, but I am not sure who will provide that key and where I have to import that. Could you please help me on this issue?


  2. Vijay

    Thanks for your efforts, i found your blog very helpful.
    I have a question that definitely was not required to be covered in this blog but is a requirement in our scenario. The IDM we are connecting with only give us Authentication, for authorization we are relying on CQ. So how do I invoke a sling auth handler , create a CQ session and can get the user’s permission?


Leave a Reply

Your email address will not be published. Required fields are marked *