{"id":11944,"date":"2014-03-26T16:17:48","date_gmt":"2014-03-26T10:47:48","guid":{"rendered":"http:\/\/www.tothenew.com\/blog\/?p=11944"},"modified":"2024-01-02T17:50:05","modified_gmt":"2024-01-02T12:20:05","slug":"enabling-sso-with-cq5-part-iii","status":"publish","type":"post","link":"https:\/\/www.tothenew.com\/blog\/enabling-sso-with-cq5-part-iii\/","title":{"rendered":"Enabling SSO with CQ5 \u2013 Part III"},"content":{"rendered":"<p dir=\"ltr\">In the <a href=\"http:\/\/www.tothenew.com\/blog\/enabling-sso-with-cq5-part-ii\/\" target=\"_blank\" rel=\"nofollow noopener\">previous part<\/a>, we discussed protecting the <a title=\"AEM Development Services\" href=\"http:\/\/www.tothenew.com\/wcm\/cq-aem-development-consulting\">CQ5 author instance<\/a> when CQ5 acts as a service provider (SP). In this blog post, we&#8217;ll cover how to protect any published resource\/website. We&#8217;ll be using <strong>Shibboleth SP<\/strong> for the same.<\/p>\n<p dir=\"ltr\"><strong>Necessary Steps:<\/strong><\/p>\n<div>\n<ol>\n<li>Installing LDAP Server.<\/li>\n<li>Installing Shibboleth IdP.<\/li>\n<li>Installing Apache Tomcat on Ubuntu.<\/li>\n<li>Configuring Shibboleth IdP.<\/li>\n<li>Installation of SP.<\/li>\n<li>Make Apache aware of Shibboleth.<\/li>\n<li>Configuration of Shibboleth SP and providing it to IdP.<\/li>\n<li>Protecting and accessing the CQ published resource.<\/li>\n<\/ol>\n<p>Steps 1-4 have already been covered in <a href=\"http:\/\/www.tothenew.com\/blog\/enabling-sso-with-cq5-part-i\/\" target=\"_blank\" rel=\"nofollow noopener\">Part I<\/a>. 
Subsequent steps are explained below:<\/p>\n<\/div>\n<ol start=\"5\">\n<li>\n<p dir=\"ltr\"><strong>Installation of SP<\/strong><\/p>\n<\/li>\n<\/ol>\n<p dir=\"ltr\">Installing SP and its configuration was a bit of a difficult task for me, as the existing documentation was not very clear. I would like to mention a few important points and outline the installation steps below.<\/p>\n<ul>\n<li>\n<p dir=\"ltr\"><strong>Installing Apache2<\/strong><\/p>\n<\/li>\n<\/ul>\n<p>[shell]sudo apt-get install apache2[\/shell]<\/p>\n<ul>\n<li>\n<p dir=\"ltr\"><strong>Installing Shibboleth SP<\/strong><\/p>\n<\/li>\n<\/ul>\n<p dir=\"ltr\">The easiest way to install SP is via the command line.<\/p>\n<p>[shell]sudo apt-get install libapache2-mod-shib2 shibboleth-sp2-schemas[\/shell]<\/p>\n<p dir=\"ltr\">When the installation is completed, the various components of Shibboleth will be placed in the appropriate directories based on the OS file system layout. You may check:<\/p>\n<ul>\n<li>Shibboleth configuration files will be placed at <code>\/etc\/shibboleth\/<\/code> and the necessary Apache configuration in <code>\/etc\/httpd\/conf.d\/shib.conf<\/code><\/li>\n<li>shibd will be installed to <code>\/usr\/sbin<\/code> and may be managed using <code>\/sbin\/service<\/code> and <code>\/sbin\/chkconfig<\/code><\/li>\n<li>An appropriate version of <code>mod_shib<\/code> and other pluggable modules will be installed to <code>\/usr\/lib\/shibboleth\/<\/code><\/li>\n<li>Logs will be located in <code>\/var\/log\/shibboleth\/shibd.log<\/code><\/li>\n<\/ul>\n<p dir=\"ltr\">The installation directory structure may vary depending upon the OS version\/type you are using. 
It might happen that some of the folders\/files mentioned above are not present in your file system. In my case, I was not able to see the <code>\/etc\/httpd\/conf.d\/shib.conf<\/code> file. If the same thing happens to you, then make all Apache related configuration in the <code>apache2.conf<\/code> file, as per the Apache installation directory structure in your system.<\/p>\n<ul>\n<li>\n<p dir=\"ltr\">Initial testing can be done by hitting the URL http:\/\/localhost\/Shibboleth.sso\/Status.<\/p>\n<\/li>\n<\/ul>\n<ol start=\"6\">\n<li>\n<p dir=\"ltr\"><strong>Make Apache aware of Shibboleth<\/strong><\/p>\n<\/li>\n<\/ol>\n<p dir=\"ltr\">Tell Apache where to find the <code>mod_shib<\/code> you just installed (assuming you are using Apache 2.2). Add the line below to the <code>apache2.conf<\/code> file.<\/p>\n<p>[shell]LoadModule mod_shib \/usr\/lib\/apache2\/modules\/mod_shib_22.so[\/shell]<\/p>\n<p dir=\"ltr\">Note (for CQ only): If you have enabled the dispatcher, make sure you specify the above line before the dispatcher is loaded, i.e. the Shibboleth module should load before the dispatcher module gets loaded.<\/p>\n<ol start=\"7\">\n<li>\n<p dir=\"ltr\"><strong>Configuration of Shibboleth SP and providing it to IdP.<\/strong><\/p>\n<\/li>\n<\/ol>\n<p dir=\"ltr\">The way Shibboleth works is by running a daemon called <code>shibd<\/code> at the same time Apache runs; <code>mod_shib.so<\/code> then knows how to talk to <code>shibd<\/code>.<\/p>\n<ul>\n<li>\n<p dir=\"ltr\"><strong>Configure <code>\/etc\/shibboleth\/shibboleth2.xml<\/code><\/strong><\/p>\n<p dir=\"ltr\">This file tells <code>mod_shib<\/code> and <code>shibd<\/code> all about your setup. It is probably already full of data, but be careful &#8211; you need to configure it to know which IdP you&#8217;re connecting to. Take a backup of the original file before editing it directly.<\/p>\n<ul>\n<li>\n<p dir=\"ltr\">Make sure the <code>entityID<\/code> points at your machine. 
Update the <code>entityID<\/code> in the <code>&lt;ApplicationDefaults&gt;<\/code> tag as follows (you can provide your own ID as well).<\/p>\n<\/li>\n<\/ul>\n<p>[xml]&lt;ApplicationDefaults REMOTE_USER=&quot;eppn persistent-id targeted-id&quot; entityID=&quot;http:\/\/&lt;your domain&gt;\/shibboleth&quot;&gt;[\/xml]<\/p>\n<p>I&#8217;ll be using \u00a0 as the Entity ID.<\/p>\n<ul>\n<li>\n<p dir=\"ltr\">Configure the IdP you want to use. Provide the entity ID of the IdP configured in <a href=\"http:\/\/www.tothenew.com\/blog\/enabling-sso-with-cq5-part-i\/\" target=\"_blank\" rel=\"nofollow noopener\">part I<\/a>, or you can simply copy the entity ID present in the <code>&lt;SAML_IDP_HOME&gt;\/metadata\/idp-metadata.xml<\/code> file.<\/p>\n<\/li>\n<\/ul>\n<p>[xml]&lt;SSO entityID=&quot;https:\/\/idp.intelligrape.com\/idp\/shibboleth&quot;&gt;SAML2 SAML1&lt;\/SSO&gt;[\/xml]<\/p>\n<ul>\n<li>\n<p dir=\"ltr\">Also, specify where the IdP&#8217;s metadata will come from. At the IdP server, copy its metadata file <code>idp-metadata.xml<\/code>, located in the <code>&lt;SAML_IDP_HOME&gt;\/metadata<\/code> directory, and place it on your SP server in the <code>\/etc\/shibboleth\/<\/code> directory. Add the below tag in <strong><code>\/etc\/shibboleth\/shibboleth2.xml<\/code><\/strong> if not already present.<\/p>\n<\/li>\n<\/ul>\n<p>[xml]&lt;MetadataProvider type=&quot;XML&quot; file=&quot;idp-metadata.xml&quot;\/&gt;[\/xml]<\/p>\n<\/li>\n<li>\n<p dir=\"ltr\"><strong>Configure SP&#8217;s Metadata file<\/strong><\/p>\n<ul>\n<li>\n<p dir=\"ltr\">If you read the instructions at the Shibboleth site, they seem to VERY STRONGLY IMPLY that you need to construct your own Metadata file for an SP. It is PARTLY true. To start off with, let <code>shibd<\/code> provide a Metadata file for you. 
<code>shibd<\/code> will create one on the fly and serve it to you automatically.<\/p>\n<\/li>\n<li>\n<p dir=\"ltr\">Copy and paste the contents into a file, say <code>sp-metadata.xml<\/code>. Save this file to the location <code>&lt;SAML_IDP_HOME&gt;\/metadata<\/code>. Once you create or acquire metadata for the SP, you must supply it to the IdP. Similarly, the IdP MUST supply its metadata to the SP, which was already done in the previous step.<\/p>\n<\/li>\n<li>\n<p dir=\"ltr\">At the IdP server, add the following to the <code>relying-party.xml<\/code> file (at <code>&lt;SAML_IDP_HOME&gt;\/conf\/<\/code>) just after the IdP\u2019s own metadata is defined:<\/p>\n<\/li>\n<\/ul>\n<p>[xml]&lt;metadata:MetadataProvider xsi:type=&quot;FilesystemMetadataProvider&quot; xmlns=&quot;urn:mace:shibboleth:2.0:metadata&quot;<br \/>\nid=&quot;SPMETADATA&quot; metadataFile=&quot;&lt;SAML_IDP_HOME&gt;\/metadata\/sp-metadata.xml&quot;\/&gt;[\/xml]<\/p>\n<\/li>\n<li>In <strong>relying-party.xml<\/strong>, we need to specify the details of the IdP\u2019s metadata and of the metadata file of any other service provider that relies on our IdP. The IdP\u2019s metadata file is already provided in <a href=\"http:\/\/www.tothenew.com\/blog\/enabling-sso-with-cq5-part-i\/\" target=\"_blank\" rel=\"noopener\">Part I<\/a>. While specifying the relying party and metadata of the SP, the value of the <code>provider<\/code> attribute in the <code>&lt;rp:RelyingParty&gt;<\/code> tag should be the same as the <em>entityID<\/em> specified in the above metadata file. 
Also, change the <code>encryptAssertions<\/code> attribute to \u201cnever\u201d.\n<p>[xml]&lt;rp:RelyingParty id=&quot;my.domain.com&quot; provider=&quot;http:\/\/my.domain.com\/shibboleth&quot; defaultSigningCredentialRef=&quot;IdPCredential&quot;<br \/>\n defaultAuthenticationMethod=&quot;urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport&quot;&gt;<br \/>\n &lt;rp:ProfileConfiguration xsi:type=&quot;saml:SAML2SSOProfile&quot; includeAttributeStatement=&quot;true&quot;<br \/>\n assertionLifetime=&quot;PT5M&quot; assertionProxyCount=&quot;0&quot;<br \/>\n signResponses=&quot;never&quot; signAssertions=&quot;always&quot;<br \/>\n encryptAssertions=&quot;never&quot; encryptNameIds=&quot;never&quot;<br \/>\n includeConditionsNotBefore=&quot;true&quot;\/&gt;<br \/>\n &lt;rp:ProfileConfiguration xsi:type=&quot;saml:SAML2ArtifactResolutionProfile&quot; signResponses=&quot;never&quot; signAssertions=&quot;always&quot;<br \/>\n encryptAssertions=&quot;never&quot; encryptNameIds=&quot;never&quot;\/&gt;<br \/>\n &lt;\/rp:RelyingParty&gt;[\/xml]<\/p>\n<\/li>\n<li>\n<p dir=\"ltr\">Modify the <code>\/etc\/shibboleth\/attribute-map.xml<\/code> file to have a list of all the attributes being released from the IdP. There are already a lot of attributes mentioned in the file, but they are commented out. 
You can find your own attribute and uncomment it, or you can use the one below.<\/p>\n<\/li>\n<\/ul>\n<p>[xml]&lt;Attribute name=&quot;urn:mace:dir:attribute-def:uid&quot; id=&quot;uid&quot;\/&gt;[\/xml]<\/p>\n<ol start=\"8\">\n<li>\n<p dir=\"ltr\"><strong>Protecting and accessing the CQ published resource.<\/strong><\/p>\n<ul>\n<li>\n<p dir=\"ltr\">In <code>apache2.conf<\/code>, enable the dispatcher if not already enabled. You can refer to the <a href=\"http:\/\/dev.day.com\/docs\/en\/cq\/current\/deploying\/dispatcher.html\">existing documentation<\/a> or follow this <a href=\"http:\/\/www.tothenew.com\/blog\/aem-dispatcher-setup-for-linux\/\" target=\"_blank\" rel=\"noopener\">excellent blog<\/a>.<\/p>\n<\/li>\n<li>\n<p dir=\"ltr\">We can use Shibboleth to secure the published content. Only authenticated users can access a resource; otherwise the request should not be processed. Below is the block diagram of how the request is processed.<\/p>\n<\/li>\n<\/ul>\n<p><img decoding=\"async\" loading=\"lazy\" src=\"\/blog\/wp-ttn-blog\/uploads\/2024\/01\/imagew599amph503amprev1065ampac1.png\" alt=\"Block diagram of how the request is processed\" width=\"599\" height=\"503\" \/><\/p>\n<ul>\n<li>\n<p dir=\"ltr\">In order to check that the SP is working, protect a directory by requiring a Shibboleth session. Add the below in <code>shib.conf<\/code> (if present in your system); otherwise you can specify the same in the <code>httpd.conf<\/code> file. For Ubuntu, you can specify it in the file where the virtual host entries are present. In my case it was <code>\/etc\/apache2\/sites-available\/default<\/code>. 
It may vary depending upon the installation structure.<\/p>\n<p>[xml]&lt;Location \/path\/to\/secure\/content&gt;<br \/>\n# this Location directive is what redirects Apache over to the IdP.<br \/>\nAuthType shibboleth<br \/>\nShibRequestSetting requireSession 1<br \/>\nrequire valid-user<br \/>\n&lt;\/Location&gt;[\/xml]<\/p>\n<p dir=\"ltr\">Note that the path mentioned in the Location element is relative to the Directory root. A sample configuration can be found at the end of the document.<\/p>\n<\/li>\n<li>Try to access the published page; you should be presented with an IdP login page. Pass valid credentials to access the page.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<p dir=\"ltr\"><strong>Note that this configuration can be used to protect any cached website\/directory. This implementation is not limited to CQ.<\/strong><\/p>\n<p dir=\"ltr\"><strong>Troubleshooting:<\/strong><\/p>\n<ul>\n<li>\n<p dir=\"ltr\">Please make sure to restart Tomcat to reflect the changes you make in the IdP\u2019s configuration files. 
For starting\/stopping Tomcat, go to <code>&lt;TOMCAT_HOME&gt;\/bin<\/code> and run <code>startup.sh<\/code> or <code>shutdown.sh<\/code> respectively.<\/p>\n<\/li>\n<li>\n<p dir=\"ltr\">Restart the Apache server after every change to the Apache configuration files.<\/p>\n<\/li>\n<li>\n<p dir=\"ltr\">If you have enabled the dispatcher module for CQ, make sure you enable it for the CQ cached directory only, to avoid unwanted errors.<\/p>\n<\/li>\n<\/ul>\n<p>[xml]&lt;Directory \/path\/to\/CQ\/cached\/content&gt;<br \/>\n&lt;IfModule disp_apache2.c&gt;<br \/>\nSetHandler dispatcher-handler<br \/>\n&lt;\/IfModule&gt;<br \/>\nOptions FollowSymLinks<br \/>\nAllowOverride None<br \/>\n&lt;\/Directory&gt;[\/xml]<\/p>\n<ul>\n<li>\n<p dir=\"ltr\">When you access the published page, make sure not to specify the port number (4503).<\/p>\n<\/li>\n<li>\n<p dir=\"ltr\">Sample virtual host entry in the Apache configuration:<\/p>\n<\/li>\n<\/ul>\n<p>[xml]&lt;VirtualHost *:80&gt;<br \/>\nServerAdmin webmaster@localhost<br \/>\nServerName publish.intelligrape.com<br \/>\n<br \/>\nDocumentRoot \/var\/cache\/apache2\/cq-cache<br \/>\n&lt;Directory \/&gt;<br \/>\nAllow from all<br \/>\nOptions FollowSymLinks MultiViews<br \/>\nAllowOverride None<br \/>\n&lt;\/Directory&gt;<br \/>\n<br \/>\n&lt;Location \/content&gt;<br \/>\nAuthType shibboleth<br \/>\nShibRequireSession On<br \/>\nrequire valid-user<br \/>\n&lt;\/Location&gt;<br \/>\n<br \/>\nErrorLog ${APACHE_LOG_DIR}\/error.log<br \/>\nLogLevel warn<br \/>\nCustomLog ${APACHE_LOG_DIR}\/access.log combined<br \/>\n&lt;\/VirtualHost&gt;[\/xml]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In previous part\u00a0, we discussed protecting CQ5 author instance when CQ5 acts as a service provider (SP). In this blog post, we&#8217;ll cover how to protect any published resource\/website. We&#8217;ll be using\u00a0Shibboleth SP for the same. Necessary Steps:\u00a0 Installing LDAP Server. Installing Shibboleth IdP. Installing Apache tomcat on Ubuntu. Configuring Shibboleth IdP. Installation of SP. [&hellip;]<\/p>\n","protected":false},"author":110,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":4},"categories":[1],"tags":[4847,258,1207,1245,1339,1338],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/11944"}],"collection":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/users\/110"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/comments?post=11944"}],"version-history":[{"count":1,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/11944\/revisions"}],"predecessor-version":[{"id":59904,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/11944\/revisions\/59904"}],"wp:attachment":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/media?parent=11944"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/categories?post=11944"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/tags?post=11944"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}