{"id":12066,"date":"2014-03-11T16:00:05","date_gmt":"2014-03-11T10:30:05","guid":{"rendered":"http:\/\/www.tothenew.com\/blog\/?p=12066"},"modified":"2024-01-02T17:50:07","modified_gmt":"2024-01-02T12:20:07","slug":"enabling-sso-with-cq5-part-ii","status":"publish","type":"post","link":"https:\/\/www.tothenew.com\/blog\/enabling-sso-with-cq5-part-ii\/","title":{"rendered":"Enabling SSO with CQ5 &#8211; Part II"},"content":{"rendered":"<div>\n<p>In the <a href=\"http:\/\/www.tothenew.com\/blog\/enabling-sso-with-cq5-part-i\/\" target=\"_blank\" rel=\"noopener\">first part<\/a> of our three-part blog series, we discussed the installation and configuration of the Shibboleth IdP. In this series we focus on the following two use cases:<\/p>\n<\/div>\n<div>\n<p>Use-Case I: Protecting the CQ5 author instance, with CQ5 acting as the SAML service provider (SP).<\/p>\n<div>Use-Case II: Protecting any published resource\/website.<\/div>\n<\/div>\n<div><\/div>\n<div>This blog post covers the first use case and shows how to protect the CQ5 author instance.<\/div>\n<div><\/div>\n<div><strong>Basic Workflow:<\/strong><\/div>\n<div><\/div>\n<div>When a user accesses a protected resource, the SP determines whether the user has an active session. If there is no valid session, the SP prepares a <strong>SAML<\/strong> authentication request and sends it to the IdP. The Shibboleth IdP checks for a valid session on its end; if none exists, a login screen is presented to the user to enter their credentials. The IdP in turn checks the credentials against LDAP, fetches the necessary user information, generates a SAML response and sends it to the SP. The user now tries again to access the protected resource, but this time the user has a session and the SP knows who they are. 
The SP then services the user\u2019s request and sends back the requested data.<\/div>\n<div><\/div>\n<div><strong>AEM supports the SAML 2.0 Authentication Request protocol and can act as a SAML service provider.<\/strong><\/div>\n<div><\/div>\n<div><\/div>\n<div><img decoding=\"async\" loading=\"lazy\" src=\"\/blog\/wp-ttn-blog\/uploads\/2024\/01\/imagew599amph218amprev175ampac1.png\" alt=\"\" width=\"599\" height=\"218\" \/><\/div>\n<div><\/div>\n<div><\/div>\n<div><strong>Necessary Steps:<\/strong><\/div>\n<div><\/div>\n<div>\n<ol>\n<li>Installing the LDAP server.<\/li>\n<li>Installing the Shibboleth IdP.<\/li>\n<li>Installing Apache Tomcat on Ubuntu.<\/li>\n<li>Configuring the Shibboleth IdP.<\/li>\n<li>Creating the SP&#8217;s metadata file (AEM in this case) and providing it to the IdP.<\/li>\n<li>AEM configuration.<\/li>\n<li>Accessing the AEM author instance.<\/li>\n<\/ol>\n<\/div>\n<div>Steps 1-4 have already been covered in <a href=\"http:\/\/www.tothenew.com\/blog\/enabling-sso-with-cq5-part-i\/\" target=\"_blank\" rel=\"noopener\">Part I<\/a>. The remaining steps are explained below:<\/div>\n<div><\/div>\n<div>\n<ol start=\"5\">\n<li><strong>Creating the SP&#8217;s metadata file (AEM in this case) and providing it to the IdP.<\/strong><\/li>\n<\/ol>\n<ul>\n<li>As AEM is acting as the SP, it needs to provide its metadata file to the IdP. 
Create a file, say <code>&lt;SAML_IDP_HOME&gt;\/metadata\/adobecq.xml<\/code>, and paste the following into it:<\/li>\n<\/ul>\n<\/div>\n<p>[xml]&lt;md:EntityDescriptor xmlns:md=&quot;urn:oasis:names:tc:SAML:2.0:metadata&quot; xmlns:ds=&quot;http:\/\/www.w3.org\/2000\/09\/xmldsig#&quot; entityID=&quot;https:\/\/sp.intelligrape.com&quot;&gt;<br \/>\n &lt;md:SPSSODescriptor protocolSupportEnumeration=&quot;urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol&quot;&gt;<br \/>\n  &lt;md:KeyDescriptor&gt;<br \/>\n   &lt;ds:KeyInfo xmlns:ds=&quot;http:\/\/www.w3.org\/2000\/09\/xmldsig#&quot; Id=&quot;SPInfo&quot;&gt;<br \/>\n    &lt;ds:X509Data&gt;<br \/>\n     &lt;ds:X509Certificate&gt;<br \/>\n      &lt;!-- paste the certificate from &lt;SAML_IDP_HOME&gt;\/credentials\/idp.crt here: the base64 body only, without the BEGIN\/END CERTIFICATE lines --&gt;<br \/>\n     &lt;\/ds:X509Certificate&gt;<br \/>\n    &lt;\/ds:X509Data&gt;<br \/>\n   &lt;\/ds:KeyInfo&gt;<br \/>\n  &lt;\/md:KeyDescriptor&gt;<br \/>\n  &lt;md:SingleLogoutService Binding=&quot;urn:oasis:names:tc:SAML:2.0:bindings:SOAP&quot; Location=&quot;http:\/\/idp.intelligrape.com\/Shibboleth.sso\/SLO\/SOAP&quot;\/&gt;<br \/>\n  &lt;md:SingleLogoutService Binding=&quot;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect&quot; Location=&quot;http:\/\/idp.intelligrape.com\/Shibboleth.sso\/SLO\/Redirect&quot;\/&gt;<br \/>\n  &lt;md:SingleLogoutService Binding=&quot;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST&quot; Location=&quot;http:\/\/idp.intelligrape.com\/Shibboleth.sso\/SLO\/POST&quot;\/&gt;<br \/>\n  &lt;md:SingleLogoutService Binding=&quot;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact&quot; Location=&quot;http:\/\/idp.intelligrape.com\/Shibboleth.sso\/SLO\/Artifact&quot;\/&gt;<br \/>\n  &lt;md:AssertionConsumerService Binding=&quot;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST&quot; Location=&quot;http:\/\/localhost:4502\/saml_login&quot; index=&quot;1&quot;\/&gt;<br \/>\n &lt;\/md:SPSSODescriptor&gt;<br \/>\n&lt;\/md:EntityDescriptor&gt;[\/xml]<\/p>\n<ul>\n<li>\n<p dir=\"ltr\">In relyingParty.xml, we specify the IdP&#8217;s own metadata and the metadata file of every service provider that relies on our IdP. The IdP&#8217;s metadata file was already provided in <a href=\"http:\/\/www.tothenew.com\/blog\/enabling-sso-with-cq5-part-i\/\" target=\"_blank\" rel=\"nofollow noopener\">Part I<\/a>. When adding the relying party entry and metadata for AEM (the SP), the value of the <code>provider<\/code> attribute of the <code>&lt;rp:RelyingParty&gt;<\/code> tag must be the same as the <em>entityID<\/em> specified in the metadata file above. 
Also, set the <code>encryptAssertions<\/code> attribute to &#8220;never&#8221; (the AEM handler is configured with encryption disabled in step 6).<\/p>\n<\/li>\n<\/ul>\n<p>[xml]&lt;rp:RelyingParty id=&quot;sp.intelligrape.com&quot; provider=&quot;https:\/\/sp.intelligrape.com&quot; defaultSigningCredentialRef=&quot;IdPCredential&quot;<br \/>\n defaultAuthenticationMethod=&quot;urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport&quot;&gt;<br \/>\n &lt;rp:ProfileConfiguration xsi:type=&quot;saml:SAML2SSOProfile&quot; includeAttributeStatement=&quot;true&quot;<br \/>\n  assertionLifetime=&quot;PT5M&quot; assertionProxyCount=&quot;0&quot;<br \/>\n  signResponses=&quot;never&quot; signAssertions=&quot;always&quot;<br \/>\n  encryptAssertions=&quot;never&quot; encryptNameIds=&quot;never&quot;<br \/>\n  includeConditionsNotBefore=&quot;true&quot;\/&gt;<br \/>\n &lt;rp:ProfileConfiguration xsi:type=&quot;saml:SAML2ArtifactResolutionProfile&quot;<br \/>\n  signResponses=&quot;never&quot; signAssertions=&quot;always&quot;<br \/>\n  encryptAssertions=&quot;never&quot; encryptNameIds=&quot;never&quot;\/&gt;<br \/>\n &lt;rp:ProfileConfiguration xsi:type=&quot;saml:SAML2LogoutRequestProfile&quot;<br \/>\n  signResponses=&quot;conditional&quot;\/&gt;<br \/>\n&lt;\/rp:RelyingParty&gt;[\/xml]<\/p>\n<ul>\n<li>\n<p dir=\"ltr\">Provide the AEM metadata file created in the step above to the IdP by adding a metadata provider for it:<\/p>\n<\/li>\n<\/ul>\n<p>[xml]&lt;metadata:MetadataProvider id=&quot;CQMETADATA&quot; xsi:type=&quot;metadata:FilesystemMetadataProvider&quot;<br \/>\n metadataFile=&quot;\/opt\/shibboleth-idp\/metadata\/adobecq.xml&quot;<br \/>\n maxRefreshDelay=&quot;P1D&quot; \/&gt;[\/xml]<\/p>\n<ol start=\"6\">\n<li><strong>AEM configuration.<\/strong><\/li>\n<\/ol>\n<p>For 
a better understanding of the SAML 2.0 Authentication Handler, please go through the <a href=\"http:\/\/dev.day.com\/content\/docs\/en\/cq\/current\/core\/administering\/saml-2-0-authenticationhandler.html\">official documentation<\/a>. As mentioned in the documentation, we need to provide the public and private keys to AEM. Create a node named <code>saml<\/code> under <code>\/etc\/key<\/code>, then:<\/p>\n<ul>\n<li>Create a binary property <code>idp_cert<\/code> inside this node and upload the <code>idp.crt<\/code> file from <code>&lt;SAML_IDP_HOME&gt;\/credentials\/idp.crt<\/code> to it.<\/li>\n<li>Create a binary property <code>private<\/code> inside this node and upload the converted private key described below to it. The private key must be in PKCS8 format; to convert a PEM-encoded private key to PKCS8 with openssl:<\/li>\n<\/ul>\n<p>[shell]openssl pkcs8 -topk8 -inform PEM -outform DER -in idp.key -nocrypt &gt; pkcs8.key[\/shell]<\/p>\n<p dir=\"ltr\">where <code>idp.key<\/code> is the key to convert and <code>pkcs8.key<\/code> is the resulting PKCS8 (DER-encoded) key.<\/p>\n<ul>\n<li>Update the <em>ReferrerFilter<\/em>: add the <code>&lt;IDP Hostname&gt;<\/code> to its Allow Hosts property, since the IdP posts the SAML response back to AEM.<\/li>\n<\/ul>\n<p>In the <em>Adobe Granite SAML 2.0 Authentication Handler<\/em>:<\/p>\n<ul>\n<li>Set the <em>IdP URL<\/em> to the endpoint where the SAML authentication request should be sent, or simply paste the below:<\/li>\n<li>\n<p dir=\"ltr\">Set the <em>SP provider id<\/em> to the <em>entityID<\/em> specified in the metadata file above (<em>adobecq.xml<\/em>).
<\/p>\n<\/li>\n<li>\n<p dir=\"ltr\">Uncheck the <em>Use Encryption<\/em> property in the <em>Adobe Granite SAML 2.0 Authentication Handler<\/em>.<\/p>\n<\/li>\n<li>\n<p dir=\"ltr\">The <em>User Id<\/em> attribute&#8217;s value should be the ID of the <code>&lt;SAML Attribute&gt;<\/code> that contains the user id used to authenticate the user.<\/p>\n<\/li>\n<li>\n<p dir=\"ltr\">For the <em>GroupMembership<\/em> property, provide the id of the <code>&lt;SAML Attribute&gt;<\/code> that contains the list of groups to which the user will be added after creation. You can add an attribute called <em>\u201cOU\u201d<\/em> to the user profiles maintained in LDAP; its value should be a valid group name present in CRX. Make sure you release the attribute and do the necessary configuration in the <code>&lt;SAML_IDP_HOME&gt;\/conf\/attribute-resolver.xml<\/code> and <code>&lt;SAML_IDP_HOME&gt;\/conf\/attribute-filter.xml<\/code> files. Refer to <a href=\"http:\/\/www.tothenew.com\/blog\/enabling-sso-with-cq5-part-i\/\" rel=\"nofollow\">Part I<\/a> for more details. <strong>Please note that the value of the GroupMembership property must be the same as the ID you give the <em>\u201cOU\u201d<\/em> attribute in the <code>attribute-resolver.xml<\/code> file.<\/strong><\/p>\n<\/li>\n<\/ul>\n<p>Refer to the image below:<\/p>\n<ol start=\"7\">\n<li><strong>Accessing the AEM author instance.<\/strong><\/li>\n<\/ol>\n<ul>\n<li>\n<p dir=\"ltr\">Making a request to AEM at <em>http:\/\/&lt;host&gt;:&lt;port&gt;\/<\/em> should redirect you to the IdP login page. Try to log in with a valid user profile maintained in LDAP. 
You should be able to log in if the credentials are valid and all of the above configuration is correct.<\/p>\n<\/li>\n<\/ul>\n<p dir=\"ltr\"><strong>Troubleshooting Steps:<\/strong><\/p>\n<ol>\n<li>\n<p dir=\"ltr\">After getting the IdP login screen, you log in with an LDAP user&#8217;s credentials and are presented with a 404 error code and an error stack trace on the welcome page.<\/p>\n<\/li>\n<\/ol>\n<p dir=\"ltr\">This means that the imported user does not have the appropriate READ permissions. You could grant READ permission to this user directly, but the appropriate way is to grant READ permission to the group <em>(say &#8220;iggroup&#8221;)<\/em> to which imported LDAP users are assigned as members. This can be achieved by creating a group \u201c<em>iggroup<\/em>\u201d as a member of the \u201ccontributor\u201d group, so that \u201ciggroup\u201d inherits the default permissions of the \u201ccontributor\u201d group. In the <em>SAML authentication handler service<\/em>, we specify the <em>group membership<\/em> attribute which contains the list of groups the newly created user is added to. To achieve this, add an attribute, say <em>ou<\/em>, to the LDAP user profile, and specify the same attribute name in the IdP <code>attribute-filter.xml<\/code> file. The id specified in <code>attribute-filter.xml<\/code> is used as the value of the groupMembership attribute in the SAML handler.<\/p>\n<ol start=\"2\">\n<li>If the IdP login page doesn&#8217;t appear, cross-check the configuration again.<\/li>\n<\/ol>\n<p dir=\"ltr\">References:<\/p>\n<p dir=\"ltr\">http:\/\/helpx.adobe.com\/experience-manager\/kb\/saml-demo.html<\/p>\n<p dir=\"ltr\">http:\/\/dev.day.com\/content\/docs\/en\/cq\/current\/core\/administering\/saml-2-0-authenticationhandler.html<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the first part of our three-part blog series, we discussed the installation and configuration of the Shibboleth IdP. 
We&#8217;ll be focusing on the following two use cases: Use-Case I: Protecting the CQ5 author instance when CQ5 acts as a service provider (SP). Use-Case II: Protecting any published resource\/website. This blog post covers the [&hellip;]<\/p>\n","protected":false},"author":110,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":11},"categories":[1],"tags":[4847,258,1205,1245,1339,1338],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/12066"}],"collection":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/users\/110"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/comments?post=12066"}],"version-history":[{"count":1,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/12066\/revisions"}],"predecessor-version":[{"id":59906,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/12066\/revisions\/59906"}],"wp:attachment":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/media?parent=12066"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/categories?post=12066"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/tags?post=12066"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}