The Beauty of SSO and AEM — Part 2

Wildebeest
5 min read · Apr 21, 2023


In continuation of the previous article (Part 1: The Beauty of SSO and AEM), let's jump into the details of each step needed to configure and set up Okta and AEM.

Setting up the Okta application:

Step 1: Create a new application in Okta.

  • Go to the admin panel: https://your-id.okta.com/admin/dashboard.
  • Select Applications -> Applications, click Add Application and then Create New App.
  • Select Web and SAML 2.0 (fig. 1)
Fig. 1

Step 2: Configure SAML settings in Okta app

The following information will be required to set up the application in Okta properly.

  • Single Sign-On URL: https://your-domain.com/saml_login
  • Recipient URL: https://your-domain.com/saml_login
  • Destination URL: https://your-domain.com/saml_login
  • Audience Restriction: your-domain.com (this can be anything unique)
  • Single Logout URL: https://your-domain.com/saml_logout

Step 3: Configure Advanced Settings

Step 4: Assign Groups & Users to the Application

  • Once the application is set up, click on the setup instructions to fetch the IdP Single Sign-On URL and download the IdP certificate, which will be used in later steps. (fig. 2)
Fig. 2

AEM configuration

*The configurations below are done on the AEM publish instance.

Step 1: Create Trust Store Certificate

  1. Log into the AEM Publish instance.
  2. Configure Okta certificate in the AEM trust store (Tools -> Security -> Trust Store).
  3. Create a Trust Store, upload okta.cert, and submit.

*Make a note of the autogenerated alias, which will be required later in the SAML Authentication Handler config.

Trust Store Certificate

Step 2: Configure Authentication Service

  1. Navigate to the Authentication Service (Tools -> Security -> Users, then find the authentication-service user)
  2. Create a new Keystore
  3. Give the alias a unique name

*Make a note of the aliases, which will be required later in SAML Authentication Handler config.

Authentication Service Screen

Step 3: Configure SAML Authentication Handler

Fill in the following information to complete the configuration of SAML Auth Handler.

  1. Path — path to content
  2. IDP URL — Single Sign-On URL received from the creation of the Okta application
  3. IDP Certificate Alias — Certificate Alias generated from the creation of the Trust Store Key
  4. Service Provider Entity ID — Unique identifier provided in Okta configuration called Audience Restriction
  5. SP Private Key Alias — The alias set in the Authentication Service creation
  6. Password of Key Store — The password used during Trust Store certificate creation
  7. Use Encryption — Set as Unchecked
  8. Autocreate CRX Users — Set as checked to allow auto-creation of AEM users
  9. Add to Groups — Set as checked to associate newly created AEM users to AEM group
  10. Synchronized Attributes — use the following mapping of the attributes between Okta and AEM (AEM=Okta)
      • email=profile/email
      • familyName=profile/familyName
      • givenName=profile/givenName
  11. Handle Logout — Set as checked

Step 4: Configure Apache Sling Referrer Filter

  1. Allow Empty — Set as checked
  2. Specify Allowed hosts — Host URL supplied from your-id.okta.com and/or your-id.oktapreview.com

Step 5: Configure Sling Authentication Service

  1. Allow Anonymous Access — Set as checked
  2. Authentication Requirements — URL to protected content
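The same three configurations (Steps 3 to 5), expressed as OSGi configuration files that can live in a code repository instead of being clicked through, together with a preflight check for the mistakes the troubleshooting list further down warns about. This is an added example, not code from the original post or from Adobe; the PIDs and property names are the documented ones for the SAML Authentication Handler, the Sling Referrer Filter and the Sling Authenticator, while the hostnames, aliases, content path and password reference are constructed placeholders to be replaced with your own values.

```shell
#!/usr/bin/env sh
# Added example, not from the original post: Steps 3-5 as OSGi .cfg.json files
# plus a preflight check. Assumptions: documented PIDs/property names; every
# hostname, alias, path and the password reference are constructed placeholders.

# write_osgi_configs DIR: writes the three config files into DIR
write_osgi_configs() {
  dir="$1"
  mkdir -p "$dir" || return 1
  # Step 3: SAML Authentication Handler (one factory instance per IdP)
  cat > "$dir/com.adobe.granite.auth.saml.SamlAuthenticationHandler~okta.cfg.json" <<'EOF'
{
  "path": ["/content/your-site/secure"],
  "idpUrl": "https://your-id.okta.com/app/PLACEHOLDER/sso/saml",
  "idpCertAlias": "certalias___1682000000000",
  "serviceProviderEntityId": "your-domain.com",
  "spPrivateKeyAlias": "aem-sp-key",
  "keyStorePassword": "$[secret:aemKeyStorePassword]",
  "useEncryption": false,
  "createUser": true,
  "addGroupMemberships": true,
  "synchronizeAttributes": ["email=profile/email", "familyName=profile/familyName", "givenName=profile/givenName"],
  "handleLogout": true
}
EOF
  # Step 4: Apache Sling Referrer Filter (Okta POSTs the SAML response back)
  cat > "$dir/org.apache.sling.security.impl.ReferrerFilter.cfg.json" <<'EOF'
{
  "allow.empty": true,
  "allow.hosts": ["your-id.okta.com", "your-id.oktapreview.com"]
}
EOF
  # Step 5: Sling Authentication Service ("auth.annonymous" is the real, misspelled key)
  cat > "$dir/org.apache.sling.engine.impl.auth.SlingAuthenticator.cfg.json" <<'EOF'
{
  "auth.annonymous": true,
  "sling.auth.requirements": ["+/content/your-site/secure"]
}
EOF
}

# validate_saml_config FILE: prints each problem found, returns 1 if there was any
validate_saml_config() {
  f="$1"
  [ -f "$f" ] || { echo "missing: $f"; return 1; }
  rc=0
  # the SSO URL copied from Okta's setup instructions must be https
  grep -Eq '"idpUrl": *"https://[^"]+"' "$f" || { echo "idpUrl missing or not https"; rc=1; }
  # the aliases noted down during the Trust Store and Authentication Service steps
  grep -Eq '"idpCertAlias": *"[^"]+"' "$f" || { echo "idpCertAlias empty"; rc=1; }
  grep -Eq '"spPrivateKeyAlias": *"[^"]+"' "$f" || { echo "spPrivateKeyAlias empty"; rc=1; }
  # troubleshooting item 1: an empty password can never match the trust store
  grep -Eq '"keyStorePassword": *"[^"]+"' "$f" || { echo "keyStorePassword empty"; rc=1; }
  grep -Eq '"serviceProviderEntityId": *"[^"]+"' "$f" || { echo "serviceProviderEntityId empty"; rc=1; }
  grep -Eq '"path": *\[ *"/[^"]+"' "$f" || { echo "path must be an absolute content path"; rc=1; }
  grep -Eq '"handleLogout": *true' "$f" || { echo "handleLogout should be true"; rc=1; }
  return $rc
}
```

The `$[secret:...]` form is the AEM as a Cloud Service syntax for an environment secret; on an on-premise publish instance the property holds the trust store password itself, which is exactly why the check insists it is not left empty. "Use Encryption" unchecked only means Okta's assertions are not encrypted for AEM; they are still signed, and the signature is verified against the certificate you uploaded to the trust store, so the `idpCertAlias` check matters as much as the password one.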

That concludes all the necessary steps to get SSO working with Okta and AEM. If you run into issues, check the list below for tools and suggestions for common blockers. If not, reach out to us at Wildebee.st for development needs and collaborations.

  1. Incorrect Trust Store password
     • Ensure that the password created with the Trust Store is the same as the one configured in the SAML Authentication Handler, on every publish instance you have.
  2. Use a SAML tracer Chrome extension to help debug the incoming data.
  3. Use AEM Permission Sensitive Caching to avoid any leaking of secured cached pages. The dispatcher will check the user's access permission for a page before serving the cached page.

Generate AEM keys and certificate:

There are numerous methods of creating private/public keys and certificates. The following uses OpenSSL.

  1. Open the command terminal and run the following (the command creates the aem.key private key and the aem.crt certificate):
openssl req -x509 -sha256 -days 365 -newkey rsa:4096 -keyout aem.key -out aem.crt

2. Step through the prompt and answer the questions.

pass: <password>
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server’s hostname) []:
Email Address []:

3. Convert PEM to DER format

openssl rsa -in aem.key -outform der -out aem.der

4. Verify DER key

openssl rsa -in aem.der -inform der -text -noout

5. Convert the DER key to unencrypted PKCS#8 format

openssl pkcs8 -topk8 -inform der -nocrypt -in aem.der -outform der -out aem-pkcs8.der

Now you should have the following generated files at your disposal:

  1. aem-pkcs8.der
  2. aem.crt
  3. aem.der
  4. aem.key
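The five OpenSSL steps above as one non-interactive script, with a check that the certificate and the PKCS#8 key really belong together before they are uploaded to the Authentication Service keystore. This is an added example, not code from the original post; it assumes OpenSSL 1.1.1 or later on the PATH, the `-subj` fields are constructed placeholders standing in for the interactive answers, and the key size argument exists only so that test runs do not have to wait for a 4096-bit key.

```shell
#!/usr/bin/env sh
# Added example, not from the original post: the OpenSSL procedure scripted.
# Assumptions: OpenSSL 1.1.1+ on PATH; subject fields are constructed placeholders.

# generate_aem_keys DIR [BITS]: writes aem.key, aem.crt, aem.der and aem-pkcs8.der into DIR
generate_aem_keys() {
  dir="$1"
  bits="${2:-4096}"
  mkdir -p "$dir" || return 1
  # Steps 1-2: -subj answers the prompts; -nodes skips the PEM passphrase, which
  # the -nocrypt conversion in step 5 would strip anyway. Protect the output
  # directory and the AEM keystore password instead of relying on the PEM passphrase.
  openssl req -x509 -sha256 -days 365 -newkey "rsa:$bits" -nodes \
    -keyout "$dir/aem.key" -out "$dir/aem.crt" \
    -subj "/C=US/ST=California/L=Los Angeles/O=Example Co/OU=AEM/CN=aem-sp.example.com" \
    >/dev/null 2>&1 || return 1
  # Step 3: PEM private key to DER
  openssl rsa -in "$dir/aem.key" -outform der -out "$dir/aem.der" >/dev/null 2>&1 || return 1
  # Step 4: verify that the DER key parses and that its RSA parameters are consistent
  openssl rsa -in "$dir/aem.der" -inform der -noout -check >/dev/null 2>&1 || return 1
  # Step 5: PKCS#1 DER to unencrypted PKCS#8 DER, the form the AEM keystore upload expects
  openssl pkcs8 -topk8 -inform der -nocrypt -in "$dir/aem.der" \
    -outform der -out "$dir/aem-pkcs8.der" >/dev/null 2>&1 || return 1
  # Private key material: owner read/write only
  chmod 600 "$dir/aem.key" "$dir/aem.der" "$dir/aem-pkcs8.der"
}

# cert_matches_key DIR: succeeds only if the public key in aem.crt equals the
# public half of aem-pkcs8.der, i.e. the SP key alias and certificate form a pair.
cert_matches_key() {
  dir="$1"
  cert_pub=$(openssl x509 -in "$dir/aem.crt" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$dir/aem-pkcs8.der" -inform der -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# list_outputs DIR: prints the generated files in the order the post lists them,
# failing if any of them is missing or empty
list_outputs() {
  dir="$1"
  for f in aem-pkcs8.der aem.crt aem.der aem.key; do
    [ -s "$dir/$f" ] || return 1
    echo "$dir/$f"
  done
}

# Usage: generate_aem_keys ./aem-sp && cert_matches_key ./aem-sp && list_outputs ./aem-sp
```

Only aem-pkcs8.der (the private key) and aem.crt (the certificate) go into AEM; the `cert_matches_key` check catches the case where a key was regenerated after the certificate was uploaded, which otherwise shows up only as Okta rejecting the signed AuthnRequest.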


Wildebeest

A product studio in LA that builds custom software for brands.