SlideShare a Scribd company logo

AEM GEMS Session SAML authentication in AEM

A
AdobeMarketingCloud

Sham Hassan Chikkegowda, CS Engineer, and Timothee Maret, Senior Developer, of Adobe provide a review of using Security Assertion Markup Language (SAML) with your Experience Manager deployments. SAML is an XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is a product of the OASIS Security Services Technical Committee. To watch the session on demand at http://bit.ly/AEMGems72016 or the MP4 version http://bit.ly/AEMGem72016

Software
1 of 30
Download to read offline
© 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. SAML authentication in AEM Sham Hassan Chikkegowda Customer Support Engineer Timothee Maret Sr. Software Developer&
© 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Agenda •  SAML 2.0 A quick overview •  AEM & SAML Supported features •  Configurations Settings in typical deployments •  Troubleshoot How to analyze deployment issues •  Changelog Improvements in AEM 6.2 •  Q & A 2
© 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. SAML 2.0 A quick overview
© 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Overview of SAML 2.0 §  Security Assertion Markup Language §  Open standard (OASIS) for Federated Identity implementations §  XML based Framework for exchanging authentication and authorization data across security domains §  Enables security use cases §  Seamless cross domain browsing via Web Single Sign-On (SSO) §  Attribute-Based Authorization §  Securing Web Services 4 Source: [SAMLTech]
© 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. SAML Web SSO 5 Participants Use case Identity Provider (IdP) Service Provider (SP) Principal User Authenticate Provide Assert User service.foo.ch (SP1) service.bar.com (SP2) IdentityInformation Source: [SAMLTech]
© 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. AEM & SAML • Supported features
© 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. SAML features supported in AEM SAML 2.0 standard Web Browser SSO Profile POST Binding SP & IdP initiated Single Sign-On (SSO) Single Logout Profile POST Binding SP & IdP initiated Single Log-Out (SLO) XML Signature XML Encryption 7 AEM authentication handler Auto creation of users and assignment to groups Attribute synchronization Multiple authentication handlers configurations Global and per request landing page Configurable clock drift compensation (HF 9985)
© 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Web Browser SSO Profile 8 to /path/ending/with/saml_login Create/update repository user Sync attributes Decide resource to redirect to (landing page) Set Cookie - login-token Using Cookie: - login-token Commonly Used IdP IBM ISFIM, Oracle SSO, OKTA, Ping Federate, MS ADFS, SecureAuth, Google, Onelogin, Shiboleth, CA Siteminder, etc. Set Cookies: - saml_request_path - anchor_backup + SP identifier (e.g. req. parameter)
© 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Security considerations (1/2) 9 Public SP Private IdP Public IdP Private SP Key provided to the SP/AEM Key provided to IdP
© 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Security considerations (2/2) Security feature Required Description Authentication & Integrity Yes Guarantees that the received assertions to have been emit by the trusted IdP and have not been modified Achieved using XML Signature No Guarantee that the SAMLRequest has been emit by the trusted SP/AEM and the owner document has not been modified Achieved using XML Signature Confidentiality No Assertions may contain sensitive data (e.g. PII data) which must only be read by the recipient Achieved •  End to end using XML Encryption •  Point to point using TLS (HTTPS) 10
© 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Configurations Settings in typical deployments
© 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Security (1/4) Authentication & Integrity §  Validating the origin and validating the integrity of the assertions (mandatory) How 12 SAML auth. handler property Configuration idpCertAlias Set the alias of the IdP certificate in the global TrustStore Key Configuration Set the IdP certificate in the global TrustStorePublic IdP
© 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Security (2/4) Confidentiality §  End-to-end confidentiality by encrypting the assertions (optional) How 13 SAML auth. handler property Configuration useEncryption Check if the authentication handler expects encrypted assertions spPrivateKeyAlias Set the alias of the SP certificate in the KeyStore keyStorePassword Set the password of the ‘authentication-service’ user KeyStore Key Configuration Set the SP private key in the ‘authentication-service’ service user KeyStore Set the SP private key in the ‘authentication-service’ service user KeyStore Public SP Private SP
© 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Security (3/4) Managing cryptographic keys !  Storing SP certificates and private key in the repository under the paths /etc/key/saml/[public|idp_cert|private] is no longer supported since the release com.adobe.granite.auth.saml-0.3.26 (DOC-8250, DOC-5509) How 14 Set SP key pair in ‘authentication-service’ KeyStore 1.  Browse /libs/granite/security/content/useradmin.html 2.  Select the user ‘authentication-service’ 3.  Create the KeyStore if needed Keep the KeyStore password for property keyStorePassword of SAML authentication handler configuration 4.  Click on ‘Manage KeyStore’ 5.  Upload the SP private key and public certificate Keep the private key alias for property spPrivateKeyAlias of SAML authentication handler configuration Set IdP public key in global TrustStore 1.  Browse /libs/granite/security/content/useradmin.html 2.  Select any user 3.  Create the global TrustStore if needed 4.  Click on ‘Manage TrustStore’ 5.  Upload IdP public certificate Keep the alias for property idpCertAlias of SAML authentication handler configuration Private keys in PKCS12 or JKS format Public keys in public certificate in PKCS#12, JKS or CER format
© 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Security (4/4) Deployment behind a dispatcher/LB ! Most deployments of SSL are terminated at the load balancer or at the dispatcher and communication to AEM instance happens over HTTP How Make instances SSL context aware by configuring http://host:port/system/console/configMgr/org.apache.felix.http.sslfilter.SslFilter 15
© 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Auto creation of users What §  AEM can automatically create non-existing AEM users on first login §  The user identifier and properties are derived from the assertions How 16 SAML auth. handler property Configuration createUser Check to enable the feature userIDAttribute Set the name of the attribute containing the user ID Leave empty to use the Subject:NameId attribute
© 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Add user to groups What §  AEM can automatically assign the user to the respective groups How 17 SAML auth. handler property Configuration addGroupMemberships Check to enable the feature groupMembershipAttribute Set the name of the attribute containing a list of AEM groups this user should be added to defaultGroups Set the list of default AEM groups users are added to after successful authentication ! Attribute value is an array not a list of group names ! Make sure neither default groups OR attribute containing AEM group is administrator ! Prior to Granite-9432 SAML IdP would override any groups a user was added to manually on the AEM instance
© 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Attributes synchronization What §  AEM can store additional attributes from a SAML assertion in the repository (e.g. firstname, lastname, etc.) §  Synchronization happens during login How 18 SAML auth. handler property Configuration synchronizeAttributes Set the list of attribute from the SAML response to be stored at a path relative to the user node Example emailAddress=profile/email givenName=profile/givenName
© 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Single Log-Out (SLO) What §  AEM can close IdP and SP sessions upon logout §  IdP or SP Initiated SLO §  Attempt to logout all SP from the same session How !  Signin-out should be the same binding !  Sensitive to clock drifts (HF 9985) 19 SAML auth. handler property Configuration handleLogout Check to enable the feature logoutUrl URL of the IdP where the SAML logout request should be sent to
© 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Landing page What §  AEM supports specifying the path to redirect after successful login §  Narrow the focus on requested protected page How 20 SAML auth. handler property Configuration defaultRedirectUrl Set the default landing page path (only for IdP initiated login) Cookie name Value saml_request_path Use the cookie to define a request specific landing page path Order of priority 1.  Cookie (saml_request_request) 2.  SAML Authentication Handler redirect (defaultRedirectUrl) 3.  Apache Sling default redirects
© 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Troubleshoot How to analyze deployment issues
© 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Methodology SAML deployments integrate multiple services supported by heterogeneous parties (companies, teams) connected with an open standard 22 Observe message exchanged Observe logs Compare with SAML standard Identify wrong configuration Enable logging/tracing on AEM and dispatcher/LB if available Avoid encryption for debugging Record client traffic Check the pipes are clear (dispatcher, LB, etc.) Isolate Issue [SAMLBind] § 3.5 - HTTP Post Binding § 3.5.5 - Message Exchange [SAMLProf] § 4.1 - Web Browser SSO Profile § 4.4 - Single Logout Profile
© 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Tools On AEM §  Capture logs by enabling logging/tracing for the packages com.adobe.granite.auth.saml & org.apache.sling.auth On client §  Record browsing session in HAR file https://help.tenderapp.com/kb/troubleshooting-your-tender-site/generating-an-har-file §  Observe SAML messages being transferred https://addons.mozilla.org/en-US/firefox/addon/saml-tracer SAML 2.0 §  Encrypting/decrypting, signing/validating, generating, SAML messages https://www.samltool.com/encrypt.php 23
© 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Common mistakes •  Assertions not signed by the IdP •  Dispatcher/LB layer does not forward the saml_request_path cookie •  Missing/wrong session management with dispatcher enabling secure sessions •  IdP does not forward the saml_request_path cookie •  POST requests are cached at the dispatcher due to rewrite rules •  Consumption URL and entity id do not match •  HTTP SSL filter configuration does not retain the user in SSL protocol •  IdP does not support SLO (some don’t, refer to IdP documentation) •  IdP server & AEM server not in sync with Internet time server (Configurable clock drift helps) 24 If allowAuthorized is set to ‘0’ then add below session management section in dispatcher.any file /sessionmanagement { /directory "<path>/.sessions" /encode "md5" /header "Cookie:login-token" /timeout "800" }
© 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Error & resolutions Symptom Common cause HTTP ERROR: 403 Problem accessing /saml_login. Reason: Forbidden The IdP hostname is not configured in Http Referer Filter com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: notOnOrAfter Assertion not valid in time. IdP server & AEM server not in sync with Internet time server com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request It is a warning & can be ignored if not using encryption and the IdP accepts unsigned assertions com.adobe.granite.auth.saml.util.SamlReader Failed validating signature Signed SAML response signature not matching with IdP public certificate stored in AEM javax.xml.crypto.dsig.XMLSignatureException: java.security.SignatureException: Signature length not correct: got 128 but was expecting 256 you are signing with a 1024-bit key but attempting to verify with a 2048-bit key AccessDeniedException One of the value of attribute containing a list of AEM groups is administrators 25
© 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Changelog Improvements in AEM 6.2
© 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Improvements in AEM 6.2 •  Release note https://docs.adobe.com/docs/en/aem/6-2/release-notes/wcm-platform.html •  SAML Handler should provide landing page in case of AEM side authentication errors GRANITE-8928 •  SAML IdP Removes Users from Groups GRANITE-9432 •  Configurable Clock drift compensation HF 11082, HF 9985 27
© 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. References •  SAML 2.0 Authentication Handler https://docs.adobe.com/docs/en/aem/6-2/administer/security/saml-2-0-authenticationhandler.html •  [SAMLProf] Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0 https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf •  [SAMLBind] Bindings for the OASIS Security Assertion Markup Language (SAML) V2.0 https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf •  [SAMLTech] Security Assertion Markup Language (SAML) V2.0 Technical Overview https://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf •  SAML V2.0 Executive Overview https://www.oasis-open.org/committees/download.php/13525/sstc-saml-exec-overview-2.0-cd-01-2col.pdf 28
© 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Q & A 29
AEM GEMS Session SAML authentication in AEM

Recommended

AEM and Sling
AEM and SlingAEM and Sling
AEM and SlingLo Ki
 
AEM Rich Text Editor (RTE) Deep Dive
AEM Rich Text Editor (RTE) Deep DiveAEM Rich Text Editor (RTE) Deep Dive
AEM Rich Text Editor (RTE) Deep DiveHanish Bansal
 
AEM Sightly Deep Dive
AEM Sightly Deep DiveAEM Sightly Deep Dive
AEM Sightly Deep DiveGabriel Walt
 
Introduction to Sightly and Sling Models
Introduction to Sightly and Sling ModelsIntroduction to Sightly and Sling Models
Introduction to Sightly and Sling ModelsStefano Celentano
 
The never-ending REST API design debate
The never-ending REST API design debateThe never-ending REST API design debate
The never-ending REST API design debateRestlet
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricksGarethHeyes
 
Rest API Security
Rest API SecurityRest API Security
Rest API SecurityStormpath
 
Spring Security 5
Spring Security 5Spring Security 5
Spring Security 5Jesus Perez Franco
 

Recommended

AEM and Sling
AEM and SlingAEM and Sling
AEM and SlingLo Ki
 
AEM Rich Text Editor (RTE) Deep Dive
AEM Rich Text Editor (RTE) Deep DiveAEM Rich Text Editor (RTE) Deep Dive
AEM Rich Text Editor (RTE) Deep DiveHanish Bansal
 
AEM Sightly Deep Dive
AEM Sightly Deep DiveAEM Sightly Deep Dive
AEM Sightly Deep DiveGabriel Walt
 
Introduction to Sightly and Sling Models
Introduction to Sightly and Sling ModelsIntroduction to Sightly and Sling Models
Introduction to Sightly and Sling ModelsStefano Celentano
 
The never-ending REST API design debate
The never-ending REST API design debateThe never-ending REST API design debate
The never-ending REST API design debateRestlet
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricksGarethHeyes
 
Rest API Security
Rest API SecurityRest API Security
Rest API SecurityStormpath
 
Spring Security 5
Spring Security 5Spring Security 5
Spring Security 5Jesus Perez Franco
 
Securing AEM webapps by hacking them
Securing AEM webapps by hacking themSecuring AEM webapps by hacking them
Securing AEM webapps by hacking themMikhail Egorov
 
Spring Framework - Spring Security
Spring Framework - Spring SecuritySpring Framework - Spring Security
Spring Framework - Spring SecurityDzmitry Naskou
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMFrans Rosén
 
JCR, Sling or AEM? Which API should I use and when?
JCR, Sling or AEM? Which API should I use and when?JCR, Sling or AEM? Which API should I use and when?
JCR, Sling or AEM? Which API should I use and when?connectwebex
 
AEM Best Practices for Component Development
AEM Best Practices for Component DevelopmentAEM Best Practices for Component Development
AEM Best Practices for Component DevelopmentGabriel Walt
 
Spring Security
Spring SecuritySpring Security
Spring SecurityBoy Tech
 
(SEC401) Encryption Key Storage with AWS KMS at Okta
(SEC401) Encryption Key Storage with AWS KMS at Okta(SEC401) Encryption Key Storage with AWS KMS at Okta
(SEC401) Encryption Key Storage with AWS KMS at OktaAmazon Web Services
 
AEM Sightly Template Language
AEM Sightly Template LanguageAEM Sightly Template Language
AEM Sightly Template LanguageGabriel Walt
 
Introducing Vault
Introducing VaultIntroducing Vault
Introducing VaultRamit Surana
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsMikhail Egorov
 
IAM Best Practices
IAM Best PracticesIAM Best Practices
IAM Best PracticesAmazon Web Services
 
Cognito Customer Deep Dive
Cognito Customer Deep DiveCognito Customer Deep Dive
Cognito Customer Deep DiveAmazon Web Services
 
Security Best Practices on AWS
Security Best Practices on AWSSecurity Best Practices on AWS
Security Best Practices on AWSAmazon Web Services
 
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 cleanWAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 cleanLior Rotkovitch
 
Identity Management with the ForgeRock Identity Platform - So What’s New?
Identity Management with the ForgeRock Identity Platform - So What’s New?Identity Management with the ForgeRock Identity Platform - So What’s New?
Identity Management with the ForgeRock Identity Platform - So What’s New?ForgeRock
 
Introduction to Kong API Gateway
Introduction to Kong API GatewayIntroduction to Kong API Gateway
Introduction to Kong API GatewayYohann Ciurlik
 
Credential store using HashiCorp Vault
Credential store using HashiCorp VaultCredential store using HashiCorp Vault
Credential store using HashiCorp VaultMayank Patel
 
Token Authentication in ASP.NET Core
Token Authentication in ASP.NET CoreToken Authentication in ASP.NET Core
Token Authentication in ASP.NET CoreStormpath
 
Becoming an AWS Policy Ninja using AWS IAM - AWS Summit Tel Aviv 2017
Becoming an AWS Policy Ninja using AWS IAM - AWS Summit Tel Aviv 2017Becoming an AWS Policy Ninja using AWS IAM - AWS Summit Tel Aviv 2017
Becoming an AWS Policy Ninja using AWS IAM - AWS Summit Tel Aviv 2017Amazon Web Services
 
Understanding Sling Models in AEM
Understanding Sling Models in AEMUnderstanding Sling Models in AEM
Understanding Sling Models in AEMAccunity Software
 
Aem authentication vs idp
Aem authentication vs idpAem authentication vs idp
Aem authentication vs idpSaroj Mishra
 
AEM GEMs Session Oak Lucene Indexes
AEM GEMs Session Oak Lucene IndexesAEM GEMs Session Oak Lucene Indexes
AEM GEMs Session Oak Lucene IndexesAdobeMarketingCloud
 

More Related Content

What's hot

Securing AEM webapps by hacking them
Securing AEM webapps by hacking themSecuring AEM webapps by hacking them
Securing AEM webapps by hacking themMikhail Egorov
 
Spring Framework - Spring Security
Spring Framework - Spring SecuritySpring Framework - Spring Security
Spring Framework - Spring SecurityDzmitry Naskou
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMFrans Rosén
 
JCR, Sling or AEM? Which API should I use and when?
JCR, Sling or AEM? Which API should I use and when?JCR, Sling or AEM? Which API should I use and when?
JCR, Sling or AEM? Which API should I use and when?connectwebex
 
AEM Best Practices for Component Development
AEM Best Practices for Component DevelopmentAEM Best Practices for Component Development
AEM Best Practices for Component DevelopmentGabriel Walt
 
Spring Security
Spring SecuritySpring Security
Spring SecurityBoy Tech
 
(SEC401) Encryption Key Storage with AWS KMS at Okta
(SEC401) Encryption Key Storage with AWS KMS at Okta(SEC401) Encryption Key Storage with AWS KMS at Okta
(SEC401) Encryption Key Storage with AWS KMS at OktaAmazon Web Services
 
AEM Sightly Template Language
AEM Sightly Template LanguageAEM Sightly Template Language
AEM Sightly Template LanguageGabriel Walt
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsMikhail Egorov
 
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 cleanWAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 cleanLior Rotkovitch
 
Identity Management with the ForgeRock Identity Platform - So What’s New?
Identity Management with the ForgeRock Identity Platform - So What’s New?Identity Management with the ForgeRock Identity Platform - So What’s New?
Identity Management with the ForgeRock Identity Platform - So What’s New?ForgeRock
 
Introduction to Kong API Gateway
Introduction to Kong API GatewayIntroduction to Kong API Gateway
Introduction to Kong API GatewayYohann Ciurlik
 
Credential store using HashiCorp Vault
Credential store using HashiCorp VaultCredential store using HashiCorp Vault
Credential store using HashiCorp VaultMayank Patel
 
Token Authentication in ASP.NET Core
Token Authentication in ASP.NET CoreToken Authentication in ASP.NET Core
Token Authentication in ASP.NET CoreStormpath
 
Becoming an AWS Policy Ninja using AWS IAM - AWS Summit Tel Aviv 2017
Becoming an AWS Policy Ninja using AWS IAM - AWS Summit Tel Aviv 2017Becoming an AWS Policy Ninja using AWS IAM - AWS Summit Tel Aviv 2017
Becoming an AWS Policy Ninja using AWS IAM - AWS Summit Tel Aviv 2017Amazon Web Services
 
Understanding Sling Models in AEM
Understanding Sling Models in AEMUnderstanding Sling Models in AEM
Understanding Sling Models in AEMAccunity Software
 

What's hot (20)

Securing AEM webapps by hacking them
Securing AEM webapps by hacking themSecuring AEM webapps by hacking them
Securing AEM webapps by hacking them
 
Spring Framework - Spring Security
Spring Framework - Spring SecuritySpring Framework - Spring Security
Spring Framework - Spring Security
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEM
 
JCR, Sling or AEM? Which API should I use and when?
JCR, Sling or AEM? Which API should I use and when?JCR, Sling or AEM? Which API should I use and when?
JCR, Sling or AEM? Which API should I use and when?
 
AEM Best Practices for Component Development
AEM Best Practices for Component DevelopmentAEM Best Practices for Component Development
AEM Best Practices for Component Development
 
Spring Security
Spring SecuritySpring Security
Spring Security
 
(SEC401) Encryption Key Storage with AWS KMS at Okta
(SEC401) Encryption Key Storage with AWS KMS at Okta(SEC401) Encryption Key Storage with AWS KMS at Okta
(SEC401) Encryption Key Storage with AWS KMS at Okta
 
AEM Sightly Template Language
AEM Sightly Template LanguageAEM Sightly Template Language
AEM Sightly Template Language
 
Introducing Vault
Introducing VaultIntroducing Vault
Introducing Vault
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webapps
 
IAM Best Practices
IAM Best PracticesIAM Best Practices
IAM Best Practices
 
Cognito Customer Deep Dive
Cognito Customer Deep DiveCognito Customer Deep Dive
Cognito Customer Deep Dive
 
Security Best Practices on AWS
Security Best Practices on AWSSecurity Best Practices on AWS
Security Best Practices on AWS
 
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 cleanWAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
 
Identity Management with the ForgeRock Identity Platform - So What’s New?
Identity Management with the ForgeRock Identity Platform - So What’s New?Identity Management with the ForgeRock Identity Platform - So What’s New?
Identity Management with the ForgeRock Identity Platform - So What’s New?
 
Introduction to Kong API Gateway
Introduction to Kong API GatewayIntroduction to Kong API Gateway
Introduction to Kong API Gateway
 
Credential store using HashiCorp Vault
Credential store using HashiCorp VaultCredential store using HashiCorp Vault
Credential store using HashiCorp Vault
 
Token Authentication in ASP.NET Core
Token Authentication in ASP.NET CoreToken Authentication in ASP.NET Core
Token Authentication in ASP.NET Core
 
Becoming an AWS Policy Ninja using AWS IAM - AWS Summit Tel Aviv 2017
Becoming an AWS Policy Ninja using AWS IAM - AWS Summit Tel Aviv 2017Becoming an AWS Policy Ninja using AWS IAM - AWS Summit Tel Aviv 2017
Becoming an AWS Policy Ninja using AWS IAM - AWS Summit Tel Aviv 2017
 
Understanding Sling Models in AEM
Understanding Sling Models in AEMUnderstanding Sling Models in AEM
Understanding Sling Models in AEM
 

Viewers also liked

Aem authentication vs idp
Aem authentication vs idpAem authentication vs idp
Aem authentication vs idpSaroj Mishra
 
AEM GEMs Session Oak Lucene Indexes
AEM GEMs Session Oak Lucene IndexesAEM GEMs Session Oak Lucene Indexes
AEM GEMs Session Oak Lucene IndexesAdobeMarketingCloud
 
Regions of the United States: The Northeast
Regions of the United States: The NortheastRegions of the United States: The Northeast
Regions of the United States: The NortheastJohn Pascoe
 
HORMONAL REGULATION OF OVULATION,PREGNANCY,PARTURITION
HORMONAL REGULATION OF OVULATION,PREGNANCY,PARTURITIONHORMONAL REGULATION OF OVULATION,PREGNANCY,PARTURITION
HORMONAL REGULATION OF OVULATION,PREGNANCY,PARTURITIONSudarshan Gokhale
 
The six key steps to AEM architecture
The six key steps to AEM architectureThe six key steps to AEM architecture
The six key steps to AEM architectureAshokkumar T A
 
Solve 3 Enterprise Storage Problems Today
Solve 3 Enterprise Storage Problems TodaySolve 3 Enterprise Storage Problems Today
Solve 3 Enterprise Storage Problems TodayStephen Foskett
 
Integrated Lifecycle Marketing Workshop: Emerging Channels for Email List Bui...
Integrated Lifecycle Marketing Workshop: Emerging Channels for Email List Bui...Integrated Lifecycle Marketing Workshop: Emerging Channels for Email List Bui...
Integrated Lifecycle Marketing Workshop: Emerging Channels for Email List Bui...Vivastream
 
Renesas RL78 The True Low Power Microcontroller Platform
Renesas RL78 The True Low Power Microcontroller Platform Renesas RL78 The True Low Power Microcontroller Platform
Renesas RL78 The True Low Power Microcontroller PlatformRenesas Electronics Corporation
 
How to refill canon color cartridge 241
How to refill canon color cartridge 241How to refill canon color cartridge 241
How to refill canon color cartridge 241printerfillingstation
 
An Introduction to Faye
An Introduction to FayeAn Introduction to Faye
An Introduction to FayeDarren Oakley
 
Summary -Fish
Summary -FishSummary -Fish
Summary -FishGMR Group
 
Intermediate Colors
Intermediate ColorsIntermediate Colors
Intermediate Colorsartoutman
 
How to Make the Inc 500 List
How to Make the Inc 500 ListHow to Make the Inc 500 List
How to Make the Inc 500 ListHubSpot
 
Analytics Solutions from SAP
Analytics Solutions from SAPAnalytics Solutions from SAP
Analytics Solutions from SAPSAP Analytics
 
Friendship’s coupons
Friendship’s couponsFriendship’s coupons
Friendship’s couponsClarice J
 

Viewers also liked (20)

Aem authentication vs idp
Aem authentication vs idpAem authentication vs idp
Aem authentication vs idp
 
AEM GEMs Session Oak Lucene Indexes
AEM GEMs Session Oak Lucene IndexesAEM GEMs Session Oak Lucene Indexes
AEM GEMs Session Oak Lucene Indexes
 
Regions of the United States: The Northeast
Regions of the United States: The NortheastRegions of the United States: The Northeast
Regions of the United States: The Northeast
 
HORMONAL REGULATION OF OVULATION,PREGNANCY,PARTURITION
HORMONAL REGULATION OF OVULATION,PREGNANCY,PARTURITIONHORMONAL REGULATION OF OVULATION,PREGNANCY,PARTURITION
HORMONAL REGULATION OF OVULATION,PREGNANCY,PARTURITION
 
Project Scheduling
Project SchedulingProject Scheduling
Project Scheduling
 
The six key steps to AEM architecture
The six key steps to AEM architectureThe six key steps to AEM architecture
The six key steps to AEM architecture
 
Strengths in the addie model
Strengths in the addie modelStrengths in the addie model
Strengths in the addie model
 
IdP, SAML, OAuth
IdP, SAML, OAuthIdP, SAML, OAuth
IdP, SAML, OAuth
 
Solve 3 Enterprise Storage Problems Today
Solve 3 Enterprise Storage Problems TodaySolve 3 Enterprise Storage Problems Today
Solve 3 Enterprise Storage Problems Today
 
Integrated Lifecycle Marketing Workshop: Emerging Channels for Email List Bui...
Integrated Lifecycle Marketing Workshop: Emerging Channels for Email List Bui...Integrated Lifecycle Marketing Workshop: Emerging Channels for Email List Bui...
Integrated Lifecycle Marketing Workshop: Emerging Channels for Email List Bui...
 
Ambienti di virtualizzazione
Ambienti di virtualizzazioneAmbienti di virtualizzazione
Ambienti di virtualizzazione
 
Renesas RL78 The True Low Power Microcontroller Platform
Renesas RL78 The True Low Power Microcontroller Platform Renesas RL78 The True Low Power Microcontroller Platform
Renesas RL78 The True Low Power Microcontroller Platform
 
Enterprise TEPPCO Pipeline System Map
Enterprise TEPPCO Pipeline System MapEnterprise TEPPCO Pipeline System Map
Enterprise TEPPCO Pipeline System Map
 
How to refill canon color cartridge 241
How to refill canon color cartridge 241How to refill canon color cartridge 241
How to refill canon color cartridge 241
 
An Introduction to Faye
An Introduction to FayeAn Introduction to Faye
An Introduction to Faye
 
Summary -Fish
Summary -FishSummary -Fish
Summary -Fish
 
Intermediate Colors
Intermediate ColorsIntermediate Colors
Intermediate Colors
 
How to Make the Inc 500 List
How to Make the Inc 500 ListHow to Make the Inc 500 List
How to Make the Inc 500 List
 
Analytics Solutions from SAP
Analytics Solutions from SAPAnalytics Solutions from SAP
Analytics Solutions from SAP
 
Friendship’s coupons
Friendship’s couponsFriendship’s coupons
Friendship’s coupons
 

Similar to AEM GEMS Session SAML authentication in AEM

Using ML with Amazon SageMaker & GuardDuty to identify anomalous traffic - SE...
Using ML with Amazon SageMaker & GuardDuty to identify anomalous traffic - SE...Using ML with Amazon SageMaker & GuardDuty to identify anomalous traffic - SE...
Using ML with Amazon SageMaker & GuardDuty to identify anomalous traffic - SE...Amazon Web Services
 
Securing enterprise-grade serverless applications - SDD401 - AWS re:Inforce 2...
Securing enterprise-grade serverless applications - SDD401 - AWS re:Inforce 2...Securing enterprise-grade serverless applications - SDD401 - AWS re:Inforce 2...
Securing enterprise-grade serverless applications - SDD401 - AWS re:Inforce 2...Amazon Web Services
 
Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...
Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...
Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...Amazon Web Services
 
Lock It Down: How to Secure Your Organization's AWS Account
Lock It Down: How to Secure Your Organization's AWS AccountLock It Down: How to Secure Your Organization's AWS Account
Lock It Down: How to Secure Your Organization's AWS AccountAmazon Web Services
 
CIS14: Enterprise Identity APIs
CIS14: Enterprise Identity APIsCIS14: Enterprise Identity APIs
CIS14: Enterprise Identity APIsCloudIDSummit
 
Achieving security goals with AWS CloudHSM - SDD333 - AWS re:Inforce 2019
Achieving security goals with AWS CloudHSM - SDD333 - AWS re:Inforce 2019 Achieving security goals with AWS CloudHSM - SDD333 - AWS re:Inforce 2019
Achieving security goals with AWS CloudHSM - SDD333 - AWS re:Inforce 2019 Amazon Web Services
 
How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302) - ...
How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302) - ...How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302) - ...
How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302) - ...Amazon Web Services
 
The Evolution of Identity and Access Management on AWS - AWS Online Tech Talks
The Evolution of Identity and Access Management on AWS - AWS Online Tech TalksThe Evolution of Identity and Access Management on AWS - AWS Online Tech Talks
The Evolution of Identity and Access Management on AWS - AWS Online Tech TalksAmazon Web Services
 
Experiences of SOACS
Experiences of SOACSExperiences of SOACS
Experiences of SOACSSimon Haslam
 
New AWS Security Solutions to Protect Your Workload
New AWS Security Solutions to Protect Your WorkloadNew AWS Security Solutions to Protect Your Workload
New AWS Security Solutions to Protect Your WorkloadAmazon Web Services
 
Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...
Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...
Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...Amazon Web Services
 
SecuringYourCustomersDataFromDayOne_SFStartupDay
SecuringYourCustomersDataFromDayOne_SFStartupDaySecuringYourCustomersDataFromDayOne_SFStartupDay
SecuringYourCustomersDataFromDayOne_SFStartupDayAmazon Web Services
 
Ensuring Your Windows Server Workloads Are Well-Architected - AWS Online Tech...
Ensuring Your Windows Server Workloads Are Well-Architected - AWS Online Tech...Ensuring Your Windows Server Workloads Are Well-Architected - AWS Online Tech...
Ensuring Your Windows Server Workloads Are Well-Architected - AWS Online Tech...Amazon Web Services
 
Securing Your Customers Data From Day One
Securing Your Customers Data From Day OneSecuring Your Customers Data From Day One
Securing Your Customers Data From Day OneAmazon Web Services
 

Similar to AEM GEMS Session SAML authentication in AEM (20)

test-sgsgsgs.pptx
test-sgsgsgs.pptxtest-sgsgsgs.pptx
test-sgsgsgs.pptx
 
Using ML with Amazon SageMaker & GuardDuty to identify anomalous traffic - SE...
Using ML with Amazon SageMaker & GuardDuty to identify anomalous traffic - SE...Using ML with Amazon SageMaker & GuardDuty to identify anomalous traffic - SE...
Using ML with Amazon SageMaker & GuardDuty to identify anomalous traffic - SE...
 
Securing enterprise-grade serverless applications - SDD401 - AWS re:Inforce 2...
Securing enterprise-grade serverless applications - SDD401 - AWS re:Inforce 2...Securing enterprise-grade serverless applications - SDD401 - AWS re:Inforce 2...
Securing enterprise-grade serverless applications - SDD401 - AWS re:Inforce 2...
 
Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...
Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...
Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...
 
Lock It Down: How to Secure Your Organization's AWS Account
Lock It Down: How to Secure Your Organization's AWS AccountLock It Down: How to Secure Your Organization's AWS Account
Lock It Down: How to Secure Your Organization's AWS Account
 
AWSome Day MODULE 4 - Security
AWSome Day MODULE 4 - SecurityAWSome Day MODULE 4 - Security
AWSome Day MODULE 4 - Security
 
CIS14: Enterprise Identity APIs
CIS14: Enterprise Identity APIsCIS14: Enterprise Identity APIs
CIS14: Enterprise Identity APIs
 
Achieving security goals with AWS CloudHSM - SDD333 - AWS re:Inforce 2019
Achieving security goals with AWS CloudHSM - SDD333 - AWS re:Inforce 2019 Achieving security goals with AWS CloudHSM - SDD333 - AWS re:Inforce 2019
Achieving security goals with AWS CloudHSM - SDD333 - AWS re:Inforce 2019
 
AWS
AWSAWS
AWS
 
Federation & Access Management
Federation & Access ManagementFederation & Access Management
Federation & Access Management
 
How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302) - ...
How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302) - ...How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302) - ...
How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302) - ...
 
SAP HANA Cloud – Virtual Bootcamp Securing SAP HANA Cloud Applications
SAP HANA Cloud – Virtual Bootcamp Securing SAP HANA Cloud Applications SAP HANA Cloud – Virtual Bootcamp Securing SAP HANA Cloud Applications
SAP HANA Cloud – Virtual Bootcamp Securing SAP HANA Cloud Applications
 
The Evolution of Identity and Access Management on AWS - AWS Online Tech Talks
The Evolution of Identity and Access Management on AWS - AWS Online Tech TalksThe Evolution of Identity and Access Management on AWS - AWS Online Tech Talks
The Evolution of Identity and Access Management on AWS - AWS Online Tech Talks
 
Experiences of SOACS
Experiences of SOACSExperiences of SOACS
Experiences of SOACS
 
New AWS Security Solutions to Protect Your Workload
New AWS Security Solutions to Protect Your WorkloadNew AWS Security Solutions to Protect Your Workload
New AWS Security Solutions to Protect Your Workload
 
Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...
Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...
Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...
 
SecuringYourCustomersDataFromDayOne_SFStartupDay
SecuringYourCustomersDataFromDayOne_SFStartupDaySecuringYourCustomersDataFromDayOne_SFStartupDay
SecuringYourCustomersDataFromDayOne_SFStartupDay
 
Securing Your Customers Data From Day One
Securing Your Customers Data From Day OneSecuring Your Customers Data From Day One
Securing Your Customers Data From Day One
 
Ensuring Your Windows Server Workloads Are Well-Architected - AWS Online Tech...
Ensuring Your Windows Server Workloads Are Well-Architected - AWS Online Tech...Ensuring Your Windows Server Workloads Are Well-Architected - AWS Online Tech...
Ensuring Your Windows Server Workloads Are Well-Architected - AWS Online Tech...
 
Securing Your Customers Data From Day One
Securing Your Customers Data From Day OneSecuring Your Customers Data From Day One
Securing Your Customers Data From Day One
 

More from AdobeMarketingCloud

Adobe Ask the AEM Community Expert Session Oct 2016
Adobe Ask the AEM Community Expert Session Oct 2016Adobe Ask the AEM Community Expert Session Oct 2016
Adobe Ask the AEM Community Expert Session Oct 2016AdobeMarketingCloud
 
Ask the expert AEM Assets best practices 092016
Ask the expert AEM Assets best practices 092016Ask the expert AEM Assets best practices 092016
Ask the expert AEM Assets best practices 092016AdobeMarketingCloud
 
AEM GEMS Session Template Editor Sept 14 2016
AEM GEMS Session Template Editor Sept 14 2016AEM GEMS Session Template Editor Sept 14 2016
AEM GEMS Session Template Editor Sept 14 2016AdobeMarketingCloud
 
Immerse 2016 Efficient publishing with content fragments
Immerse 2016 Efficient publishing with content fragmentsImmerse 2016 Efficient publishing with content fragments
Immerse 2016 Efficient publishing with content fragmentsAdobeMarketingCloud
 
IMMERSE 2016 Introducing content fragments
IMMERSE 2016 Introducing content fragmentsIMMERSE 2016 Introducing content fragments
IMMERSE 2016 Introducing content fragmentsAdobeMarketingCloud
 
IMMERSE 2016 Cedric Huesler US Keynote
IMMERSE 2016 Cedric Huesler US KeynoteIMMERSE 2016 Cedric Huesler US Keynote
IMMERSE 2016 Cedric Huesler US KeynoteAdobeMarketingCloud
 
IMMERSE 2016 IST Mark Szulc Keynote
IMMERSE 2016 IST Mark Szulc KeynoteIMMERSE 2016 IST Mark Szulc Keynote
IMMERSE 2016 IST Mark Szulc KeynoteAdobeMarketingCloud
 
IMMERSE'16 Intro to Adobe Experience Manager & Adobe Marketing Cloud
IMMERSE'16 Intro to Adobe Experience Manager & Adobe Marketing CloudIMMERSE'16 Intro to Adobe Experience Manager & Adobe Marketing Cloud
IMMERSE'16 Intro to Adobe Experience Manager & Adobe Marketing CloudAdobeMarketingCloud
 
IMMERSE'16 Introduction to AEM Tooling
IMMERSE'16 Introduction to AEM ToolingIMMERSE'16 Introduction to AEM Tooling
IMMERSE'16 Introduction to AEM ToolingAdobeMarketingCloud
 
Introduction to Adobe Experience Manager based e commerce
Introduction to Adobe Experience Manager based e commerceIntroduction to Adobe Experience Manager based e commerce
Introduction to Adobe Experience Manager based e commerceAdobeMarketingCloud
 
IMMERSE'16 Introduction to adobe experience manager back end
IMMERSE'16 Introduction to adobe experience manager back endIMMERSE'16 Introduction to adobe experience manager back end
IMMERSE'16 Introduction to adobe experience manager back endAdobeMarketingCloud
 
Ask the AEM Community Expert Feb 2016 Session: AEM + Brackets
Ask the AEM Community Expert Feb 2016 Session: AEM + BracketsAsk the AEM Community Expert Feb 2016 Session: AEM + Brackets
Ask the AEM Community Expert Feb 2016 Session: AEM + BracketsAdobeMarketingCloud
 
Build single page applications using AngularJS on AEM
Build single page applications using AngularJS on AEMBuild single page applications using AngularJS on AEM
Build single page applications using AngularJS on AEMAdobeMarketingCloud
 
Build single page applications using AngularJS on AEM
Build single page applications using AngularJS on AEMBuild single page applications using AngularJS on AEM
Build single page applications using AngularJS on AEMAdobeMarketingCloud
 

More from AdobeMarketingCloud (14)

Adobe Ask the AEM Community Expert Session Oct 2016
Adobe Ask the AEM Community Expert Session Oct 2016Adobe Ask the AEM Community Expert Session Oct 2016
Adobe Ask the AEM Community Expert Session Oct 2016
 
Ask the expert AEM Assets best practices 092016
Ask the expert AEM Assets best practices 092016Ask the expert AEM Assets best practices 092016
Ask the expert AEM Assets best practices 092016
 
AEM GEMS Session Template Editor Sept 14 2016
AEM GEMS Session Template Editor Sept 14 2016AEM GEMS Session Template Editor Sept 14 2016
AEM GEMS Session Template Editor Sept 14 2016
 
Immerse 2016 Efficient publishing with content fragments
Immerse 2016 Efficient publishing with content fragmentsImmerse 2016 Efficient publishing with content fragments
Immerse 2016 Efficient publishing with content fragments
 
IMMERSE 2016 Introducing content fragments
IMMERSE 2016 Introducing content fragmentsIMMERSE 2016 Introducing content fragments
IMMERSE 2016 Introducing content fragments
 
IMMERSE 2016 Cedric Huesler US Keynote
IMMERSE 2016 Cedric Huesler US KeynoteIMMERSE 2016 Cedric Huesler US Keynote
IMMERSE 2016 Cedric Huesler US Keynote
 
IMMERSE 2016 IST Mark Szulc Keynote
IMMERSE 2016 IST Mark Szulc KeynoteIMMERSE 2016 IST Mark Szulc Keynote
IMMERSE 2016 IST Mark Szulc Keynote
 
IMMERSE'16 Intro to Adobe Experience Manager & Adobe Marketing Cloud
IMMERSE'16 Intro to Adobe Experience Manager & Adobe Marketing CloudIMMERSE'16 Intro to Adobe Experience Manager & Adobe Marketing Cloud
IMMERSE'16 Intro to Adobe Experience Manager & Adobe Marketing Cloud
 
IMMERSE'16 Introduction to AEM Tooling
IMMERSE'16 Introduction to AEM ToolingIMMERSE'16 Introduction to AEM Tooling
IMMERSE'16 Introduction to AEM Tooling
 
Introduction to Adobe Experience Manager based e commerce
Introduction to Adobe Experience Manager based e commerceIntroduction to Adobe Experience Manager based e commerce
Introduction to Adobe Experience Manager based e commerce
 
IMMERSE'16 Introduction to adobe experience manager back end
IMMERSE'16 Introduction to adobe experience manager back endIMMERSE'16 Introduction to adobe experience manager back end
IMMERSE'16 Introduction to adobe experience manager back end
 
Ask the AEM Community Expert Feb 2016 Session: AEM + Brackets
Ask the AEM Community Expert Feb 2016 Session: AEM + BracketsAsk the AEM Community Expert Feb 2016 Session: AEM + Brackets
Ask the AEM Community Expert Feb 2016 Session: AEM + Brackets
 
Build single page applications using AngularJS on AEM
Build single page applications using AngularJS on AEMBuild single page applications using AngularJS on AEM
Build single page applications using AngularJS on AEM
 
Build single page applications using AngularJS on AEM
Build single page applications using AngularJS on AEMBuild single page applications using AngularJS on AEM
Build single page applications using AngularJS on AEM
 

Recently uploaded

Prosigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology SolutionsProsigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology SolutionsProsigns
 
Mastering Windows 7 A Comprehensive Guide for Power Users .pdf
Mastering Windows 7 A Comprehensive Guide for Power Users .pdfMastering Windows 7 A Comprehensive Guide for Power Users .pdf
Mastering Windows 7 A Comprehensive Guide for Power Users .pdfmbmh111980
 
top nidhi software solution freedownload
top nidhi software solution freedownloadtop nidhi software solution freedownload
top nidhi software solution freedownloadvrstrong314
 
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAGAI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAGAlluxio, Inc.
 
GraphAware - Transforming policing with graph-based intelligence analysis
GraphAware - Transforming policing with graph-based intelligence analysisGraphAware - Transforming policing with graph-based intelligence analysis
GraphAware - Transforming policing with graph-based intelligence analysisNeo4j
 
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...Anthony Dahanne
 
Crafting the Perfect Measurement Sheet with PLM Integration
Crafting the Perfect Measurement Sheet with PLM IntegrationCrafting the Perfect Measurement Sheet with PLM Integration
Crafting the Perfect Measurement Sheet with PLM IntegrationWave PLM
 
Breaking the Code : A Guide to WhatsApp Business API.pdf
Breaking the Code : A Guide to WhatsApp Business API.pdfBreaking the Code : A Guide to WhatsApp Business API.pdf
Breaking the Code : A Guide to WhatsApp Business API.pdfMeon Technology
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2
 
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...rajkumar669520
 
Designing for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web ServicesDesigning for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web ServicesKrzysztofKkol1
 
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.ILBeyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.ILNatan Silnitsky
 
Cyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdfCyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdfCyanic lab
 
De mooiste recreatieve routes ontdekken met RouteYou en FME
De mooiste recreatieve routes ontdekken met RouteYou en FMEDe mooiste recreatieve routes ontdekken met RouteYou en FME
De mooiste recreatieve routes ontdekken met RouteYou en FMEJelle | Nordend
 
Accelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with PlatformlessAccelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with PlatformlessWSO2
 
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?XfilesPro
 
Using IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New ZealandUsing IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New ZealandIES VE
 
Abortion ^Clinic ^%[+971588192166''] Abortion Pill Al Ain (?@?) Abortion Pill...
Abortion ^Clinic ^%[+971588192166''] Abortion Pill Al Ain (?@?) Abortion Pill...Abortion ^Clinic ^%[+971588192166''] Abortion Pill Al Ain (?@?) Abortion Pill...
Abortion ^Clinic ^%[+971588192166''] Abortion Pill Al Ain (?@?) Abortion Pill...Abortion Clinic
 

Recently uploaded (20)

Top Mobile App Development Companies 2024
Top Mobile App Development Companies 2024Top Mobile App Development Companies 2024
Top Mobile App Development Companies 2024
 
Prosigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology SolutionsProsigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology Solutions
 
Mastering Windows 7 A Comprehensive Guide for Power Users .pdf
Mastering Windows 7 A Comprehensive Guide for Power Users .pdfMastering Windows 7 A Comprehensive Guide for Power Users .pdf
Mastering Windows 7 A Comprehensive Guide for Power Users .pdf
 
top nidhi software solution freedownload
top nidhi software solution freedownloadtop nidhi software solution freedownload
top nidhi software solution freedownload
 
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAGAI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
 
GraphAware - Transforming policing with graph-based intelligence analysis
GraphAware - Transforming policing with graph-based intelligence analysisGraphAware - Transforming policing with graph-based intelligence analysis
GraphAware - Transforming policing with graph-based intelligence analysis
 
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
 
Crafting the Perfect Measurement Sheet with PLM Integration
Crafting the Perfect Measurement Sheet with PLM IntegrationCrafting the Perfect Measurement Sheet with PLM Integration
Crafting the Perfect Measurement Sheet with PLM Integration
 
Breaking the Code : A Guide to WhatsApp Business API.pdf
Breaking the Code : A Guide to WhatsApp Business API.pdfBreaking the Code : A Guide to WhatsApp Business API.pdf
Breaking the Code : A Guide to WhatsApp Business API.pdf
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
 
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...
 
Designing for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web ServicesDesigning for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web Services
 
Corporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMSCorporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMS
 
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.ILBeyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
 
Cyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdfCyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdf
 
De mooiste recreatieve routes ontdekken met RouteYou en FME
De mooiste recreatieve routes ontdekken met RouteYou en FMEDe mooiste recreatieve routes ontdekken met RouteYou en FME
De mooiste recreatieve routes ontdekken met RouteYou en FME
 
Accelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with PlatformlessAccelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with Platformless
 
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
 
Using IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New ZealandUsing IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New Zealand
 
Abortion ^Clinic ^%[+971588192166''] Abortion Pill Al Ain (?@?) Abortion Pill...
Abortion ^Clinic ^%[+971588192166''] Abortion Pill Al Ain (?@?) Abortion Pill...Abortion ^Clinic ^%[+971588192166''] Abortion Pill Al Ain (?@?) Abortion Pill...
Abortion ^Clinic ^%[+971588192166''] Abortion Pill Al Ain (?@?) Abortion Pill...
 

AEM GEMS Session SAML authentication in AEM

  • 1. © 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. SAML authentication in AEM Sham Hassan Chikkegowda Customer Support Engineer Timothee Maret Sr. Software Developer&
  • 2. © 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Agenda •  SAML 2.0 A quick overview •  AEM & SAML Supported features •  Configurations Settings in typical deployments •  Troubleshoot How to analyze deployment issues •  Changelog Improvements in AEM 6.2 •  Q & A 2
  • 3. © 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. SAML 2.0 A quick overview
  • 4. © 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Overview of SAML 2.0 §  Security Assertion Markup Language §  Open standard (OASIS) for Federated Identity implementations §  XML based Framework for exchanging authentication and authorization data across security domains §  Enables security use cases §  Seamless cross domain browsing via Web Single Sign-On (SSO) §  Attribute-Based Authorization §  Securing Web Services 4 Source: [SAMLTech]
  • 5. © 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. SAML Web SSO 5 Participants Use case Identity Provider (IdP) Service Provider (SP) Principal User Authenticate Provide Assert User service.foo.ch (SP1) service.bar.com (SP2) IdentityInformation Source: [SAMLTech]
  • 6. © 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. AEM & SAML • Supported features
  • 7. © 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. SAML features supported in AEM SAML 2.0 standard Web Browser SSO Profile POST Binding SP & IdP initiated Single Sign-On (SSO) Single Logout Profile POST Binding SP & IdP initiated Single Log-Out (SLO) XML Signature XML Encryption 7 AEM authentication handler Auto creation of users and assignment to groups Attribute synchronization Multiple authentication handlers configurations Global and per request landing page Configurable clock drift compensation (HF 9985)
  • 8. © 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Web Browser SSO Profile 8 to /path/ending/with/saml_login Create/update repository user Sync attributes Decide resource to redirect to (landing page) Set Cookie - login-token Using Cookie: - login-token Commonly Used IdP IBM ISFIM, Oracle SSO, OKTA, Ping Federate, MS ADFS, SecureAuth, Google, Onelogin, Shiboleth, CA Siteminder, etc. Set Cookies: - saml_request_path - anchor_backup + SP identifier (e.g. req. parameter)
  • 9. © 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Security considerations (1/2) 9 Public SP Private IdP Public IdP Private SP Key provided to the SP/AEM Key provided to IdP
  • 10. © 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Security considerations (2/2) Security feature Required Description Authentication & Integrity Yes Guarantees that the received assertions to have been emit by the trusted IdP and have not been modified Achieved using XML Signature No Guarantee that the SAMLRequest has been emit by the trusted SP/AEM and the owner document has not been modified Achieved using XML Signature Confidentiality No Assertions may contain sensitive data (e.g. PII data) which must only be read by the recipient Achieved •  End to end using XML Encryption •  Point to point using TLS (HTTPS) 10
  • 11. © 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Configurations Settings in typical deployments
  • 12. © 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Security (1/4) Authentication & Integrity §  Validating the origin and validating the integrity of the assertions (mandatory) How 12 SAML auth. handler property Configuration idpCertAlias Set the alias of the IdP certificate in the global TrustStore Key Configuration Set the IdP certificate in the global TrustStorePublic IdP
  • 13. © 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Security (2/4) Confidentiality §  End-to-end confidentiality by encrypting the assertions (optional) How 13 SAML auth. handler property Configuration useEncryption Check if the authentication handler expects encrypted assertions spPrivateKeyAlias Set the alias of the SP certificate in the KeyStore keyStorePassword Set the password of the ‘authentication-service’ user KeyStore Key Configuration Set the SP private key in the ‘authentication-service’ service user KeyStore Set the SP private key in the ‘authentication-service’ service user KeyStore Public SP Private SP
  • 14. © 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Security (3/4) Managing cryptographic keys !  Storing SP certificates and private key in the repository under the paths /etc/key/saml/[public|idp_cert|private] is no longer supported since the release com.adobe.granite.auth.saml-0.3.26 (DOC-8250, DOC-5509) How 14 Set SP key pair in ‘authentication-service’ KeyStore 1.  Browse /libs/granite/security/content/useradmin.html 2.  Select the user ‘authentication-service’ 3.  Create the KeyStore if needed Keep the KeyStore password for property keyStorePassword of SAML authentication handler configuration 4.  Click on ‘Manage KeyStore’ 5.  Upload the SP private key and public certificate Keep the private key alias for property spPrivateKeyAlias of SAML authentication handler configuration Set IdP public key in global TrustStore 1.  Browse /libs/granite/security/content/useradmin.html 2.  Select any user 3.  Create the global TrustStore if needed 4.  Click on ‘Manage TrustStore’ 5.  Upload IdP public certificate Keep the alias for property idpCertAlias of SAML authentication handler configuration Private keys in PKCS12 or JKS format Public keys in public certificate in PKCS#12, JKS or CER format
  • 15. © 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Security (4/4) Deployment behind a dispatcher/LB ! Most deployments of SSL are terminated at the load balancer or at the dispatcher and communication to AEM instance happens over HTTP How Make instances SSL context aware by configuring http://host:port/system/console/configMgr/org.apache.felix.http.sslfilter.SslFilter 15
  • 16. © 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Auto creation of users What §  AEM can automatically create non-existing AEM users on first login §  The user identifier and properties are derived from the assertions How 16 SAML auth. handler property Configuration createUser Check to enable the feature userIDAttribute Set the name of the attribute containing the user ID Leave empty to use the Subject:NameId attribute
  • 17. © 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Add user to groups What §  AEM can automatically assign the user to the respective groups How 17 SAML auth. handler property Configuration addGroupMemberships Check to enable the feature groupMembershipAttribute Set the name of the attribute containing a list of AEM groups this user should be added to defaultGroups Set the list of default AEM groups users are added to after successful authentication ! Attribute value is an array not a list of group names ! Make sure neither default groups OR attribute containing AEM group is administrator ! Prior to Granite-9432 SAML IdP would override any groups a user was added to manually on the AEM instance
  • 18. © 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Attributes synchronization What §  AEM can store additional attributes from a SAML assertion in the repository (e.g. firstname, lastname, etc.) §  Synchronization happens during login How 18 SAML auth. handler property Configuration synchronizeAttributes Set the list of attribute from the SAML response to be stored at a path relative to the user node Example emailAddress=profile/email givenName=profile/givenName
  • 19. © 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Single Log-Out (SLO) What §  AEM can close IdP and SP sessions upon logout §  IdP or SP Initiated SLO §  Attempt to logout all SP from the same session How !  Signin-out should be the same binding !  Sensitive to clock drifts (HF 9985) 19 SAML auth. handler property Configuration handleLogout Check to enable the feature logoutUrl URL of the IdP where the SAML logout request should be sent to
  • 20. © 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Landing page What §  AEM supports specifying the path to redirect after successful login §  Narrow the focus on requested protected page How 20 SAML auth. handler property Configuration defaultRedirectUrl Set the default landing page path (only for IdP initiated login) Cookie name Value saml_request_path Use the cookie to define a request specific landing page path Order of priority 1.  Cookie (saml_request_request) 2.  SAML Authentication Handler redirect (defaultRedirectUrl) 3.  Apache Sling default redirects
  • 21. © 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Troubleshoot How to analyze deployment issues
  • 22. © 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Methodology SAML deployments integrate multiple services supported by heterogeneous parties (companies, teams) connected with an open standard 22 Observe message exchanged Observe logs Compare with SAML standard Identify wrong configuration Enable logging/tracing on AEM and dispatcher/LB if available Avoid encryption for debugging Record client traffic Check the pipes are clear (dispatcher, LB, etc.) Isolate Issue [SAMLBind] § 3.5 - HTTP Post Binding § 3.5.5 - Message Exchange [SAMLProf] § 4.1 - Web Browser SSO Profile § 4.4 - Single Logout Profile
  • 23. © 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Tools On AEM §  Capture logs by enabling logging/tracing for the packages com.adobe.granite.auth.saml & org.apache.sling.auth On client §  Record browsing session in HAR file https://help.tenderapp.com/kb/troubleshooting-your-tender-site/generating-an-har-file §  Observe SAML messages being transferred https://addons.mozilla.org/en-US/firefox/addon/saml-tracer SAML 2.0 §  Encrypting/decrypting, signing/validating, generating, SAML messages https://www.samltool.com/encrypt.php 23
  • 24. © 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Common mistakes •  Assertions not signed by the IdP •  Dispatcher/LB layer does not forward the saml_request_path cookie •  Missing/wrong session management with dispatcher enabling secure sessions •  IdP does not forward the saml_request_path cookie •  POST requests are cached at the dispatcher due to rewrite rules •  Consumption URL and entity id do not match •  HTTP SSL filter configuration does not retain the user in SSL protocol •  IdP does not support SLO (some don’t, refer to IdP documentation) •  IdP server & AEM server not in sync with Internet time server (Configurable clock drift helps) 24 If allowAuthorized is set to ‘0’ then add below session management section in dispatcher.any file /sessionmanagement { /directory "<path>/.sessions" /encode "md5" /header "Cookie:login-token" /timeout "800" }
  • 25. © 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Error & resolutions Symptom Common cause HTTP ERROR: 403 Problem accessing /saml_login. Reason: Forbidden The IdP hostname is not configured in Http Referer Filter com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: notOnOrAfter Assertion not valid in time. IdP server & AEM server not in sync with Internet time server com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request It is a warning & can be ignored if not using encryption and the IdP accepts unsigned assertions com.adobe.granite.auth.saml.util.SamlReader Failed validating signature Signed SAML response signature not matching with IdP public certificate stored in AEM javax.xml.crypto.dsig.XMLSignatureException: java.security.SignatureException: Signature length not correct: got 128 but was expecting 256 you are signing with a 1024-bit key but attempting to verify with a 2048-bit key AccessDeniedException One of the value of attribute containing a list of AEM groups is administrators 25
  • 26. © 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Changelog Improvements in AEM 6.2
  • 27. © 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Improvements in AEM 6.2 •  Release note https://docs.adobe.com/docs/en/aem/6-2/release-notes/wcm-platform.html •  SAML Handler should provide landing page in case of AEM side authentication errors GRANITE-8928 •  SAML IdP Removes Users from Groups GRANITE-9432 •  Configurable Clock drift compensation HF 11082, HF 9985 27
  • 28. © 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. References •  SAML 2.0 Authentication Handler https://docs.adobe.com/docs/en/aem/6-2/administer/security/saml-2-0-authenticationhandler.html •  [SAMLProf] Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0 https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf •  [SAMLBind] Bindings for the OASIS Security Assertion Markup Language (SAML) V2.0 https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf •  [SAMLTech] Security Assertion Markup Language (SAML) V2.0 Technical Overview https://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf •  SAML V2.0 Executive Overview https://www.oasis-open.org/committees/download.php/13525/sstc-saml-exec-overview-2.0-cd-01-2col.pdf 28
  • 29. © 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Q & A 29