An OSGi bundle that provides a SAML2 Web Profile Service Provider Authentication for Apache Sling

Clone this repo:
  1. 852c2f1 Upgrade to parent version 41, version 40 is affected by SLING-9972 by Robert Munteanu · 2 weeks ago master
  2. c344226 change algorithm for SAML2 token store from HmacSHA1 to HmacSHA256 by Cris Rockwell · 3 weeks ago
  3. 56ea41c update asf label by Cris Rockwell · 4 weeks ago
  4. 3e1b5b9 CI to build with Java 11 by Cris Rockwell · 4 weeks ago
  5. 0dfa1d2 add project boilerplate and update by Cris Rockwell · 4 weeks ago

Apache Sling

Build Status Test Status Coverage Sonarcloud Status Maven Central auth License

Apache Sling SAML2 Handler

An OSGi bundle that provides a SAML2 Web Profile Service Provider Authentication for Apache Sling using OpenSAML v4 libraries


  • The SAMLRequest uses HTTP Redirect Binding, and the contained Authn Request object instructs the IDP to use HTTP Post Binding.

Sling applications may authenticate users against an Identity Provider (idp) such as Keycloak Server or Shibboleth IDP.


  • Java 11
  • Sling 11 or 12
  • An external SAML2 identity provider
  • The oak-auth-external bundle must be installed and active

User Management

User management is based on the OSGi bundle configuration and SAML2 Assertion

  • Upon successful authentication, a user is created
  • The user may be added to a JCR group membership under certain conditions:
    • This bundle has an OSGI config saml2groupMembershipAttr set with the value of the name of the SAML group membership attribute.
    • The users SAML assertion contains an attribute matching the configuration above
    • The value of the users group membership attribute is a name of an existing JCR group
  • syncAttrs can be used to synchronize user properties released by the IDP for profile properties such as given name, family name, email, and phone.

Configurations, Service User and ACL's

Manual configurations set using /system/console/configMgr

Provide a Service User Mapper OSGI Config


Set up the system user “saml2-user-mgt”

  • visit Composum Users as admin
  • Create service user “saml2-user-mgt”
  • Provide an ACL rule for granting jcr:all to this user on the /home path

Provide a SAML2 OSGI Configuration