Apache Sling SAML2 Handler
An OSGi bundle that provides a SAML2 Web Profile Service Provider Authentication for Apache Sling using OpenSAML v4 libraries
- The SAMLRequest uses HTTP Redirect Binding, and the contained Authn Request object instructs the IDP to use HTTP Post Binding.
Sling applications may authenticate users against an Identity Provider (idp) such as Keycloak Server or Shibboleth IDP.
- Java 11
- Sling 11 or 12
- An external SAML2 identity provider
- The oak-auth-external bundle must be installed and active
User management is based on the OSGi bundle configuration and SAML2 Assertion
- Upon successful authentication, a user is created
- The user may be added to a JCR group membership under certain conditions:
- This bundle has an OSGI config
saml2groupMembershipAttr set with the value of the name of the SAML group membership attribute.
- The users SAML assertion contains an attribute matching the configuration above
- The value of the users group membership attribute is a name of an existing JCR group
syncAttrs can be used to synchronize user properties released by the IDP for profile properties such as given name, family name, email, and phone.
Configurations, Service User and ACL's
Manual configurations set using /system/console/configMgr
Provide a Service User Mapper OSGI Config
Set up the system user “saml2-user-mgt”
- visit Composum Users as admin
- Create service user “saml2-user-mgt”
- Provide an ACL rule for granting
jcr:all to this user on the
Provide a SAML2 OSGI Configuration