Configuring AEM for Single Sign On via Azure AD

To integrate Azure AD with AEM, we need to execute following steps:

  1. Configure Azure AD Single Sign-On – to enable users to use this feature.
  2. Configure Adobe Experience Manager Single Sign-On – to configure the Single Sign-On settings on AEM .
  3. Create an Azure AD test user – to test Azure AD single sign-on.
  4. Assign the Azure AD test user – enable user to login via Azure AD single sign-on.
  5. Test single sign-on – to verify whether the configuration works.

The reference links for majority of the steps are added to their title.

The following blog shares details on Configuring AEM for Single Sign On. Link also provides details. But, few configs/screenshots have changed. Attaching the relevant details.


  1. SAML Signing Certificate downloaded from Azure AD. This would have been generated while configuring Azure AD for SSO
  2. Following details for SAML configuration:
    1. IDP URL
    2. Logout URL
    3. Attributes to identify user ID and group membership

Steps to configure AEM for SSO

Step-1: Upload SAML signing certificate

  • Open Global Navigation Menu
  • Go to Tools > Security > Trust Store
  • Click “Create Trust store” if one doesn’t exist. Provide a password that matches the password policy set on your AEM.
  • Click “Select Certificate File”, upload certificate and map it against a user.
  • Copy certificate alias. We would need it for SAML configuration.

Step-2: Create keystore for authentication-service user

  • Open Global Navigation Menu
  • Go to Tools > Security > Users
  • Search for “authentication-service
  • Create keystore. Provide a password that matches the password policy set on your AEM.
  • We would need to configure the same password in the next step for SAML config.

Step-3: Configure “Adobe Granite SAML 2.0 Authentication Handler

  • Open Global Navigation Menu
  • Go to Tools > Operations > Web Console
  • Click to add a new config for “Adobe Granite SAML 2.0 Authentication Handler”
  • Add the configurations shared by the Azure AD admin. The description about each field can be found on link.
  • The SAML configuration should look similar to

Step-4: Configure Apache Sling Referrer Filter for IDP

Configure hostname in IDP URL in “Allow Hosts”

The SAML SSO should be set-up now. Please verify your login/logout.

Additional steps for setting up SSO on Publish Instance

Step-5: Revoke anonymous access

We would need the Step 5.x, if the pages should accessible to authenticated users ONLY.

Step-5.1: Configure “Apache Sling Authentication Service”

Uncheck “Allow Anonymous Access”. Now access to the repository is only allowed if valid credentials are presented

Step 5.2: Revoke content/crx access for anonymous user

Assure that all content/crx access permissions have been revoked for “anonymous” user.

Step-6: Allow SAML URLs in dispatcher

Append following configs in filter section of your dispatcher

/0207 { /type "allow" /method "POST" /url "*/saml_login" }
/0208 { /type "allow" /method "GET" /url "/system/sling/logout" }
/0209 { /type "allow" /method "GET" /url "/system/sling/login" }

SAML links for login/logout:

You can use following links to configure login/logout buttons on pages:

Login: /system/sling/login

Logout: /system/sling/logout

SAML logs

To access SAML logs on AEM, create a DEBUG logger for “com.adobe.granite.auth.saml”


Issue-1: Logout not working

Resolution: To resolve the same we configured the IDP URL as Logout URL.

Issue-2: ‘Resource at ‘/saml_login’ not found: No resource found’ due to intermittent GET requests.

Resolution: The “saml_login” Servlet only handles POST requests. Hence, if you noticing intermittent GET requests, resulting in resource not found error, then deny GET request to “/saml_login” on Author.

Add the following filter rule to Dispatcher

/0207 { /type "deny" /method "GET" /url "*/saml_login" }

Issue-3: ‘Resource at ‘/saml_login’ not found: No resource found’ for POST requests.

Resolution: Assure that “POST” request isn’t blocked on dispatcher level. Following filter rule should be available

/0208 { /type "allow" /method "POST" /url "*/saml_login" }


One thought on “Configuring AEM for Single Sign On via Azure AD

  1. I have configured /system/sling/login on login button but when I click on login button I am getting you are blocked message from cdn. I have configured the dispatcher as mentioned above. Any ideas on this.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s