HomeIntegrations & Platform Patterns › SSO & SAML overview

SSO & SAML overview

Purpose: Understand how enterprise SSO attaches to AEM author (and authenticated publish sites) at a working-knowledge level.

Who this page is for

AudienceWhy it matters to you
All engineersLogin mechanics awareness
Platform engineersConfiguration owners

Author SSO (the common case)

AEM ships a SAML 2.0 authentication handler. The flow:

Browser → AEM author → (no session) → redirect to IdP (corporate SSO)
        ← SAML assertion (POST /saml_login) ←
AEM validates signature → creates/updates user → group sync from assertion → session
Config concernWhere
SAML handler (IdP URL, certificate, attribute mapping)OSGi config per environment
IdP certificateTruststore (Granite)
Auto-create users & map IdP groups → AEM groupsHandler config — this is where permissions actually happen
Fallback local login/libs/granite/core/content/login.html?resource=… (break-glass admin)

Group mapping is the part engineers get asked about: users get AEM permissions via groups that the assertion's group attribute maps onto. "I can't see X" after SSO usually = missing group in the IdP or mapping config.

Authenticated publish (member portals)

Same handler can protect publish. Delivery consequences dominate the design:

Rules

Quick navigation