SAML Authentication generates anonymous user session instead of authenticated user
Level 3
April 1, 2019



Hi everyone,

We have done a successful integration of Okta with our 6.2 instance of AEM via the OOTB SAML Authentication handler.

The integration works great when executed directly on our publish instance via port 4503. However, when we perform the same actions via the dispatcher, the authenticated user session is not available in code. When we try to access the user, we find that, even though the new user is successfully created in the CRX via the SAML integration, the active user session is of the anonymous user - not the user we just authenticated!

Of course, I need to assume that there is a misconfiguration in the dispatcher but I could do with a steer of where to look for something that could be causing this behaviour.

Any thoughts welcome as always and thank you in advance for your time.


Adobe Employee
April 3, 2019

Can you check if the CSRF settings are correct on the dispatcher [1]?

Also make sure POST requests to */saml_login are allowed.

[1] Configuring Dispatcher to Prevent CSRF Attacks

Level 3
April 12, 2019

Hi Jaideep,

Thank you for picking this up mate. I have followed your instructions to the letter but to no avail. We are still experiencing the same issue. FYR, a quick snippet of the code we're using to pick up the user is as follows:

```java
import javax.jcr.Session;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.api.resource.ResourceResolver;

// Resolve the user behind the current request's JCR session.
// Runs inside a servlet/model method; getAuthorizable() throws RepositoryException.
ResourceResolver resourceResolver = request.getResourceResolver();
Session session = resourceResolver.adaptTo(Session.class);
UserManager userManager = resourceResolver.adaptTo(UserManager.class);
// getUserID() is "anonymous" when no authenticated session reached publish
Authorizable auth = userManager.getAuthorizable(session.getUserID());
log.info("user path {}", auth.getPath());
// cookieSetterService is our own service that issues the user cookie
String userCookie = cookieSetterService.setTheCookie(auth);
```

So, you see, it's nothing unusual and, like I said, it works directly on the publish instance. Do you have any further thoughts?

Gaurav-Behl
Level 10
April 12, 2019

A couple of pointers:

1) Validate that the Referer header is set to Okta's host name and that the header is allowed in dispatcher.any.

2) allowauthorized is set to 0 and session management is enabled -- assuming you want that:

3) On publish, the CSRF and Sling Referrer filters have appropriate configs for Okta's host/method, or allow empty for testing.

```
/sessionmanagement
  {
  /directory "/usr/local/apache/.sessions"
  /encode "md5"
  /header "HTTP:authorization"
  /timeout "800"
  }
```

Configuring Dispatcher

Single Sign-On (SSO) Integration With Okta In AEM 6.3 | Bounteous

https://www.albinsblog.com/2017/03/how-to-protect-content-from-anonymous-saml-cq5-aem.html#.XLCeYehKh3g
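The pointers from the two replies above (allow the SAML POST on the dispatcher, forward the Referer header, keep allowAuthorized at 0, optionally enable session management, forward the CSRF token header) gathered into one dispatcher.any farm fragment. This is an added example, not configuration from this thread, from Adobe or from Okta; the farm name, docroot, session directory, the trimmed header list and the /content/* GET rule are assumptions for illustration, and keying session management on the login-token cookie rather than HTTP:authorization is an assumption based on AEM's token authentication issuing a login-token cookie once /saml_login has succeeded.

```text
# dispatcher.any fragment (added example; farm name "publishfarm" is assumed)
/farms
  {
  /publishfarm
    {
    # Forward the headers the SAML flow depends on. Cookie carries the
    # login-token that publish issues after /saml_login; if it is not
    # forwarded, every request reaching publish is anonymous. Referer is
    # what the Sling Referrer Filter on publish checks against Okta's host.
    /clientheaders
      {
      "Host"
      "Cookie"
      "Referer"
      "Authorization"
      "Content-Type"
      "Content-Length"
      "CSRF-Token"
      }
    /filter
      {
      # Deny everything first, then open only what is needed
      /0001 { /type "deny"  /url "*" }
      /0002 { /type "allow" /method "GET"  /url "/content/*" }
      # Okta POSTs the SAML response to the assertion consumer URL
      /0003 { /type "allow" /method "POST" /url "*/saml_login" }
      # Token endpoint used by the CSRF protection framework
      /0004 { /type "allow" /method "GET"  /url "/libs/granite/csrf/token.json" }
      }
    /cache
      {
      /docroot "/usr/local/apache/htdocs"
      # 0 is the default: requests carrying an Authorization header or a
      # login-token/authorization cookie are passed to publish, not served
      # from cache, so the authenticated session is visible to your code
      /allowAuthorized "0"
      /rules
        {
        /0000 { /glob "*" /type "allow" }
        }
      }
    # Optional: only if you want the dispatcher itself to gate cached content
    # by session. Assumption: key on the login-token cookie, because a SAML
    # login ends in a token cookie, not a basic-auth header.
    /sessionmanagement
      {
      /directory "/usr/local/apache/.sessions"
      /encode "md5"
      /header "Cookie:login-token"
      /timeout "800"
      }
    }
  }
```

After reloading Apache, POST to /saml_login through the dispatcher: a 403 answered by the dispatcher itself means a /filter rule still denies the request, while a 403 from publish points at the Sling Referrer Filter (its allow.hosts should list the Okta host, or allow.empty can be enabled for testing) or the CSRF filter. If the POST succeeds but later requests are still anonymous, check the dispatcher log for the login-token cookie being forwarded.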