SAML login is setting 2 saml_request_path cookie | Community
Skip to main content
C
ChangAh
New Member
May 4, 2022

SAML login is setting 2 saml_request_path cookie

  • May 4, 2022
  • 1 reply
  • 1487 views

I have created a custom AuthenticationInfoPostProcessor service so that I could sent saml_request_path  and redirect the authenticated user to the appropriate page.   However, after authentication (i.e.after /saml_login request), there are 2 saml_request_path  set in the response - one set to the value I'm setting in the custom AuthenticationInfoPostProcessor service and one with a value of null.  The saml_request_path  with null value redirects to my homepage.

 

How do I set saml_request_path so that the user is redirected to the appropriate page?  How do I prevent the second saml_request_path  cookie from being added?

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.

1 reply

JeevanRaj
Community Advisor
JeevanRajCommunity Advisor
Community Advisor
May 5, 2022

Hi @changah 

 

I had previously worked on a similar requirement. The saml_request_path cookie is originally set in org.apache.sling.auth.core.spi.AuthenticationHandler. So avoid setting it in AuthenticationInfoPostProcessor.

 

What you can do is create a loginHook which implements AuthenticationHandler and override requestCredentials method. Set your saml_request_path inside this method.

 

@Override
public boolean requestCredentials(final HttpServletRequest httpServletRequest,
        final HttpServletResponse httpServletResponse) throws IOException {
    final int expiryTime = 60 * 60 * 60 * 24;
    LOGGER.debug("Login hook initialized");
    String pagePath = httpServletRequest.getRequestURI();

    String queryString = httpServletRequest.getQueryString();
    CookieUtil.addCookie(
            ServletUtil.createCookie("saml_request_path", pagePath, true, expiryTime, null, "/", false),
            httpServletResponse);

    return wrappedAuthHandler.requestCredentials(httpServletRequest, httpServletResponse);
}

The above solution worked for me for this exact requirement. Hope it helps you too.

 

https://github.com/Adobe-Consulting-Services/acs-aem-samples/blob/master/core/src/main/java/com/adobe/acs/samples/authentication/impl/SampleLoginHookAuthenticationHandler.java

 

Regards,

Jeevan 

    C
    ChangAhAuthor
    New Member
    May 6, 2022

    Hi @jeevanraj.  Thanks for the suggestion.  I implemented the login hook and some logging.  I don't see requestCredentials during login.  Most of our site does not require login.  I assume requestCredentials method is only called when a page requires authentication, correct?

     

    Is there a way to prevent AuthenticationHandler from setting saml_request_path cookie so that I can set it using a different method (e.g. sling request filter)?  

      Terms & ConditionsAccessibility statement

      Loading footer...