SSO/SAML on AEM Publisher | Community
Level 2
October 16, 2015
Solved

  • 4 replies
  • 3819 views

I am currently working on implementing an asset manager using Adobe AEM 5.6.1 DAM and want to use the Asset Share and Asset Editor templates on publisher. Our client, however, needs these pages to be secure and restrict access to users who authenticate through a SAML-based SSO product. The SAML authentication handler configuration on Author instances is pretty straightforward, but when attempting to do the same on publisher it does not work. The default behavior when using the Asset Share page on publisher is that it redirects to the Geometrixx login (not AEM) page. I understand that this can be changed to a different page, but I need it to redirect to the IdP login screen. When I configure the SAML authentication handler on publisher with the same exact parameters that work on author, not only am I not redirected to the IdP to enter credentials, but I am not prompted for any authentication at all.

Is there a setting or something that I am missing somewhere on a publisher instance to enable the SAML authentication handler the same way it works on an author instance?

Any help and advice would be greatly appreciated.

4 replies

Sham_HC
Level 10
October 16, 2015

Configuration is the same as on author & no additional things are required. Seems like another authentication handler may be picked. Change the service ranking of the SAML authentication handler and verify at http://localhost:4503/system/console/slingauth

Level 2
October 16, 2015

Sham HC wrote...

Configuration is the same as on author & no additional things are required. Seems like another authentication handler may be picked. Change the service ranking of the SAML authentication handler and verify at http://localhost:4503/system/console/slingauth

Thank you for your response but I had tried that. The slingauth does show the SAML Authentication handler above the Day CQ Login selector authenticator. I have even tried disabling the Day CQ Login selector authenticator entirely and still I am never prompted for credentials when I access http://localhost:4503/content/dam/clientdam/assetshare.html (which is an instance of the assetshare page).

Looking at the Authentication Requirement Configuration in the slingauth config, I see that on publisher Authentication required is set to No, but on author it has different settings and some entries have a Yes for Authentication required. Do I need to change something there, and if so, how?

Thanks in advance.

tiffanyhmwong (Accepted solution)
October 16, 2015

"Authentication Required" being set to No means that you're allowing anonymous login to the path specified, which is the default in publish. If you want to enforce login at a specific path, say /content/dam/clientdam, you can configure it in the Sling Authentication Service by adding +/content/dam/clientdam to the authentication requirements.

More about anonymous login with Sling authentication here: http://sling.apache.org/documentation/the-sling-engine/authentication/authentication-framework.html#anonymous-login
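As an added illustration of the accepted answer (this is not code from the thread, from Adobe or from Apache Sling), the following Python models how Sling's authentication requirement entries decide whether a request path needs login, assuming the semantics documented for the Sling authentication framework: a "+" entry requires login below that path, a "-" entry allows anonymous access, and the longest matching prefix wins. The PID and property name are the real Sling Authentication Service ones; the paths and entries are constructed for the example.

```python
"""Model of Sling's "Authentication Requirements" (sling.auth.requirements).

Added example for this thread; it is not code from Adobe, Apache Sling or the
posters. Semantics follow the Sling authentication framework docs: each entry
is a path prefix, "+" (or no sign) means login is required below it, "-" means
anonymous access is allowed, and the longest matching prefix wins. All paths
and entries below are constructed for illustration.
"""
from __future__ import annotations

# Real PID and property name of the Sling Authentication Service in AEM.
SLING_AUTHENTICATOR_PID = "org.apache.sling.engine.impl.auth.SlingAuthenticator"
REQUIREMENTS_PROPERTY = "sling.auth.requirements"


def _covers(prefix: str, path: str) -> bool:
    """True if the requirement prefix applies to `path` (itself or below it).

    Matching stops at a path-segment or selector/extension boundary, so
    "/content/dam/clientdam" does not cover "/content/dam/clientdam2".
    """
    return path == prefix or path.startswith(prefix + "/") or path.startswith(prefix + ".")


def requires_auth(path: str, requirements: list[str], default: bool = False) -> bool:
    """Decide whether `path` needs login under the given requirement entries.

    `default` stands in for the instance-wide setting the question mentions:
    anonymous allowed (False) on publish, login required (True) on author.
    """
    best_len, decision = -1, default
    for entry in requirements:
        sign, prefix = (entry[0], entry[1:]) if entry and entry[0] in "+-" else ("+", entry)
        prefix = prefix.rstrip("/")
        if _covers(prefix, path) and len(prefix) > best_len:
            best_len, decision = len(prefix), sign == "+"
    return decision


def render_config_line(requirements: list[str]) -> str:
    """Render the property as it appears in a SlingAuthenticator .config file."""
    return f"{REQUIREMENTS_PROPERTY}=[" + ",".join(f'"{r}"' for r in requirements) + "]"


if __name__ == "__main__":
    reqs = ["+/content/dam/clientdam", "-/content/dam/clientdam/public"]
    print(render_config_line(reqs))
    for p in ("/content/dam/clientdam/assetshare.html",
              "/content/dam/clientdam/public/logo.png",
              "/content/geometrixx/en.html"):
        print(p, "-> login required" if requires_auth(p, reqs) else "-> anonymous")
```

Running the script shows that the assetshare page under /content/dam/clientdam now demands login while the sibling Geometrixx page and the explicitly exempted public subtree stay anonymous.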

Level 2
October 16, 2015

Tiffany Wong wrote...

"Authentication Required" being set to No means that you're allowing anonymous login to the path specified, which is the default in publish. If you want to enforce login at a specific path, say /content/dam/clientdam, you can configure it in the Sling Authentication Service by adding +/content/dam/clientdam to the authentication requirements.

More about anonymous login with Sling authentication here: http://sling.apache.org/documentation/the-sling-engine/authentication/authentication-framework.html#anonymous-login

I can't thank you enough! That is exactly what I overlooked when looking at all of the other configuration settings on my publisher for authentication. That did the trick.