This conversation has been locked due to inactivity. Please create a new post.
My use case is as follows:
One Service Provider (AEM) and two identity providers, IDP1 and IDP2. Let's assume there is no login context / saved credentials in the SP, so the SP will ask the IDP to assert the principal's (user's) credentials. In this case, IDP1 needs to first attempt to authenticate the user and, if the user is not authenticated, delegate the request to IDP2 for authentication. If IDP2 is able to authenticate the user, the SP will receive the SAML response and make an access control decision; otherwise a login error screen needs to be shown.
My issues:
I cannot have two separate SAML authentication configurations for the same path, because one will override the other, and there would also be two separate login screens/prompts displayed to the customer, one for each provider.
Is anyone able to provide any insight on how the above use case can be implemented in AEM 6.1?
Hi Naveen,
You can configure multiple SAML IDPs (check the screenshot), and the order in which they will attempt authentication is based on the service ranking; the same can be checked in /system/console/jaas.
Hi Lokesh,
This wouldn't work for my use case, because if the user logging in cannot be authenticated by the first IDP, the request is not handed over to the second IDP for authentication automatically. There is a login error, and the user is still shown the IDP1 login screen.
My requirement is: if the user is not authenticated successfully on IDP1, then the user credentials need to be sent (request forwarded) to IDP2 (this way there is no prompt to enter user credentials again) and authenticated by IDP2. If the user is successfully authenticated by IDP2, then the SAML response will be constructed with reference to the IDP which successfully authenticated the user (IDP2 in this scenario).
My take is to create a custom SAML authentication handler to achieve this, but if there is some way the OOTB functionality can be leveraged to get this done, that would be preferred.
For your use case, you will have to write a custom authentication handler; OOB functionality is not available for this.
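The SP-side decision logic such a custom handler needs, as an added example that is not from this thread and not Adobe's SAML handler code. A real AEM implementation would be a Java Sling AuthenticationHandler and would verify the XML-DSig signature against the IdP certificate (the idpCertAlias of the OOTB handler); this Python model keeps only the orchestration. Two points matter for security: the SP never sees the user's password, so the "hand-over" from IDP1 to IDP2 is a fresh AuthnRequest to IDP2 issued only after IDP1 returns a signed Response with an AuthnFailed status, and every Response is verified with the key of the issuer it names, never with "any IdP key we trust". Entity IDs, URLs, the HMAC stand-in for XML-DSig and the Response fixtures are all assumptions constructed for the example.

```python
"""Model of chaining two SAML IdPs on the SP side (added example, hypothetical values)."""
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted XML in production
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_AUTHN_FAILED = "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"

# Hypothetical SP identity and a fixed "current time" so the example runs offline.
SP_ENTITY_ID = "https://aem.example.com/sp"
ACS_URL = "https://aem.example.com/saml_login"
NOW = datetime(2024, 1, 1, 0, 1, tzinfo=timezone.utc)

# Ordered IdP chain (hypothetical): index 0 is tried first, later entries are fallbacks.
# The per-issuer HMAC keys stand in for the IdP signing certificates a real SP holds.
IDP_CHAIN = [
    {"entity_id": "https://idp1.example.com", "sso_url": "https://idp1.example.com/sso", "key": b"idp1-key"},
    {"entity_id": "https://idp2.example.com", "sso_url": "https://idp2.example.com/sso", "key": b"idp2-key"},
]


def sign(xml_bytes, key):
    """Stand-in for XML-DSig: detached HMAC-SHA256 over the Response bytes."""
    return hmac.new(key, xml_bytes, hashlib.sha256).hexdigest()


def start_authn(idp_index, pending):
    """Issue an AuthnRequest ID for IDP_CHAIN[idp_index] and record which IdP it went to."""
    request_id = "_" + secrets.token_hex(16)
    pending[request_id] = idp_index
    return {"action": "redirect", "sso_url": IDP_CHAIN[idp_index]["sso_url"], "request_id": request_id}


def handle_response(xml_bytes, signature, pending, now):
    """Return the SP decision for one Response: login, redirect to the next IdP, or error."""
    resp = ET.fromstring(xml_bytes)
    issuer = resp.findtext("saml:Issuer", namespaces=NS)
    idp_index = next((i for i, idp in enumerate(IDP_CHAIN) if idp["entity_id"] == issuer), None)
    if idp_index is None:
        return {"action": "error", "reason": "untrusted issuer"}
    # Verify with the named issuer's key only, never "any key we trust".
    if not hmac.compare_digest(sign(xml_bytes, IDP_CHAIN[idp_index]["key"]), signature):
        return {"action": "error", "reason": "bad signature"}
    # Must answer a request this SP sent to this IdP (blocks replay and unsolicited responses).
    if pending.pop(resp.get("InResponseTo"), None) != idp_index:
        return {"action": "error", "reason": "unexpected InResponseTo"}
    if resp.get("Destination") != ACS_URL:
        return {"action": "error", "reason": "wrong Destination"}

    status = resp.find("samlp:Status", NS)
    codes = [sc.get("Value") for sc in status.iter("{%s}StatusCode" % NS["samlp"])]
    if codes[0] != STATUS_SUCCESS:
        # IDP1 could not authenticate the user: hand over to the next IdP in the chain
        # instead of showing the error page; a failure from the last IdP is final.
        if STATUS_AUTHN_FAILED in codes and idp_index + 1 < len(IDP_CHAIN):
            return start_authn(idp_index + 1, pending)
        return {"action": "error", "reason": "authentication failed at " + issuer}

    assertion = resp.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS)
    if now >= datetime.fromisoformat(cond.get("NotOnOrAfter").replace("Z", "+00:00")):
        return {"action": "error", "reason": "assertion expired"}
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        return {"action": "error", "reason": "wrong Audience"}
    principal = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return {"action": "login", "principal": principal, "authenticated_by": issuer}


# Constructed fixtures standing in for real IdP messages.
def make_response(issuer, in_response_to, status_codes, assertion_xml=""):
    """Minimal constructed samlp:Response; status_codes nest outer-to-inner."""
    status = "".join('<samlp:StatusCode Value="%s">' % c for c in status_codes)
    status += "</samlp:StatusCode>" * len(status_codes)
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0" '
            'IssueInstant="2024-01-01T00:00:00Z" Destination="%s" InResponseTo="%s">'
            '<saml:Issuer>%s</saml:Issuer><samlp:Status>%s</samlp:Status>%s</samlp:Response>'
            % (NS["samlp"], NS["saml"], ACS_URL, in_response_to, issuer, status, assertion_xml)).encode()


def make_assertion(name_id, not_on_or_after, audience=SP_ENTITY_ID):
    return ('<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
            '<saml:Subject><saml:NameID>%s</saml:NameID></saml:Subject>'
            '<saml:Conditions NotOnOrAfter="%s"><saml:AudienceRestriction><saml:Audience>%s'
            '</saml:Audience></saml:AudienceRestriction></saml:Conditions></saml:Assertion>'
            % (name_id, not_on_or_after, audience))


def run_chain(now=NOW):
    """Full flow: AuthnRequest to IDP1 -> AuthnFailed -> redirect to IDP2 -> Success from IDP2."""
    pending = {}
    step1 = start_authn(0, pending)
    failed = make_response(IDP_CHAIN[0]["entity_id"], step1["request_id"],
                           [STATUS_RESPONDER, STATUS_AUTHN_FAILED])
    step2 = handle_response(failed, sign(failed, IDP_CHAIN[0]["key"]), pending, now)
    ok = make_response(IDP_CHAIN[1]["entity_id"], step2.get("request_id"), [STATUS_SUCCESS],
                       make_assertion("naveen", "2024-01-01T00:05:00Z"))
    step3 = handle_response(ok, sign(ok, IDP_CHAIN[1]["key"]), pending, now)
    return [step1["action"], step2["action"], step3]


if __name__ == "__main__":
    print(run_chain())
```

Running the block walks the chain once: redirect to IDP1, a signed AuthnFailed from IDP1 turns into a redirect to IDP2, and the Success from IDP2 yields a login whose `authenticated_by` is IDP2's entity ID, which is what the SP's access-control decision should be keyed on. A Response that names IDP2 but is signed with IDP1's key, or that answers a request the SP sent to the other IdP, is rejected before any assertion is read.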
Thanks for confirming Lokesh!