My use case is as follows,
One Service Provider (AEM) and 2 identity providers - IDP1 and IDP2. Let's assume that there is no login context / saved credentials in the SP so the SP will ask the IDP to assert the principal's (user's) credentials. In this case, IDP1 needs to first attempt to authenticate the user and if the user is not authenticated, delegate the request to IDP2 for authentication. If IDP2 is able to authenticate the user then the SP will receive the SAML response and make an access control decision else a login error screen needs to be shown.
My issues,
I cannot have 2 separate SAML authentication configurations for the same path because - one will override the other and also there will be two separate login screens / prompts displayed to the customer for each provider.
Is anyone able to provide any insight on how the above use case can be implemented in AEM 6.1?
Solved! Go to Solution.
Views
Replies
Total Likes
Hi Lokesh,
This wouldn't work for my use case because - if user logging in is not able to be authenticated by the first IDP, the request is not handed over to the second IDP for authentication automatically. There is a login error and the user will still be displayed the IDP1 Login screen.
My requirement is, if the user is not authenticated successfully on IDP1 then the user credentials need to be sent (request forwarded) to IDP2 (this way there is no prompt for entering user credentials again) and authenticated by IDP2. If the user is successfully authenticated by IDP2 then the SAML response will be constructed with reference to the IDP which successfully authenticated the user. (IDP 2 in this scenario)
My take is creating a custom SAML authentication handler to be able to achieve this but if there is someway the OOTB functionality can be leveraged to get this done, that would be preferred.
Views
Replies
Total Likes
Hi Naveen,
You can configure multiple SAML IDPs (Check the screenshot) and the order in which it would authenticate will be based on the ranking and the same can be checked in /system/console/jaas
Views
Replies
Total Likes
Hi Lokesh,
This wouldn't work for my use case because - if user logging in is not able to be authenticated by the first IDP, the request is not handed over to the second IDP for authentication automatically. There is a login error and the user will still be displayed the IDP1 Login screen.
My requirement is, if the user is not authenticated successfully on IDP1 then the user credentials need to be sent (request forwarded) to IDP2 (this way there is no prompt for entering user credentials again) and authenticated by IDP2. If the user is successfully authenticated by IDP2 then the SAML response will be constructed with reference to the IDP which successfully authenticated the user. (IDP 2 in this scenario)
My take is creating a custom SAML authentication handler to be able to achieve this but if there is someway the OOTB functionality can be leveraged to get this done, that would be preferred.
Views
Replies
Total Likes
For your usecase, you will have to write a custom authentication handler and OOB is not available
Views
Replies
Total Likes
Thanks for confirming Lokesh!
Views
Replies
Total Likes
Views
Likes
Replies