SOLVED

AEM 6.1 | SAML Multiple Identity providers

Level 4

My use case is as follows:

One Service Provider (AEM) and two identity providers, IDP1 and IDP2. Let's assume that there is no login context / saved credentials in the SP, so the SP will ask the IDP to assert the principal's (user's) credentials. In this case, IDP1 needs to first attempt to authenticate the user and, if the user is not authenticated, delegate the request to IDP2 for authentication. If IDP2 is able to authenticate the user, the SP will receive the SAML response and make an access control decision; otherwise a login error screen needs to be shown.

My issues:

I cannot have two separate SAML authentication configurations for the same path because one will override the other, and there would also be two separate login screens / prompts displayed to the customer, one for each provider.

Is anyone able to provide any insight on how the above use case can be implemented in AEM 6.1?

4 Replies

Level 10

Hi Naveen,

You can configure multiple SAML IDPs (check the screenshot); the order in which they authenticate is based on the ranking, and this can be checked in /system/console/jaas.

Correct answer by
Level 4

Hi Lokesh,

This wouldn't work for my use case because, if the user logging in cannot be authenticated by the first IDP, the request is not handed over to the second IDP for authentication automatically. There is a login error and the user is still shown the IDP1 login screen.

My requirement is: if the user is not authenticated successfully on IDP1, then the user credentials need to be sent (request forwarded) to IDP2 (this way there is no prompt to enter user credentials again) and authenticated by IDP2. If the user is successfully authenticated by IDP2, then the SAML response will be constructed with reference to the IDP which successfully authenticated the user (IDP2 in this scenario).

My take is to create a custom SAML authentication handler to achieve this, but if there is some way the OOTB functionality can be leveraged to get this done, that would be preferred.

Level 10

For your use case you will have to write a custom authentication handler; an OOB solution is not available.
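As an added example (not code from this thread, and not AEM's own SAML handler), here is the SP-side decision logic such a custom handler would need, written in Python so it runs stand-alone; the Sling AuthenticationHandler glue is left out. One point to settle before building it: in SAML Web Browser SSO the service provider never receives the user's password, so "forwarding the credentials to IDP2" can only mean redirecting the browser with a fresh AuthnRequest to IDP2 after IDP1 returns an explicit AuthnFailed status. The IdP entity IDs, SSO URLs and user lists below are constructed for the demo, and signature verification of the Response is omitted and flagged in the code.

```python
"""SP-side IdP fallback for a custom SAML handler (constructed example, not AEM code)."""
import secrets
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_AUTHN_FAILED = "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"

SP_ENTITY_ID = "https://aem.example.com/saml_login"  # assumed SP entity ID
# Hypothetical IdPs in the order the handler should try them (IDP1 first).
# "users" is a constructed stand-in for who each IdP can authenticate.
IDP_CHAIN = [
    {"entity_id": "https://idp1.example.com", "sso_url": "https://idp1.example.com/sso",
     "users": {"alice"}},
    {"entity_id": "https://idp2.example.com", "sso_url": "https://idp2.example.com/sso",
     "users": {"bob"}},
]


class SpSession:
    """State the handler keeps per browser between the redirect and the callback."""
    def __init__(self):
        self.idp_index = 0      # position in IDP_CHAIN currently being asked
        self.request_id = None  # ID of the outstanding AuthnRequest, if any


def build_authn_request(session):
    """Build an AuthnRequest for the current IdP; returns (sso_url, xml)."""
    idp = IDP_CHAIN[session.idp_index]
    session.request_id = "_" + secrets.token_hex(16)
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
           f'ID="{session.request_id}" Version="2.0" Destination="{idp["sso_url"]}" '
           f'AssertionConsumerServiceURL="{SP_ENTITY_ID}">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    return idp["sso_url"], xml


def handle_response(session, response_xml):
    """Validate a SAML Response and decide: success, fall back to the next IdP, or error.

    Assumption: the real handler verifies the Response/Assertion signature against
    the IdP certificate before any of the checks below are trusted; omitted here.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        return {"result": "error", "reason": "not a samlp:Response"}
    expected_idp = IDP_CHAIN[session.idp_index]
    # 1. Must answer the request we actually sent (rejects unsolicited or replayed responses).
    if root.get("InResponseTo") != session.request_id:
        return {"result": "error", "reason": "InResponseTo does not match outstanding request"}
    # 2. Must come from the IdP we asked; IDP2 may not answer on IDP1's behalf.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_idp["entity_id"]:
        return {"result": "error", "reason": f"unexpected Issuer {issuer}"}
    session.request_id = None  # request IDs are one-time use, whatever the outcome
    status = root.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    if status == STATUS_SUCCESS:
        name_id = root.findtext("saml:Assertion/saml:Subject/saml:NameID", namespaces=NS)
        return {"result": "success", "user": name_id, "idp": issuer}
    if status == STATUS_AUTHN_FAILED and session.idp_index + 1 < len(IDP_CHAIN):
        # Fall back with a fresh AuthnRequest to the next IdP. Only the browser is
        # redirected; the SP never held the password, so nothing else is forwarded.
        session.idp_index += 1
        sso_url, xml = build_authn_request(session)
        return {"result": "redirect", "sso_url": sso_url, "authn_request": xml}
    # AuthnFailed at the last IdP, or any other status: show the login error page.
    return {"result": "error", "reason": status}


def idp_respond(idp, authn_request_xml, user):
    """Constructed stand-in for an IdP: answers with Success or AuthnFailed."""
    req = ET.fromstring(authn_request_xml)
    ok = user in idp["users"]
    assertion = (f'<saml:Assertion><saml:Subject><saml:NameID>{user}</saml:NameID>'
                 f'</saml:Subject></saml:Assertion>') if ok else ""
    code = STATUS_SUCCESS if ok else STATUS_AUTHN_FAILED
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            f'ID="_{secrets.token_hex(8)}" Version="2.0" InResponseTo="{req.get("ID")}">'
            f'<saml:Issuer>{idp["entity_id"]}</saml:Issuer>'
            f'<samlp:Status><samlp:StatusCode Value="{code}"/></samlp:Status>'
            f'{assertion}</samlp:Response>')


def run_login(user):
    """Drive the whole exchange for one browser and return the handler's final decision."""
    session = SpSession()
    sso_url, request_xml = build_authn_request(session)
    while True:
        idp = next(i for i in IDP_CHAIN if i["sso_url"] == sso_url)
        outcome = handle_response(session, idp_respond(idp, request_xml, user))
        if outcome["result"] != "redirect":
            return outcome
        sso_url, request_xml = outcome["sso_url"], outcome["authn_request"]


if __name__ == "__main__":
    for u in ("alice", "bob", "carol"):
        print(u, run_login(u))
```

Running it: alice succeeds at IDP1, bob fails at IDP1 and succeeds at IDP2 with the decision recording IDP2 as the authenticating IdP, and carol fails at both and ends on the error path. The two checks before the status is even read (InResponseTo and Issuer) are what stop a response from one IdP being accepted while the handler is waiting on the other.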