
AEM 6 - SSO Authentication and Default Sync Handler


Level 2

Hi all,

My system is currently designed such that users are authenticated against an external Access Manager, which upon successful authentication redirects to AEM. Within AEM I have the Adobe Granite SSO Authentication Handler configured to trust the authenticated requests.

I have also configured the Apache Jackrabbit Oak LDAP Identity Provider to connect to LDAP, the Apache Jackrabbit Oak Default Sync Handler for syncing users and groups from LDAP every 5 minutes, and the Apache Jackrabbit Oak External Login Module.

The behavior I am expecting is that once the user is authenticated by the access manager and redirected to AEM, the SSO Authentication handler will find the necessary header parameters and trust the pre-authenticated user. Also, since I have the Default Sync Handler configured, the trusted user's properties and memberships will be synced if the rep:lastSynced date has expired.

The SSO Authentication handler behaves as expected each time by trusting the authenticated users. However, the sync handler doesn't get invoked each time. In fact, it gets invoked only when the user is logging in for the first time. This means that the sync happens only when the user's node doesn't already exist in AEM. Once the node is created, I don't see the DefaultSyncHandler attempting to check the rep:lastSynced property and sync.

Interestingly, this happens only when the SSO authentication is used. If I use the default Token authentication using the configured External Login Module, the sync handler gets invoked each time.

Anybody got any views on why this could be happening?

-kunal

2 Replies


Level 2

Hello Kunal,

We have the completely similar problem to yours with SSO Authentication and Default Sync Handler. Once synchronized, users will never get updated. Did you find a solution to invoke the sync handler again after the initial login?

Jens


Level 2

Hi Jens,

We contacted Adobe to find out if they had a solution for this scenario, but didn't find much help. I ended up writing a custom authentication post processor which synchronized the user information post login. This wasn't the most desirable solution as it involved a lot of custom coding and we did end up facing some race condition issues during the user info sync.

We eventually ended up upgrading to AEM 6.2 and moving to a SAML based SSO, thus overcoming the issue. Hope this helps.

-kunal
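Kunal's reply above mentions a custom authentication post processor that re-synced user information after login, without showing it. The thread does not say why the SSO handler path skips the Default Sync Handler, so the following is an added illustration of that workaround, not code from the thread, from Adobe or from Oak: a Sling AuthenticationInfoPostProcessor that, once any authentication handler (including the Granite SSO handler) has produced an AuthenticationInfo, asks the configured Oak sync handler whether the user's rep:lastSynced has expired and, only if it has, runs the same sync the External Login Module would run. It uses the public oak-auth-external API (SyncManager, SyncHandler, SyncContext, ExternalIdentityProviderManager) as shipped with AEM 6.1/6.2; the package name, the sync handler name "default", the IDP name "ldap" and the service user sub-service name "external-user-resync" are assumptions that must match your own OSGi configurations and service user mapping.

```java
package com.example.aem.auth; // hypothetical package

import java.util.Collections;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

import javax.jcr.Session;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityProvider;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityProviderManager;
import org.apache.jackrabbit.oak.spi.security.authentication.external.SyncContext;
import org.apache.jackrabbit.oak.spi.security.authentication.external.SyncHandler;
import org.apache.jackrabbit.oak.spi.security.authentication.external.SyncManager;
import org.apache.jackrabbit.oak.spi.security.authentication.external.SyncResult;
import org.apache.jackrabbit.oak.spi.security.authentication.external.SyncedIdentity;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.auth.core.spi.AuthenticationInfo;
import org.apache.sling.auth.core.spi.AuthenticationInfoPostProcessor;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Re-syncs an externally managed (LDAP) user after authentication when the
 * configured sync handler reports that its rep:lastSynced value has expired.
 * Runs for every authenticated request, so everything before the actual sync
 * is a cheap read.
 */
@Component(service = AuthenticationInfoPostProcessor.class)
public class ExternalUserResyncPostProcessor implements AuthenticationInfoPostProcessor {

    private static final Logger LOG = LoggerFactory.getLogger(ExternalUserResyncPostProcessor.class);

    // Assumed names: must match the Default Sync Handler and LDAP IDP configs,
    // and a service user mapping that grants write access below /home.
    private static final String SYNC_HANDLER_NAME = "default";
    private static final String IDP_NAME = "ldap";
    private static final String SUBSERVICE = "external-user-resync";

    @Reference private SyncManager syncManager;
    @Reference private ExternalIdentityProviderManager idpManager;
    @Reference private ResourceResolverFactory resolverFactory;

    // User ids whose sync is currently running: two concurrent requests from
    // the same user must not both try to rewrite the same user node.
    private final Set<String> inFlight = Collections.newSetFromMap(new ConcurrentHashMap<>());

    @Override
    public void postProcess(AuthenticationInfo info, HttpServletRequest request, HttpServletResponse response) {
        String userId = (info == null) ? null : info.getUser();
        if (userId == null || !inFlight.add(userId)) {
            return; // anonymous request, or a sync for this user is already in progress
        }
        try (ResourceResolver resolver = resolverFactory.getServiceResourceResolver(
                Collections.singletonMap(ResourceResolverFactory.SUBSERVICE, (Object) SUBSERVICE))) {
            Session session = resolver.adaptTo(Session.class);
            if (!(session instanceof JackrabbitSession)) {
                return;
            }
            UserManager userManager = ((JackrabbitSession) session).getUserManager();
            SyncHandler handler = syncManager.getSyncHandler(SYNC_HANDLER_NAME);
            ExternalIdentityProvider idp = idpManager.getProvider(IDP_NAME);
            if (handler == null || idp == null) {
                LOG.warn("Sync handler '{}' or IDP '{}' not available", SYNC_HANDLER_NAME, IDP_NAME);
                return;
            }

            // Cheap read: is this a synced external user, and is rep:lastSynced older
            // than the handler's configured expiration time?
            SyncedIdentity identity = handler.findIdentity(userManager, userId);
            if (identity == null || identity.isGroup() || identity.getExternalIdRef() == null) {
                return; // local user or group, nothing to sync
            }
            if (!handler.requiresSync(identity)) {
                return; // still within the expiration window, same decision the login module makes
            }

            // Expired: run the handler's own sync for this one user and persist it.
            SyncContext ctx = handler.createContext(idp, userManager, session.getValueFactory());
            try {
                SyncResult result = ctx.sync(userId);
                if (session.hasPendingChanges()) {
                    session.save();
                }
                LOG.info("Re-synced external user {}: {}", userId, result.getStatus());
            } finally {
                ctx.close();
            }
        } catch (Exception e) {
            // Never fail the request because of a sync problem; the user stays authenticated.
            LOG.warn("Post-login re-sync failed for user {}", userId, e);
        } finally {
            inFlight.remove(userId);
        }
    }
}
```

Two design points worth noting. The expiration decision is delegated to `SyncHandler.requiresSync`, so the post processor honours the same expiration time configured on the Default Sync Handler instead of re-implementing the rep:lastSynced comparison. The `inFlight` set is a minimal guard against the race condition Kunal mentions: the first request of a session that finds an expired user runs the sync, while parallel requests from the same user (page assets, AJAX calls) skip it rather than saving conflicting changes to the same user node. It is per-instance only, so on a clustered author or a publish farm two instances can still sync the same user at the same time; Oak's merge will reject one of the saves and the log line above will show it.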