July 1, 2024

AEM Custom Saml Authentication Handler

  • July 1, 2024
  • 4 replies
  • 1959 views

We are trying to extend the OOTB AEM com.adobe.granite.auth.saml.SamlAuthenticationHandler, but since this bundle does not have any exported packages in AEM, we are not able to extend the functionality.

public class CustomSamlAuthHandler extends SamlAuthenticationHandler {

    protected AuthnRequest createAuthnRequest() {
        AuthnRequest authnRequest = super.createAuthnRequest();

        // update AuthnRequest
        return authnRequest;
    }

}

 @arunpatidar 

 @pavan_ainampudi 


4 replies

arunpatidar
Community Advisor
July 1, 2024

Hi @pradeep_varmape 
Can you please check this 

https://medium.com/@lars.auffarth/building-an-aem-custom-authentication-handler-for-okta-openid-connect-2d9d42c0161

 

I just tried with ChatGPT, can you also try this.

 

ChatGPT Response

 

Extending the out-of-the-box (OOTB) AEM com.adobe.granite.auth.saml.SamlAuthenticationHandler requires creating a custom OSGi service that inherits from this class. This can allow you to add or override functionality to meet your specific requirements.

Here's a step-by-step guide to extending the SamlAuthenticationHandler in AEM:

 

Create a new class in your AEM project that extends SamlAuthenticationHandler.

package com.yourcompany.aem.custom.auth.saml;

import com.adobe.granite.auth.saml.SamlAuthenticationHandler;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Service;
import org.apache.sling.api.auth.Authenticator;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.api.scripting.SlingScriptHelper;
import org.apache.sling.api.scripting.SlingScriptHelperProvider;
import org.osgi.service.component.ComponentContext;

import javax.jcr.Session;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.util.Map;

@Component(
    immediate = true,
    label = "Custom SAML Authentication Handler",
    description = "Custom SAML Authentication Handler that extends the OOTB SAML Authentication Handler"
)
@Service(Authenticator.class)
public class CustomSamlAuthenticationHandler extends SamlAuthenticationHandler {

    @Override
    protected void activate(ComponentContext context) {
        super.activate(context);
        // Custom activation logic if needed
    }

    @Override
    protected void deactivate(ComponentContext context) {
        // Custom deactivation logic if needed
        super.deactivate(context);
    }

    @Override
    public boolean authenticate(HttpServletRequest request, HttpServletResponse response) {
        // Custom authentication logic if needed
        return super.authenticate(request, response);
    }

    @Override
    public void dropCredentials(HttpServletRequest request, HttpServletResponse response) {
        // Custom drop credentials logic if needed
        super.dropCredentials(request, response);
    }

    @Override
    public void login(HttpServletRequest request, HttpServletResponse response) {
        // Custom login logic if needed
        super.login(request, response);
    }
}

 

Create an OSGi configuration file for your custom authentication handler.

// Create a file named `com.yourcompany.aem.custom.auth.saml.CustomSamlAuthenticationHandler.config`
enabled=B"true"
path="[/content]"
service.ranking=5000

Arun Patidar
July 1, 2024

Hi @arunpatidar,

We are not able to extend the OOTB SamlAuthenticationHandler because:

1) The exported packages of the OOTB bundle are empty. Even though we use it in our code base, this might not be resolved in the AEM instance.

2) We are not able to find the same version in the Maven repo.

 

pulkitvashisth
Community Advisor
July 1, 2024

Hi @pradeep_varmape 
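You can use the org.apache.sling.auth.core.spi.AuthenticationInfoPostProcessor for the same purpose, like this:

import org.apache.commons.lang3.StringUtils;
import org.apache.sling.auth.core.spi.AuthenticationInfo;
import org.apache.sling.auth.core.spi.AuthenticationInfoPostProcessor;
import org.osgi.service.component.ComponentContext;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.metatype.annotations.AttributeDefinition;
import org.osgi.service.metatype.annotations.AttributeType;
import org.osgi.service.metatype.annotations.Designate;
import org.osgi.service.metatype.annotations.ObjectClassDefinition;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.util.Dictionary;

@Component(service = AuthenticationInfoPostProcessor.class, immediate = true)
@Designate(ocd = SAMLResponsePostProcessorImpl.Configuration.class)
public class SAMLResponsePostProcessorImpl implements AuthenticationInfoPostProcessor {

    // Logger is bound to this class (the original referenced an undefined class name)
    public static final Logger LOG = LoggerFactory.getLogger(SAMLResponsePostProcessorImpl.class);

    @ObjectClassDefinition(name = "Value Store SAML Post Processor Configuration",
            description = "Configurations SAML Post Processor")
    public @interface Configuration {
        @AttributeDefinition(name = "Enable SAML post-login verification", type = AttributeType.BOOLEAN)
        boolean enabled() default false;
    }

    @Override
    public void postProcess(AuthenticationInfo info, HttpServletRequest request, HttpServletResponse response) {
        if (info == null) {
            LOG.debug("AuthenticationInfo is null. " + "Skip post processing this request.");
            return;
        }
        String userId = info.getUser();
        if (StringUtils.isNotBlank(userId)) {
            /* Write your custom code here */
        }
    }

    // @Activate is required for Declarative Services to call this method
    @Activate
    protected void activate(final ComponentContext componentContext) {
        final Dictionary<?, ?> properties = componentContext.getProperties();
    }
}

Reference: https://hashimkhan.in/aem-adobecq5-code-templates/post-processor/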

 

July 1, 2024

Hi @pulkitvashisth,

Our requirement is to update the Authn request while we redirect to the IDP provider, so we can't use a post processor.

joerghoh
Adobe Employee
July 1, 2024

Why is the OOTB SAML authentication not enough? What do you want to achieve?

July 1, 2024

The request was to pass emailid as login_hint as a query param in the SAML AuthnRequest. This is to solve some consumer identification issue for certain B2C consumers in Azure AD; this was proposed by our Azure team.
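The redirect described in this reply, sketched as an added example (Java 10+) that is not part of the thread and is not Adobe's handler code: it builds a SAML HTTP-Redirect binding URL and appends `login_hint` only after validating it. The class name, IdP URL, AuthnRequest XML and email pattern are assumptions made for illustration.

```java
import java.io.ByteArrayOutputStream;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.regex.Pattern;
import java.util.zip.Deflater;
import java.util.zip.DeflaterOutputStream;

public class RedirectBindingLoginHint {

    // Conservative shape check (assumption): rejects control characters and URL metacharacters.
    private static final Pattern EMAIL =
        Pattern.compile("^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}$");

    // HTTP-Redirect binding encoding: raw DEFLATE, then Base64, then URL-encoding.
    static String encodeSamlRequest(String xml) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        Deflater raw = new Deflater(Deflater.DEFAULT_COMPRESSION, true); // true = no zlib header
        try (DeflaterOutputStream out = new DeflaterOutputStream(buf, raw)) {
            out.write(xml.getBytes(StandardCharsets.UTF_8));
        }
        String b64 = Base64.getEncoder().encodeToString(buf.toByteArray());
        return URLEncoder.encode(b64, StandardCharsets.UTF_8);
    }

    static String buildRedirect(String idpUrl, String authnRequestXml,
                                String relayState, String loginHint) throws Exception {
        StringBuilder url = new StringBuilder(idpUrl)
            .append(idpUrl.contains("?") ? '&' : '?')
            .append("SAMLRequest=").append(encodeSamlRequest(authnRequestXml))
            .append("&RelayState=").append(URLEncoder.encode(relayState, StandardCharsets.UTF_8));
        // login_hint sits outside the SAML message and outside any redirect-binding
        // signature (which covers only SAMLRequest, RelayState and SigAlg), so it is an
        // unauthenticated convenience value. Drop it unless it looks like an email address.
        if (loginHint != null && EMAIL.matcher(loginHint).matches()) {
            url.append("&login_hint=").append(URLEncoder.encode(loginHint, StandardCharsets.UTF_8));
        }
        return url.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not taken from the thread.
        String xml = "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\""
            + " ID=\"_example1\" Version=\"2.0\" IssueInstant=\"2024-07-01T00:00:00Z\"/>";
        String idp = "https://idp.example.com/saml2";
        System.out.println(buildRedirect(idp, xml, "/content/site/home.html", "user@example.com"));
        // A hint carrying extra parameters fails the shape check and is omitted.
        System.out.println(buildRedirect(idp, xml, "/content/site/home.html", "x@y.com&RelayState=/other"));
    }
}
```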

joerghoh
Adobe Employee
July 17, 2024

Let me phrase it differently: What do you want to achieve with passing the emailid as a query parameter? 

kautuk_sahni
Community Manager
July 8, 2024

@pradeep_varmape Did you find the suggestion helpful? Please let us know if you require more information. Otherwise, please mark the answer as correct for posterity. If you've discovered a solution yourself, we would appreciate it if you could share it with the community. Thank you! 

Kautuk Sahni