Adobe Experience Manager Sites & More

pradeep8910 · 7/1/24

We are trying to extend OOTB AEM com.adobe.granite.auth.saml.SamlAuthenticationHandler, but since this bundle does not have any exported packages in AEM . We are not able to extend the functionality.

public class CustomSamlAuthHandler extends SamlAuthenticationHandler {

        protected AuthnRequest createAuthnRequest() {
                AuthnRequest authnRequest = super.createAuthnRequest();

                //update AuthRequest
                return authnRequest;
        }

}

@arunpatidar

@pavan_ainampudi

arunpatidar · 7/1/24

Hi @pradeep8910
Can you please check this

https://medium.com/@lars.auffarth/building-an-aem-custom-authentication-handler-for-okta-openid-conn...

I just tried with ChatGPT, can you also try this.

Spoiler

ChatGPT Response

Extending the out-of-the-box (OOTB) AEM com.adobe.granite.auth.saml.SamlAuthenticationHandler requires creating a custom OSGi service that inherits from this class. This can allow you to add or override functionality to meet your specific requirements.

Here's a step-by-step guide to extending the SamlAuthenticationHandler in AEM:

Create a new class in your AEM project that extends SamlAuthenticationHandler.

package com.yourcompany.aem.custom.auth.saml;

import com.adobe.granite.auth.saml.SamlAuthenticationHandler;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Service;
import org.apache.sling.api.auth.Authenticator;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.api.scripting.SlingScriptHelper;
import org.apache.sling.api.scripting.SlingScriptHelperProvider;
import org.osgi.service.component.ComponentContext;

import javax.jcr.Session;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.util.Map;

@Component(
        immediate = true,
        label = "Custom SAML Authentication Handler",
        description = "Custom SAML Authentication Handler that extends the OOTB SAML Authentication Handler"
)
@Service(Authenticator.class)
public class CustomSamlAuthenticationHandler extends SamlAuthenticationHandler {

    @Override
    protected void activate(ComponentContext context) {
        super.activate(context);
        // Custom activation logic if needed
    }

    @Override
    protected void deactivate(ComponentContext context) {
        // Custom deactivation logic if needed
        super.deactivate(context);
    }

    @Override
    public boolean authenticate(HttpServletRequest request, HttpServletResponse response) {
        // Custom authentication logic if needed
        return super.authenticate(request, response);
    }

    @Override
    public void dropCredentials(HttpServletRequest request, HttpServletResponse response) {
        // Custom drop credentials logic if needed
        super.dropCredentials(request, response);
    }

    @Override
    public void login(HttpServletRequest request, HttpServletResponse response) {
        // Custom login logic if needed
        super.login(request, response);
    }
}

Create an OSGi configuration file for your custom authentication handler.

// Create a file named `com.yourcompany.aem.custom.auth.saml.CustomSamlAuthenticationHandler.config`
enabled=B"true"
path="[/content]"
service.ranking=5000

Arun Patidar

pradeep8910 · 7/1/24

hi @arunpatidar ,

We are not able to extend OOTB SamlAuthenticationhandler because

1) exported packages of OOTB bundle is empty. Even though we use it in our code base this might not be resolved in AEM instance

2) not able to find the same version in maven repo

pulkitvashisth · 7/1/24

Hi @pradeep8910
You can use the org.apache.sling.auth.core.spi.AuthenticationInfoPostProcessor
For the same purpose like this

@Component(service=AuthenticationInfoPostProcessor.class,
        immediate = true)
@Designate(ocd = SAMLResponsePostProcessorImpl.Configuration.class)
public class SAMLResponsePostProcessorImpl implements AuthenticationInfoPostProcessor {
 
    public static final Logger LOG = LoggerFactory.getLogger(SampleAuthenticationInfoPostProcessor.class);

@ObjectClassDefinition(name = "Value Store SAML Post Processor Configuration", description = "Configurations SAML Post Processor")
    public @interface Configuration {

        @AttributeDefinition(name = "Enable SAML post-login verification", type = AttributeType.BOOLEAN)
        boolean enabled() default false;
    }
     
    @Override
    public void postProcess(AuthenticationInfo info, HttpServletRequest request, HttpServletResponse response) {
 
        if(info == null) {
            LOG.debug("AuthenticationInfo is null. " + "Skip post processing this request.");
            return;
        }
        String userId = info.getUser();
        if (StringUtils.isNotBlank(userId)) {
           /*Write your custom code here*/
        }
    }
 
    protected void activate(final ComponentContext componentContext) {
        final Dictionary<?, ?> properties = componentContext.getProperties();
 
    }
}

Reference : https://hashimkhan.in/aem-adobecq5-code-templates/post-processor/

pradeep8910 · 7/1/24

hi @pulkitvashisth ,

Our requirement is to update the Authn request while we rediect to IDP provider. so we cant use post processor

Jörg_Hoh · 7/1/24

Why is the OOTB SAML authentication not enough? What do you want to achieve?

pradeep8910 · 7/1/24

The request was to pass emailid as login_hint with as a queryparam in SAML AuthnRequest . This is solve some consumer identification issue for certain b2c consumers in azure AD, this was proposed by our azure team

Adobe Experience Manager Sites & More

AEM Custom Saml Authentication Handler

Arun Patidar

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe