Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.

AEM Custom Saml Authentication Handler

Avatar

Level 3

We are trying to extend OOTB AEM com.adobe.granite.auth.saml.SamlAuthenticationHandler, but since this bundle does not have any exported packages in AEM . We are not able to extend the functionality. 

public class CustomSamlAuthHandler extends SamlAuthenticationHandler {

protected AuthnRequest createAuthnRequest() {
AuthnRequest authnRequest = super.createAuthnRequest();

//update AuthRequest
return authnRequest;
}

}

 @arunpatidar 

 @pavan_ainampudi 

8 Replies

Avatar

Community Advisor

Hi @pradeep8910 
Can you please check this 

https://medium.com/@lars.auffarth/building-an-aem-custom-authentication-handler-for-okta-openid-conn...

 

I just tried with ChatGPT, can you also try this.

 

Spoiler
ChatGPT Response

 

Extending the out-of-the-box (OOTB) AEM com.adobe.granite.auth.saml.SamlAuthenticationHandler requires creating a custom OSGi service that inherits from this class. This can allow you to add or override functionality to meet your specific requirements.

Here's a step-by-step guide to extending the SamlAuthenticationHandler in AEM:

 

Create a new class in your AEM project that extends SamlAuthenticationHandler.

package com.yourcompany.aem.custom.auth.saml;

import com.adobe.granite.auth.saml.SamlAuthenticationHandler;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Service;
import org.apache.sling.api.auth.Authenticator;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.api.scripting.SlingScriptHelper;
import org.apache.sling.api.scripting.SlingScriptHelperProvider;
import org.osgi.service.component.ComponentContext;

import javax.jcr.Session;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.util.Map;

@Component(
        immediate = true,
        label = "Custom SAML Authentication Handler",
        description = "Custom SAML Authentication Handler that extends the OOTB SAML Authentication Handler"
)
@Service(Authenticator.class)
public class CustomSamlAuthenticationHandler extends SamlAuthenticationHandler {

    @Override
    protected void activate(ComponentContext context) {
        super.activate(context);
        // Custom activation logic if needed
    }

    @Override
    protected void deactivate(ComponentContext context) {
        // Custom deactivation logic if needed
        super.deactivate(context);
    }

    @Override
    public boolean authenticate(HttpServletRequest request, HttpServletResponse response) {
        // Custom authentication logic if needed
        return super.authenticate(request, response);
    }

    @Override
    public void dropCredentials(HttpServletRequest request, HttpServletResponse response) {
        // Custom drop credentials logic if needed
        super.dropCredentials(request, response);
    }

    @Override
    public void login(HttpServletRequest request, HttpServletResponse response) {
        // Custom login logic if needed
        super.login(request, response);
    }
}

 

Create an OSGi configuration file for your custom authentication handler.

// Create a file named `com.yourcompany.aem.custom.auth.saml.CustomSamlAuthenticationHandler.config`
enabled=B"true"
path="[/content]"
service.ranking=5000

 

 

 

 



Arun Patidar

Avatar

Level 3

hi @arunpatidar ,

We are not able to extend OOTB SamlAuthenticationhandler  because

1) exported packages of OOTB bundle is empty. Even though we use it in our code base this might not be resolved in AEM instance

2) not able to find the same version in maven repo

pradeep8910_1-1719821159980.png

 

Avatar

Community Advisor

Hi @pradeep8910 
You can use the org.apache.sling.auth.core.spi.AuthenticationInfoPostProcessor
For the same purpose  like this

@Component(service=AuthenticationInfoPostProcessor.class,
        immediate = true)
@Designate(ocd = SAMLResponsePostProcessorImpl.Configuration.class)
public class SAMLResponsePostProcessorImpl implements AuthenticationInfoPostProcessor {
 
    public static final Logger LOG = LoggerFactory.getLogger(SampleAuthenticationInfoPostProcessor.class);

@ObjectClassDefinition(name = "Value Store SAML Post Processor Configuration", description = "Configurations SAML Post Processor")
    public @interface Configuration {

        @AttributeDefinition(name = "Enable SAML post-login verification", type = AttributeType.BOOLEAN)
        boolean enabled() default false;
    }
     
    @Override
    public void postProcess(AuthenticationInfo info, HttpServletRequest request, HttpServletResponse response) {
 
        if(info == null) {
            LOG.debug("AuthenticationInfo is null. " + "Skip post processing this request.");
            return;
        }
        String userId = info.getUser();
        if (StringUtils.isNotBlank(userId)) {
           /*Write your custom code here*/
        }
    }
 
    protected void activate(final ComponentContext componentContext) {
        final Dictionary<?, ?> properties = componentContext.getProperties();
 
    }
}

 Reference : https://hashimkhan.in/aem-adobecq5-code-templates/post-processor/

 

Avatar

Level 3

hi @pulkitvashisth ,

 

Our requirement is to update the Authn request while we rediect to IDP provider. so we cant use post processor

Avatar

Employee Advisor

Why is the OOTB SAML authentication not enough? What do you want to achieve?

Avatar

Level 3

 The request was to pass emailid as login_hint with as a queryparam in  SAML AuthnRequest . This is solve some consumer identification issue for certain b2c consumers in azure AD, this was proposed by our azure team

Avatar

Employee Advisor

Let me phrase it differently: What do you want to achieve with passing the emailid as a query parameter? 

Avatar

Administrator

@pradeep8910 Did you find the suggestion helpful? Please let us know if you require more information. Otherwise, please mark the answer as correct for posterity. If you've discovered a solution yourself, we would appreciate it if you could share it with the community. Thank you! 



Kautuk Sahni