Hi There,
I'm experiencing an issue in AEM with the SAML Authentication. It goes like this: We have a login page, Enable check under "Authentication Requirement" is enabled. We do have SAML configuration setup with the IDP. After the code is deployed, when we click on the Login button (pointing to /content/myProject/us/en/login.html), the expected IDP SSO login page shows up as per the SAML configuration, everything works as expected.
But when we bounce the publisher server, after the server restarts and when we access the application home page and click on the login button, the expected IDP SSO login page doesn't show up as per the SAML config. In our QA, UAT environments, whenever the code is deployed, Ops team restarts the publisher servers and that's how this issue came to light.
As a workaround, we have told the team to open the login page properties, disable the authentication checkbox, save the change. Open the login page again, Enable the authentication checkbox, save change. If we do this, then the login button works and shows the IDP login page.
Can someone let me know why the authentication property is not being considered by AEM after restart, why we are being forced to set this property manually after every restart. Please let me know if we are missing anything here.
If anybody can throw some light here, it will be greatly appreciated.
Hi,
Is your login page accessible by anonymous user? If not then login page won't show.
open the login page properties, disable the authentication checkbox, save the change.
Hi,
There was no error seen in the logs, unless some specific debug logs enabled on some out-of-the-box apis, we don't see any error.
Hi,
We have a home page that is accessible to everyone, it has the link to Login. When the user clicks on login, IDP login page as per the saml configuration would be displayed. Once the user is successfully authenticated through IDP, the user will be navigated to the dashboard page.
That's a weird one.
When authentication checkbox is enabled, a property for granite:AuthenticationRequired is set on that page node:
Do you see this property on the page after restart?
Hi,
Thanks for your response.
After the restart, I opened the page in the browser and verified the page properties in the Advanced tab and could see that the Authentication Requirement checkbox is still Enabled. But somehow when I click on login, SAML authentication IDP login page does not display, that's weird.
When I manually disable the checkbox, save and enable the checkbox and save, then it works as expected.
Not sure what I am missing here, I would assume we don't have to do anything with respect to the server startup script in terms of sling authentication.
Typically when I need to protect pages and mandate authentication, I use the Apache Sling Authentication Service OSGi config:
In the 'Authentication Requirements' property, I add the paths that I want or don't want to protect. For example in the above screenshot: /content/mysite/mypage is protected and will require authentication to access it.
Whereas, /libs/granite/core/content/login is open to public, which is the login page.
OSGi configs can be persisted in code base and I'd say more reliable. I'd suggest to give this a try, I never faced such an issue with this approach.
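How "Authentication Requirements" entries like the two quoted in the reply above decide whether a request is challenged, as an added example that is not part of the thread and is not Sling's own code. It is a simplified model that assumes the most specific (longest) matching path wins, that a `-` prefix means no authentication and `+` or no prefix means authentication required; the function names are hypothetical, and `anonymous_default` stands in for the authenticator's "Allow Anonymous Access" setting.

```python
# Added example: simplified model of Sling "Authentication Requirements" entries.
# Assumptions: longest matching path wins; "-" = no auth, "+" or no prefix = auth.

def parse_requirements(entries):
    """Turn entries such as '+/content/x' or '-/libs/y' into (path, required) pairs."""
    parsed = []
    for raw in entries:
        entry = raw.strip()
        if not entry:
            continue
        required = not entry.startswith("-")
        path = entry.lstrip("+-")
        if not path.startswith("/"):
            raise ValueError(f"not an absolute path: {raw!r}")
        parsed.append((path.rstrip("/") or "/", required))
    # Longest path first, so the most specific entry is checked first.
    return sorted(parsed, key=lambda item: len(item[0]), reverse=True)


def _covers(req_path, request_path):
    """True if the requirement path applies to the requested path."""
    if req_path == "/" or request_path == req_path:
        return True
    # Child resources (/page/child) and extension forms (/page.html) are covered;
    # a sibling that merely shares the prefix (/page2) is not.
    return request_path.startswith(req_path) and request_path[len(req_path)] in "/."


def requires_auth(entries, request_path, anonymous_default=True):
    """Return True if the request would be challenged under these entries."""
    for path, required in parse_requirements(entries):
        if _covers(path, request_path):
            return required
    # No entry matched: fall back to the global anonymous-access default.
    return not anonymous_default


# The two paths mentioned in the reply above.
ENTRIES = ["+/content/mysite/mypage", "-/libs/granite/core/content/login"]

if __name__ == "__main__":
    for p in ("/content/mysite/mypage.html",
              "/content/mysite/mypage2.html",
              "/libs/granite/core/content/login.html"):
        print(p, "->", "auth required" if requires_auth(ENTRIES, p) else "anonymous")
```

Running a shared instance's full entry list through a check like this shows which application paths a new entry would affect before it is added to the global config.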
Thank you Nikhil for your quick suggestion.
Since Sling Authentication osgi service is a global setting, and we do have other applications deployed in the same AEM server, we were not adding our application specific login page path here.
Authentication flag is enabled at the login page but after the server restart, the authentication is not happening. Do you know if there is anything else that needs to be handled in terms of sling authentication parameters or something else?
Hey @sk09 , I'm back!
Makes sense about the Sling Authentication OSGi config.
I just tried to reproduce the issue:
- Created page: /mysite/us/en/test-auth
- Enabled Authentication from page properties
- Published the page to publisher
- Access page via AEM publish, authentication is triggered.
- Restarted AEM publish
- Access the test-auth.html page again, and the auth is triggered again.
I couldn't reproduce the issue, I'm on AEM 6.5.10. Which version are you on?
I didn't have SAML auth on my local, instead the default auth of AEM. But that shouldn't matter I believe.
Thank you Nikhil for taking time to reproduce the issue.
Here are some more details:
Please see if you can reproduce the issue. It's highly unlikely that it's something to do with the name we use for pages, not sure if AEM has any internal reserved names for login.
No problems buddy.
I tried again:
- AEM publish 6.5.11
- Configured SAML auth
- Created pages (named 'Login', 'login', 'non-login') & marked them as protected ('Authentication required' enabled)
- Confirmed SAML auth being triggered when accessing the protected pages
- Restarted AEM publish
- Still see the SAML auth being triggered.
I couldn't reproduce the issue.
I'm assuming your login page comes under the path configured in SAML 2.0 Authentication Handler OSGi config?
Thanks for your retry on 6.5.11.
Our login page path is the same path that was listed in the saml auth config, that is /content/myApp/us/en/login.
But other pages that have authentication enabled do work after the restart except this login page, which is weird.
I'm assuming you did not provide any closed user groups for the login pages that you had newly created.