Expand my Community achievements bar.

SOLVED

AEM Page Authentication property does not enforce SAML Authentication after every restart

Avatar

Level 2

Hi There,

I'm experiencing an issue in AEM with the SAML Aunthentication. It goes like this: We have a login page, Enable check under "Authentication Requirement" is enabled. We do have SAML configuration setup with the IDP. After the code is deployed, when we click on the Login button (pointing to /content/myProject/us/en/login.html), the expected IDP SSO login page shows up as per the SAML configuration, everything works as expected.


But when we bounce the publisher server, after the server restarts and when we access the application home page and click on login button. The expected IDP SSO login page doesn't show up as per the SAML config.  In our QA, UAT environments, whenever the code is deployed, Ops team restarts the publisher servers and that's how this issue came into light. 

As a workaround, we have told the team to open the login page properties, disable the authentication checkbox, save the change. Open the login page again, Enable the authentication checkbox, save change. If we do this, then the login button works and shows the IDP login page.

 

Can someone let me know why the authentication property is not being considered by AEM after restart, why we are being forced to set this property manually after every restart. Please let me know if we are missing anything here.

Anybody can throw some light here, will be greatly appreciated.

1 Accepted Solution

Avatar

Correct answer by
Community Advisor

Hi,

Is your login page is accessible by anonymous user? If not then login page won't show.

 open the login page properties, disable the authentication checkbox, save the change.


Arun Patidar

View solution in original post

12 Replies

Avatar

Community Advisor

@sk09 do you see any error in the logs. Can you share it

Avatar

Level 2

Hi,

There was no error seen in the logs, unless some specific debug logs enabled on some out-of-the-box apis, we don't see any error.

Avatar

Correct answer by
Community Advisor

Hi,

Is your login page is accessible by anonymous user? If not then login page won't show.

 open the login page properties, disable the authentication checkbox, save the change.


Arun Patidar

Avatar

Level 2

Hi,

We have a home page that is accessible to everyone, it has the link to Login. When the user clicks on login, IDP login page as per the saml configuration would be displayed. Once the user is successfully authenticated through IDP, the user will be navigated to the dashboard page.

 

Avatar

Level 5

That's a weird one.

When authentication checkbox is enabled, a property for granite:AuthenticationRequired is set on that page node:

Screen Shot 2022-07-20 at 3.46.52 pm.png

 

Do you see this property on the page after restart?

Avatar

Level 2

Hi,

Thanks for your response.

After the restart, I opened the page in the browser and verified the page properties in the Advanced tab and could see that the Authentication Requirement checkbox is  still Enabled. But somehow when I click on login, SAML authentication IDP login page does not display, that's weird.
When I manually disable the checkbox, save and enable the checkbox and save, then it works as expected.
Not sure what am I missing here, I would assume we don't have to do anything with respect to the server startup script in terms of sling authentication.

Avatar

Level 5

Typically when I need to protect pages and mandate authentication, I use the Apache Sling Authenticatiopn Service OSGi config:

Screen Shot 2022-07-21 at 10.08.00 am.png

 

In the 'Authentication Requirements' property, I add the paths that I want or don't want to protect. For example in the above screenshot: /content/mysite/mypage is protected and will require authentication to access it.

Whereas, /libs/granite/core/content/login is open to public, which is the login page.

 

OSGi configs can be persisted in code base and I'd say more reliable. I'd suggest to give this a try, I never faced such as issue with this approach.

Avatar

Level 2

Thank you Nikhil for your quick suggestion.

Since Sling Authentication osgi service is a global setting, and we do have other applications deployed in the same AEM server, we were not adding our application specific login page path here.

Authentication flag is enabled at the login page but after the server restart, the authentication is not happening. Do you know if there is anything else that needs to be handled in terms of sling authentication parameters or something else?

 

Avatar

Level 5

Hey @sk09 , I'm back!

Makes sense about the Sling Authentication OSGi config.

I just tried to reproduce the issue:

- Created page: /mysite/us/en/test-auth

- Enabled Authentication from page properties

- Published the page to publisher

- Access page via AEM publish, authentication is triggered.

- Restarted EM publish

- Access the test-auth.html page again, and the auth is triggered again.

 

I couldn't reproduce the issue, I'm on AEM 6.5.10. Which version are you on?

 

I didn't have SAML auth on my local, iunstead the default auth of AEM. But that shouldn't matter I believe.

Avatar

Level 2

Thank you Nikhil for taking time to reproduce the issue.

Here are some more details: 

  • I'm using AEM version 6.5.11
  • I understand that you tried in local, but it's worth to check in a publish instance with SAML auth. Not sure having saml auth might trigger the issue.
  • The interesting thing is that even after the server restart, other pages which have authentication enabled property, when we access those pages, it's working. IDP page gets displayed as per saml. It's just that particular login page auth does not work  
    Please try once creating a login page with title as "Login" (enter as-is) and automatically the path comes like /content/myApp/us/en/login and enable the authentication checkbox.

Please see if you can reproduce the issue. It's highly unlikely that it's something to do with the name we use for pages, not sure if AEM has anything internal reserved names for login.

Avatar

Level 5

No problems buddy.

I tried again:

- AEM publish 6.5.11

- Configured SAML auth

- Created pages named 'Login', 'login', 'non-login') & marked them as protected ('Authentication required' enabled)

- Confirmed SAML auth being triggered when accessing the protected pages

- Restarted AEM publish

- Still see the SAML auth being triggered.

 

I couldn't reproduce the issue  

 

I'm assuming your login page comes under the path configured in SAML 2.0 Authentication Handler OSGi config?

Avatar

Level 2

Thanks for your retry on 6.5.11.

Our login page path is the same path that was listed in the saml auth config, that is /content/myApp/us/en/login.

But other pages that has authentication enabled do work after the restart except this login page, which is weird.

I'm assuming you did not provide any closed user groups for the login pages that you had newly created.