
SOLVED

AEM SAML login


Level 2

Hi,

I've configured the SAML2.0 Authentication Handler and Referrer Filter in our Author instance and the SAML configuration seems to be working fine, so long as the user goes to the root directory of our Author environment, e.g. https://server-name/

However, if the user goes directly to the login URL of our Author environment, e.g. https://server-name/libs/granite/core/content/login.html

SAML is bypassed completely and the user gets the usual login screen of Author without being redirected to the IdP for login via SAML.

I'm trying to find out why this is happening.

Is there some other configuration that I need to have in place for it to enforce SAML login, even if the user is not pointing to the root URL of the server?

In my SAML 2.0 Authentication Handler I have specified / as the setting for Path.  I was hoping that this would ensure SAML login to be enforced for everything below https://server-name/

Any guidance on this would be appreciated.

Thanks!

1 Accepted Solution


Correct answer by
Level 2

Yes, confirmed! I've found out that the Sling Authentication Service provides a place to exclude specific URLs from authentication. One of those URLs is the Author login page itself. It makes sense now that I think it through. Our SAML authentication is activated when the user hits our Author instance at /. We can close this question now, mystery solved.


5 Replies


Level 10

See this end to end AEM SAML article: Integrating SAML with Adobe Experience Manager

Looks like in your case, something is not configured properly.


Level 10

Also, see this GEMS session on this subject; this may help.

Utilizing SAML in AEM deployments


Employee

I think this is working as expected, as there might be an entry under the Sling Authentication Service that lets you log in to the direct URL and skips the SAML authentication by default.



Level 1

You can remove the anonymous access for this page and this should be redirected to authentication.
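The accepted solution and the last reply both come down to the same mechanism: the Sling Authentication Service keeps a list of path rules (`+path` requires authentication, `-path` exempts it), and the most specific matching rule wins, so an exemption for the login page beats the `+/` rule that the SAML handler relies on. The model below is an added example written for this thread; it is not AEM or Sling code. The rule list is a constructed sample in the `sling.auth.requirements` format (the `/libs/cq/core/content/login` entry is assumed), and the matching logic approximates Sling's longest-prefix behaviour, where a rule matches its exact path, a sub-path, or the path with a selector or extension appended.

```python
"""Model of Sling path-based authentication requirements (added example).

Not AEM or Sling code: the rule list is a constructed sample and the
matching function is an approximation of the real service's semantics.
"""
from typing import List, Optional, Tuple

# Constructed sample in the '+path' / '-path' format Sling uses:
#   '+' = authentication required below this path
#   '-' = path exempt from authentication (anonymous access allowed)
SAMPLE_REQUIREMENTS = [
    "+/",
    "-/libs/granite/core/content/login",   # the Author login page from the thread
    "-/libs/cq/core/content/login",        # assumed additional exemption
]


def _matches(rule_path: str, request_path: str) -> bool:
    """Prefix match on a segment boundary: the rule covers the exact path,
    any sub-path, and the path with selectors/extension (login.html)."""
    if rule_path == "/":
        return request_path.startswith("/")
    if not request_path.startswith(rule_path):
        return False
    if len(request_path) == len(rule_path):
        return True
    # Next character must start a new segment ('/') or a selector/extension ('.'),
    # so '/libs/.../loginx' is NOT covered by the '/libs/.../login' rule.
    return request_path[len(rule_path)] in "/."


def decide(request_path: str,
           requirements: List[str] = SAMPLE_REQUIREMENTS) -> Tuple[bool, Optional[str]]:
    """Return (auth_required, winning_rule) for a request path.

    The longest matching rule path wins. With no matching rule at all this
    model treats the request as not requiring authentication.
    """
    best: Optional[Tuple[int, bool, str]] = None
    for rule in requirements:
        sign, path = rule[0], rule[1:]
        if sign not in "+-" or not path.startswith("/"):
            raise ValueError(f"malformed requirement: {rule!r}")
        if _matches(path, request_path) and (best is None or len(path) > best[0]):
            best = (len(path), sign == "+", rule)
    if best is None:
        return False, None
    return best[1], best[2]


def auth_required(request_path: str,
                  requirements: List[str] = SAMPLE_REQUIREMENTS) -> bool:
    """Convenience wrapper: does this path need an authenticated session?"""
    return decide(request_path, requirements)[0]


def without_exemption(requirements: List[str], exempt_path: str) -> List[str]:
    """Return a copy of the rules with the '-exempt_path' entry dropped, which is
    what the last reply proposes: the login page then falls back under '+/'."""
    return [r for r in requirements if r != "-" + exempt_path]


if __name__ == "__main__":
    for p in ["/", "/content/site.html",
              "/libs/granite/core/content/login.html",
              "/libs/granite/core/content/loginx.html"]:
        print(p, "->", decide(p))
    hardened = without_exemption(SAMPLE_REQUIREMENTS, "/libs/granite/core/content/login")
    print("after removing exemption:",
          decide("/libs/granite/core/content/login.html", hardened))
```

Running the script shows why the original poster saw the local login form: `/libs/granite/core/content/login.html` is matched by both `+/` and the longer `-/libs/granite/core/content/login` rule, and the longer rule decides that no authentication is needed, so the SAML handler is never consulted. Dropping that exemption makes `+/` the winning rule again for the same path.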