AEM SSO - Signin issue

srikanthp689160
Level 3

30-09-2019

Hi,

We are trying to implement SSO in our application using the OOTB SAML handler.

Below is the AEM infrastructure architecture (publish):

2 Publishers

2 Dispatchers

Dispatcher Load Balancer

2 F5

F5 Load Balancer

Azure CDN

The issue we are facing is this: once the user successfully logs in, we display the user's first name in the header section of the page under the user icon/avatar. But when the user navigates to other pages within the application, the userid comes back as "anonymous".

We have enabled user synchronization between the publishers, and once the user is successfully authenticated, the user node gets created in both publishers.

Sticky session configuration is enabled in the publish dispatchers.

Is there anything else that needs to be done so that once the user is authenticated, the session remains active?

Replies

jbrar
Employee

30-09-2019

Setup looks good. User sync will take 30-40 seconds to sync the user; are you trying to browse different pages after some time?

Also, are you securing only a particular subset of the pages using the path field in the SAML handler? Is the new page outside of that path?

srikanthp689160
Level 3

30-09-2019

Hi JaideepBrar,

Yes, we are securing only a subset of pages; the path field in the SAML handler and the Apache Sling Authentication Service are configured with /content/mycompany/xyz/signin only, because of the two reasons below:

1. When a user tries to access a secure page, they must be taken to an intermediate page (business requirement) where they are shown a message that they need to sign in or sign up to access the page.

2. Our organization has multiple business units (BUs) which have secure folders; instead of configuring multiple paths under Apache Sling Authentication, we are trying to route it through the /content/mycompany/xyz/signin page.

Premkarthic-7WP
Level 3

30-09-2019

My guess is that the content might get cached at the dispatcher/CDN level; while serving the content, it may come from your dispatcher or CDN cache.

Try to load that particular header component, where you include the logged-in username, dynamically, either by using Sling Dynamic Include (Set up Sling Dynamic Include) or a simple AJAX call, if your setup allows caching authorized content.

If you don't want to cache the authorized content, please set the TTL to zero at the CDN level and also block the pages from caching at the dispatcher level for the required content tree. You can leverage ACS Commons (Dispatcher TTL) or you can use TTL headers at page level.

If your requirement allows caching the authorized content, then you can look at permission-sensitive caching (Caching Secured Content) along with Sling Dynamic Include for showing dynamic content like the username, user profile attributes, etc.

Hope this helps.
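The dispatcher-side part of this advice, as an added example that is not from the thread or from Adobe's documentation: a dispatcher.any cache fragment that keeps the secured content tree out of the shared cache and leaves /allowAuthorized at its default of 0, so a page rendered for an authenticated user (with their name in the header) is never served to the next visitor. The secured path below is a constructed placeholder; the docroot is assumed.

```conf
/cache {
  /docroot "/var/www/html"

  /rules {
    # Cache everything by default ...
    /0000 { /glob "*" /type "allow" }
    # ... except the secured trees. Placeholder path: substitute each BU's
    # secure folder. Requests here always go through to the publisher.
    /0001 { /glob "/content/mycompany/xyz/secure/*" /type "deny" }
  }

  # 0 (the default) tells the dispatcher not to cache a response to any request
  # that carries authentication information (an Authorization header or an
  # auth cookie such as login-token). Setting it to 1 makes a logged-in user's
  # personalised page cacheable for everyone; leave it at 0 unless
  # permission-sensitive caching (the auth checker) is configured.
  /allowAuthorized "0"

  # Honour Cache-Control / Expires headers set per page (for example through the
  # ACS Commons Dispatcher TTL feature), needed for a zero TTL on selected pages.
  /enableTTL "1"
}
```

A quick check after deploying: request a secured page twice with the login-token cookie and confirm no file appears under the docroot for that path, then request a public page anonymously and confirm it is written to the cache.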

srikanthp689160
Level 3

01-10-2019

Thanks Prem.

One follow-up question while I am trying the above approach: is sticky session configuration at the dispatcher mandatory in the case of multiple publish instances?

If we remove the sticky session configuration, an infinite loop issue comes up when trying to log in, where the URL in the browser address bar flickers between the AEM URL and the IDP URL.

Am I missing anything here?

Thanks & Regards,

Srikanth Pogula.

Premkarthic-7WP
Level 3

01-10-2019

Yes Srikanth, you should have sticky sessions, or you can use the encapsulated token as an alternative if you expect the user sync to happen without any delay (Encapsulated Token Support). Better to go with both; sometimes Sling distribution is delayed due to unexpected issues. For the encapsulated token as well, the user should be available on both publish instances.

Hope this helps.

Santhi_Swaroop
Level 2

01-10-2019

Srikanth, if you already have an F5 load balancer, try not to do load balancing at the dispatchers, as it makes things complex. If you are able to configure sticky sessions at the F5 load balancer based on the login-token cookie, I think there is no need to sync users with Sling distribution and encapsulated tokens.