Expand my Community achievements bar.

July 31st AEM Gems Webinar: Elevate your AEM development to master the integration of private GitHub repositories within AEM Cloud Manager.

AEM SSO - Signin issue


Level 4


We are trying to implement SSO in our application using OOTB SAML Handler.

Below is the AEM infrastructure architecture(publish)

2 Publishers

2 Dispatchers

Dispatcher Load Balancer

2 F5

F5 Load Balancer

Azure CDN

The issue which we are facing is, once user successfully logs in we are displaying user first name in header section of page under user icon/avatar. But when user navigates to other pages within the application userid is coming as "anonymous".

We have enabled user synchronization between publishers and once user is successfully authenticated, user node gets created in both publishers.

Sticky session configuration is enabled in publish dispatchers.

Is there anything else that needs to be done so that once user is authenticated, the session remains active?

6 Replies


Employee Advisor

Setup looks good. User sync will take 30-40 seconds to sync the user, are you trying to browse different pages after sometime?

Also, Are you securing only a particular subset of the pages using the path field in SAML handler? Is the new page ouside of that path?


Level 4

Hi JaideepBrar,

Yes, we are securing only subset of pages, pathfield in SAML Handler and Apache Sling Authentication Service is configured with /content/mycompany/xyz/signin only because of below two reasons

1. User when trying to access a secure page must be taken to an intermediate page(business requirement) where he is shown a message that he/she needs to Signin or Signup to access the page.

2. Our organization has multiple business units(BU) which has secure folders, instead of configuring multiple paths under Apache Sling Authentication, we are trying to route it through /content/mycompany/xyz/signin page


Level 4

My guess is that content might get cached at dispatcher/CDN level, while serving the content it may come from your dispatcher or cdn cache.

Try to load that particular header component where you include the logged in username dynamically either by using sling dynamic include (Set up Sling Dynamic Include ) or simple ajax call if your setup allows caching authorized content.

If you don't want to cache the authorized content, please make the TTL as zero at CDN level and also block the pages from caching at dispatcher level for the required content tree.  You can leverage acs commons (Dispatcher TTL ) or you can use ttl headers at page level.

If in case you are requirement allows to cache the authorized content then you can look for permission sensitive caching (Caching Secured Content ) along with sling dynamic include for showing the dynamic contents like username, user profile attributes etc.

Hope this might helps.


Level 4

Thanks Prem.

One follow up question while I am trying the above approach - Are sticky session configuration at dispatcher mandatory in case of multiple publish instances?

If we remove sticky session configuration, when trying to login infinite loop issue is coming up where the url in browser address bar flickers between AEM url and IDP url.

Am I missing anything here?

Thanks & Regards,

Srikanth Pogula.


Level 4

Yes Srikant you should have sticky session or you can you can use encapsulated token as an alternative if you expect the user sync going to be happen without any delay. Encapsulated Token Support. Better go with both. sometimes sling distribution delayed due to unexpected issues. For encapsulated token also user should  avilable on both the publish.

hope this helps.


Level 3

Srikanth, If you already have F5 load balancer, try not to do load balancing at dispatchers as it makes things complex. If you are able to configure sticky session at F5 load balancer based on login-token cookie, I think there is no need to sync users with sling distribution and encapsulated token