AEM6.3.3 + OKTA Integration

_SumitSinghal

22-08-2019

Hi Team,

I am facing an issue with multiple SAML configurations for our project with one IDP certificate.

I followed the steps mentioned in the link below but no luck.

Multiple SAML configurations

On successful authentication, it redirects to http://localhost/saml_login instead of the path configured in the Assertion Consumer URL, i.e. http://localhost/content/abc/saml_login

What can be the issue, or is there any configuration which needs to be done to handle multiple domains with multiple SAML configurations?

Thanks in advance

Replies

jbrar

Employee

22-08-2019

You need to configure the same Assertion Consumer URL on the OKTA side. Sometimes it's labeled as destination URL. The Assertion URL in AEM should match what's set on the OKTA side.

_SumitSinghal

22-08-2019

Hi Jaideep,

Thank you for sharing more insight.

Yes, I already put the Assertion Consumer URL on the OKTA side, but it still redirects to the default saml_login.

Do you see anything else which needs to be looked at?

Thank you

jbrar

Employee

23-08-2019

Can you check if the path property is set as per the ACS:

If path: / then ACS should be <SP>/saml_login

If the path: /content then ACS should be <SP>/content/saml_login

Check [1] for more details

[1] https://labs.tadigital.com/index.php/2017/10/10/saml-single-sign-on-sso-for-aem-authorpublish-part-2...

_SumitSinghal

03-09-2019

Hi,

Thank you for sharing such a nice document.

I followed all the steps, still no luck.

Actually, I set the path to "/content/abc" and the Assertion URL to "http://localhost:4503/content/abc/saml_login" in the SAML configuration. When I hit the path localhost:4503/content/abc.html it never redirects to the IDP URL; instead it renders the content page.

Do you have any context on why the path /content/abc is not working and redirecting to the OKTA page for authentication?

Thanks

jbrar

Employee

04-09-2019

Reading the description, it looks like the page "/content/abc.html" does not require authentication. SAML will only be triggered on pages which anonymous users do not have access to.

Also, check if you have excluded "/content/abc.html" from the authentication requirement.

[1] http://<host>:<port>/system/console/configMgr/org.apache.sling.engine.impl.auth.SlingAuthenticator
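To make the two checks in this thread concrete (the ACS URL derived from each handler's path property, and whether the requested page requires authentication at all), here is an added Python model that is not from the thread or from AEM itself. The SP URL, handler paths, IdP ACS values and sling.auth.requirements entries are constructed samples, and longest-prefix-wins matching is an assumption about how the Sling authenticator resolves '+'/'-' entries.

```python
"""Model of the two checks raised above (added example, not AEM code):
(1) the ACS URL set on the IdP must equal <SP> + handler path + '/saml_login';
(2) the SAML handler only fires when Sling's authentication requirements say
the requested path needs authentication. Longest-prefix-wins resolution of
handler paths and of '+'/'-' requirement entries is an assumption."""

# Constructed sample data mirroring the thread.
SP = "http://localhost:4503"
SAML_HANDLER_PATHS = ["/", "/content/abc"]
IDP_ACS_URLS = {                       # what was configured on the IdP side
    "/": "http://localhost:4503/saml_login",
    "/content/abc": "http://localhost:4503/saml_login",  # wrong: lacks handler path
}
AUTH_REQUIREMENTS = ["+/content/abc", "-/content/abc/public"]  # sling.auth.requirements


def expected_acs(sp, handler_path):
    """ACS URL a handler mounted at handler_path expects (jbrar's rule)."""
    return sp.rstrip("/") + handler_path.rstrip("/") + "/saml_login"


def acs_mismatches(sp, handler_paths, idp_acs):
    """Map handler path -> (configured ACS, expected ACS) for every mismatch."""
    return {p: (idp_acs.get(p), expected_acs(sp, p))
            for p in handler_paths if idp_acs.get(p) != expected_acs(sp, p)}


def _matches(prefix, path):
    prefix = prefix.rstrip("/")
    return prefix == "" or path == prefix or path.startswith(prefix + "/")


def resource_path(request_path):
    """Drop selectors/extension, e.g. /content/abc.html -> /content/abc (simplified)."""
    return request_path.split(".", 1)[0]


def handler_for(handler_paths, request_path):
    """Longest handler path that is a prefix of the requested resource."""
    path = resource_path(request_path)
    hits = [p for p in handler_paths if _matches(p, path)]
    return max(hits, key=len) if hits else None


def requires_auth(requirements, request_path):
    """Longest matching entry decides; '+' requires auth, '-' exempts, none = anonymous ok."""
    path, best = resource_path(request_path), None
    for entry in requirements:
        sign, prefix = entry[0], entry[1:]
        if _matches(prefix, path) and (best is None or len(prefix) > len(best[1])):
            best = (sign, prefix)
    return best is not None and best[0] == "+"
```

With these samples, `/content/abc.html` is owned by the `/content/abc` handler and does require authentication, while the IdP's ACS for that handler is flagged as a mismatch.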