Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.

Browser is not adding login-token Cookie (Session Cookie) into subsequent requests

Avatar

Level 2

I am trying to integrate AEM with SAML. We are currently using a different IDP ( Call it IDP-OLD) and moving to a new IDP ( IDP-New).

While integrating with IDP-OLD, the SAML Assertion Consumption URL was /content/saml_login. This Servlet created a cookie which was login-token which is httponly secure;. This cookie was sent back in all the remaining request by browser and AEM identified the token and considered the user as logged in.

While testing with IDP-NEW System, when IDP sends SAML Assertion to /saml_login, same login-token cookie is generated which is httponly and secure

Unfortunately this login-token cookie is not sent back by browser in the subsequent requests, which makes AEM thinks that the user is not logged in.

Both servers are HTTPS and secure.

Can anyone help me what could be the issue here?

5 Replies

Avatar

Employee Advisor

Few items to look for :

- As per assertion, cookie is invalidated.

- It might be permission issue either for the path or user. Check 'Apache Sling Authentication Service' and SAML Authentication Handler configuration having the default group.

- Check permissions for 'authentication-service' user

Thanks,

Wasil

[1] SAML 2.0 Authentication Handler

Avatar

Level 2

The issue is not with assertion or handler. AEM is working fine with generating the login-token. It is set in response header. Since token is set in response header, browser should attached that in subsequent requests. which is not happening. I am not sure why Browser is doing this for one IDP and not for another.

Avatar

Level 10

IS this behavior observed in all browsers?

Avatar

Level 2

Yes Scott. This is happening in both chrome and Firefox. These are only two I tried.

I'm my understanding the AEM is behaving as expected but due to some security issue, the browser does not add the cookie in session and neither in subsequent requests.

Hi @nishantg8362837 we are also facing similar type of issue. How did you solved this issue