Adobe Experience Manager Sites & More

nishantg8362837 · 12/27/18

I am trying to integrate AEM with SAML. We are currently using a different IDP ( Call it IDP-OLD) and moving to a new IDP ( IDP-New).

While integrating with IDP-OLD, the SAML Assertion Consumption URL was /content/saml_login. This Servlet created a cookie which was login-token which is httponly secure;. This cookie was sent back in all the remaining request by browser and AEM identified the token and considered the user as logged in.

While testing with IDP-NEW System, when IDP sends SAML Assertion to /saml_login, same login-token cookie is generated which is httponly and secure

Unfortunately this login-token cookie is not sent back by browser in the subsequent requests, which makes AEM thinks that the user is not logged in.

Both servers are HTTPS and secure.

Can anyone help me what could be the issue here?

wasil_z · 12/27/18

Few items to look for :

- As per assertion, cookie is invalidated.

- It might be permission issue either for the path or user. Check 'Apache Sling Authentication Service' and SAML Authentication Handler configuration having the default group.

- Check permissions for 'authentication-service' user

Thanks,

Wasil

[1] SAML 2.0 Authentication Handler

nishantg8362837 · 12/27/18

The issue is not with assertion or handler. AEM is working fine with generating the login-token. It is set in response header. Since token is set in response header, browser should attached that in subsequent requests. which is not happening. I am not sure why Browser is doing this for one IDP and not for another.

smacdonald2008 · 12/27/18

IS this behavior observed in all browsers?

nishantg8362837 · 12/27/18

Yes Scott. This is happening in both chrome and Firefox. These are only two I tried.

I'm my understanding the AEM is behaving as expected but due to some security issue, the browser does not add the cookie in session and neither in subsequent requests.