Expand my Community achievements bar.

Guidelines for the Responsible Use of Generative AI in the Experience Cloud Community.
SOLVED

Configuring SAML for multiple domain in same Instance AEM 6.1

Avatar

Level 4

We have multiple websites in same instance with different domain. Currently we are using Adobe saml 2.0 configuration for authenticating one of the sites. Now we need have authentication for other domains too. I have tried adding separate adobe saml configurations for each domain. We have single IDP url and separate SPID for each domain and path given for all was "/". while login in to any site, it is redirecting to the url provided in the handler with highest service ranking.

I tried providing the path field according to the domain, (ex. for www.abc.com, path as /content/abc and so), then I am getting below exception.

Caused by: org.apache.sling.api.resource.PersistenceException: Resource at '/saml_login' is not modifiable.

at org.apache.sling.servlets.post.impl.helper.SlingPropertyValueHandler.setProperty(SlingPropertyValueHandler.java:152)

at org.apache.sling.servlets.post.impl.operations.ModifyOperation.writeContent(ModifyOperation.java:411)

at org.apache.sling.servlets.post.impl.operations.ModifyOperation.doRun(ModifyOperation.java:101)

... 126 common frames omitted

Did any one face similar issue? Please advise.

1 Accepted Solution

Avatar

Correct answer by
Employee

If we have single IDP configured, You just need to adjust the 'path' in SAML config to point to other sites.  If we have multiple IDPs, adding new config would make sense then.

Accordingly, you can adjust you rewrite rules, resource Resolver or etc/map configs so that once it goes through the  dispatcher, correct url is resolved and SAML auth handler kicks and invoked the authentication mechanism.

View solution in original post

9 Replies

Avatar

Correct answer by
Employee

If we have single IDP configured, You just need to adjust the 'path' in SAML config to point to other sites.  If we have multiple IDPs, adding new config would make sense then.

Accordingly, you can adjust you rewrite rules, resource Resolver or etc/map configs so that once it goes through the  dispatcher, correct url is resolved and SAML auth handler kicks and invoked the authentication mechanism.

Avatar

Level 4

Hi Kunwar

We are also trying to configure multiple domains with single IDP. Since we have multiple domains and IDP should redirect to URL corresponding to that domain once authenticated so we have configured multiple SAML authentication handler configurations. Each authentication handler is having different SP ID. IDP is trying to redirect to appropriate domain with /saml_login post authentication. But the issue with  multiple configurations we are facing is that second entry starts throwing below error:

09.01.2019 05:51:40.284 *DEBUG* [qtp1545571589-536241] com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: audienceRestrictions violated.

09.01.2019 05:51:40.301 *INFO* [qtp1545571589-536241] com.adobe.granite.auth.saml.SamlAuthenticationHandler Login failed. SAML token invalid.

When keep only 1 of these entries it works fine. This issue is happening only when we have more than 1 entry and 1st entry works fine while second throws this error.

Can you please suggest on how to handle this.

Avatar

Level 4

Hi rajeevy89244319

Can you make sure that the "path" property in the saml configuration is matching with assertion consumer URL in IDP side.

Eg :  if we have two domains www.abc.com with root path /content/abc and www.xyz.com with /content/xyz, then in the saml configuration for www.abc.com path should be conifgured as /content/abc and assertion consumer URL should be as https://www.abc.com/content/abc/saml_login and configure the other domain in similar way. Also configure the default redirect url for both domains as required.

Avatar

Level 4

Hi anushap40132887,

I forgot to update on the this thread. I was able to find the solution and it is exactly what you have mentioned in your Comment.  Endpoint URLS need to have full content path before /saml_login even if the path is shortened on actual website.

Thanks,
Rajeev

Avatar

Level 2

Hi Rajeev,

My problem statement is same as of anushap40132887​.

Till now i had only one domain e.g. www.abc.com  configured in my AEM instance so i have configured path as "/" in my SAML configuration and assertion url as www.abc.com/saml_login. So whenever I access /system/sling/login it was redirecting to IDP and post authentication it was rendering back to www.abc.com.

Now I need to setup say www.xyz.com domain on same AEM instane with same IDP, so i have made two SAML configuration but it is always picking first one. Even if i make request from xyz.com, but it picks first SAML configuration and send request from abc.com.

Early response is much appreciated.

Thanks,

Ashish

Avatar

Level 2

What about path parameter? Actually my login functionality triggers only when user clicks on sign in link not when accessing any particular path. So in Sign in link i invoke /system/sling/login servlet which in turns invoke SAML handler.

Can you please elaborate considering my use case.

Avatar

Level 4

In AEM, under you need to provide content path on which SAML authentication needs to be applied. Also, add the paths in SLing Authentication Service that should not be public and needs to undergo authentication.

Avatar

Level 4

Hi,

Our requirement is similar but when user moves onto other domain, user must not be asked to login again since IDP is same for both domains i.e. user is on a page with domain www.xyz.com and tries to navigate to www.xyz.co.uk user must not be asked to login again since already logged in and has access to co.uk as well. Is it possible? Are there any configurations required at IDP end to achieve this?

We are using Salesforce as Identity Provider.

Any suggestions would be really helpful.

Thanks,

Srikanth Pogula.