Configuring SAML for multiple domains in the same instance, AEM 6.1

anushap40132887

25-05-2018

We have multiple websites in the same instance with different domains. Currently we are using the Adobe SAML 2.0 configuration for authenticating one of the sites. Now we need to have authentication for the other domains too. I have tried adding separate Adobe SAML configurations for each domain. We have a single IDP URL and a separate SPID for each domain, and the path given for all was "/". While logging in to any site, it is redirecting to the URL provided in the handler with the highest service ranking.

I tried providing the path field according to the domain (e.g. for www.abc.com, path as /content/abc, and so on); then I am getting the below exception.

Caused by: org.apache.sling.api.resource.PersistenceException: Resource at '/saml_login' is not modifiable.
at org.apache.sling.servlets.post.impl.helper.SlingPropertyValueHandler.setProperty(SlingPropertyValueHandler.java:152)
at org.apache.sling.servlets.post.impl.operations.ModifyOperation.writeContent(ModifyOperation.java:411)
at org.apache.sling.servlets.post.impl.operations.ModifyOperation.doRun(ModifyOperation.java:101)
... 126 common frames omitted

Did anyone face a similar issue? Please advise.

rajeevy89244319

15-01-2019

Hi Kunwar

We are also trying to configure multiple domains with a single IDP. Since we have multiple domains and the IDP should redirect to the URL corresponding to that domain once authenticated, we have configured multiple SAML authentication handler configurations. Each authentication handler has a different SP ID. The IDP is trying to redirect to the appropriate domain with /saml_login post authentication. But the issue we are facing with multiple configurations is that the second entry starts throwing the below error:

09.01.2019 05:51:40.284 *DEBUG* [qtp1545571589-536241] com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: audienceRestrictions violated.
09.01.2019 05:51:40.301 *INFO* [qtp1545571589-536241] com.adobe.granite.auth.saml.SamlAuthenticationHandler Login failed. SAML token invalid.

When we keep only 1 of these entries it works fine. This issue is happening only when we have more than 1 entry; the 1st entry works fine while the second throws this error.

Can you please suggest how to handle this.
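To make the "audienceRestrictions violated" log line concrete, here is an added Python illustration (not Adobe's code and not from either post): each handler checks that its own SP entity ID appears among the assertion's Audience values, so an assertion the IdP issued for one site's SP ID is rejected by a handler configured with a different SP ID. The entity IDs and the assertion XML are constructed samples.

```python
"""Audience-restriction check that explains the "audienceRestrictions violated" log line.

Added illustration, not AEM's implementation. The IdP writes the SP entity ID
the assertion was issued for into <Conditions>/<AudienceRestriction>; a
handler whose configured SP entity ID is not listed must reject the assertion,
which is what the DEBUG line in the post reports for the second handler.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion, as an IdP might issue it for the first site's SP ID.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
  <saml:Issuer>https://idp.example.com/idp</saml:Issuer>
  <saml:Conditions NotBefore="2019-01-09T05:50:00Z" NotOnOrAfter="2019-01-09T05:55:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://www.abc.example/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def audiences(assertion_xml):
    """Return every <Audience> value found under <Conditions>/<AudienceRestriction>."""
    root = ET.fromstring(assertion_xml)
    path = "saml:Conditions/saml:AudienceRestriction/saml:Audience"
    return [a.text.strip() for a in root.findall(path, NS) if a.text]


def audience_restriction_satisfied(assertion_xml, sp_entity_id):
    """True only if this handler's SP entity ID is one of the assertion's audiences.

    The SAML 2.0 Web Browser SSO profile requires every bearer assertion to carry
    an AudienceRestriction naming the SP, so an assertion with none is rejected
    too. This is the control that stops an assertion minted for one site from
    being accepted by a second handler on the same instance.
    """
    return sp_entity_id in audiences(assertion_xml)


def check_handlers(assertion_xml, handler_sp_ids):
    """Evaluate one assertion against each configured handler (domain -> SP entity ID)."""
    return {domain: audience_restriction_satisfied(assertion_xml, sp_id)
            for domain, sp_id in handler_sp_ids.items()}


if __name__ == "__main__":
    # Two handlers with distinct SP IDs, as described in the thread (constructed values).
    handlers = {"www.abc.example": "https://www.abc.example/sp",
                "www.xyz.example": "https://www.xyz.example/sp"}
    for domain, ok in check_handlers(SAMPLE_ASSERTION, handlers).items():
        print(f"{domain}: {'accepted' if ok else 'audienceRestrictions violated'}")
```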