Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
BedrockMission!

Learn more

View all

Sign in to view all badges

SOLVED

Configuring SAML for multiple domain in same Instance AEM 6.1

anushap40132887
Level 4
Level 4

We have multiple websites in same instance with different domain. Currently we are using Adobe saml 2.0 configuration for authenticating one of the sites. Now we need have authentication for other domains too. I have tried adding separate adobe saml configurations for each domain. We have single IDP url and separate SPID for each domain and path given for all was "/". while login in to any site, it is redirecting to the url provided in the handler with highest service ranking.

I tried providing the path field according to the domain, (ex. for www.abc.com, path as /content/abc and so), then I am getting below exception.

Caused by: org.apache.sling.api.resource.PersistenceException: Resource at '/saml_login' is not modifiable.

at org.apache.sling.servlets.post.impl.helper.SlingPropertyValueHandler.setProperty(SlingPropertyValueHandler.java:152)

at org.apache.sling.servlets.post.impl.operations.ModifyOperation.writeContent(ModifyOperation.java:411)

at org.apache.sling.servlets.post.impl.operations.ModifyOperation.doRun(ModifyOperation.java:101)

... 126 common frames omitted

Did any one face similar issue? Please advise.

1 Accepted Solution
Kunwar
Correct answer by
Employee
Employee

If we have single IDP configured, You just need to adjust the 'path' in SAML config to point to other sites.  If we have multiple IDPs, adding new config would make sense then.

Accordingly, you can adjust you rewrite rules, resource Resolver or etc/map configs so that once it goes through the  dispatcher, correct url is resolved and SAML auth handler kicks and invoked the authentication mechanism.

View solution in original post

9 Replies
Kunwar
Correct answer by
Employee
Employee

If we have single IDP configured, You just need to adjust the 'path' in SAML config to point to other sites.  If we have multiple IDPs, adding new config would make sense then.

Accordingly, you can adjust you rewrite rules, resource Resolver or etc/map configs so that once it goes through the  dispatcher, correct url is resolved and SAML auth handler kicks and invoked the authentication mechanism.

View solution in original post

rajeevy89244319
Level 3
Level 3

Hi Kunwar

We are also trying to configure multiple domains with single IDP. Since we have multiple domains and IDP should redirect to URL corresponding to that domain once authenticated so we have configured multiple SAML authentication handler configurations. Each authentication handler is having different SP ID. IDP is trying to redirect to appropriate domain with /saml_login post authentication. But the issue with  multiple configurations we are facing is that second entry starts throwing below error:

09.01.2019 05:51:40.284 *DEBUG* [qtp1545571589-536241] com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: audienceRestrictions violated.

09.01.2019 05:51:40.301 *INFO* [qtp1545571589-536241] com.adobe.granite.auth.saml.SamlAuthenticationHandler Login failed. SAML token invalid.

When keep only 1 of these entries it works fine. This issue is happening only when we have more than 1 entry and 1st entry works fine while second throws this error.

Can you please suggest on how to handle this.

anushap40132887
Level 4
Level 4

Hi rajeevy89244319

Can you make sure that the "path" property in the saml configuration is matching with assertion consumer URL in IDP side.

Eg :  if we have two domains www.abc.com with root path /content/abc and www.xyz.com with /content/xyz, then in the saml configuration for www.abc.com path should be conifgured as /content/abc and assertion consumer URL should be as https://www.abc.com/content/abc/saml_login and configure the other domain in similar way. Also configure the default redirect url for both domains as required.

rajeevy89244319
Level 3
Level 3

Hi anushap40132887,

I forgot to update on the this thread. I was able to find the solution and it is exactly what you have mentioned in your Comment.  Endpoint URLS need to have full content path before /saml_login even if the path is shortened on actual website.

Thanks,
Rajeev

ashisht85509954
Level 2
Level 2

Hi Rajeev,

My problem statement is same as of anushap40132887​.

Till now i had only one domain e.g. www.abc.com  configured in my AEM instance so i have configured path as "/" in my SAML configuration and assertion url as www.abc.com/saml_login. So whenever I access /system/sling/login it was redirecting to IDP and post authentication it was rendering back to www.abc.com.

Now I need to setup say www.xyz.com domain on same AEM instane with same IDP, so i have made two SAML configuration but it is always picking first one. Even if i make request from xyz.com, but it picks first SAML configuration and send request from abc.com.

Early response is much appreciated.

Thanks,

Ashish

ashisht85509954
Level 2
Level 2

What about path parameter? Actually my login functionality triggers only when user clicks on sign in link not when accessing any particular path. So in Sign in link i invoke /system/sling/login servlet which in turns invoke SAML handler.

Can you please elaborate considering my use case.

rajeevy89244319
Level 3
Level 3

In AEM, under you need to provide content path on which SAML authentication needs to be applied. Also, add the paths in SLing Authentication Service that should not be public and needs to undergo authentication.

srikanthp689160
Level 4
Level 4

Hi,

Our requirement is similar but when user moves onto other domain, user must not be asked to login again since IDP is same for both domains i.e. user is on a page with domain www.xyz.com and tries to navigate to www.xyz.co.uk user must not be asked to login again since already logged in and has access to co.uk as well. Is it possible? Are there any configurations required at IDP end to achieve this?

We are using Salesforce as Identity Provider.

Any suggestions would be really helpful.

Thanks,

Srikanth Pogula.