SOLVED

Custom login and Stateless session for SAML integrated AEM


Level 2

Hi All,

I have a design where a mobile app (written in Angular 6) interacts with AEM (which is SAML integrated) to get fragments from AEM.

What is happening?

When the mobile app authenticates a user on AEM, AEM redirects the user to the SAML login page, and in turn AEM returns a login token to the mobile app after successful authentication from SAML (SiteMinder).

Then we have to write a custom login handler to handle this session, and along with this we need to store some data in the same session.

Here are my two questions:

1) How do I write a custom login handler to handle this session for SAML-integrated AEM?

2) My session, which I assume is stateful, I want to be a stateless session. Please let me know two things here: first, how to change it to stateless, and second, how to find out whether a session is stateful or stateless?

One more piece of information would help me: what is the basic difference between these two (stateless and stateful) from a design perspective? I am aware of the encapsulated token approach.

feike_visser


5 Replies


Employee Advisor

Hi,

At the moment it is not clear to me whether the authentication is already working for you as you described. Can you please confirm? You should not need to write custom login functionality using SAML (it's there OOTB in the product).

Regarding your second question: AEM knows nothing about your user object in the first place, it just has a SAML token (cookie); and it does not need to maintain a persistent state (session) to work with it.

Jörg


Level 2

First Point:

I understand that it is OOTB to handle the session, but I have a use case where we need to store some data in the current session (the SAML-authenticated session) and send the login token + data back to the mobile application which calls AEM.

For second point:

Scenario: the mobile app opens a session with AEM, and the session timeout is 72 hours in the mobile app. But in AEM we do not want to keep the session open for so long.

So I wanted to know how to handle this scenario.


Correct answer by
Employee Advisor

Hi,

OK, in that case it has nothing to do with SAML, but you need to store some data in a server-side session (which happens to belong to an authenticated user).

A session of 72h is quite long, and I would not allow such long HTTP sessions; you might want to create a dedicated session store outside of AEM, which can hold this data.
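As an added example (not code from this thread, from Adobe, or from AEM), the two designs the question asks about (stateful vs. stateless) alongside the advice above. The stateful half is an in-memory stand-in for the "dedicated session store outside of AEM": the client holds only an opaque random id, the data stays server-side, and the store enforces its own short TTL regardless of the mobile app's 72-hour timeout. The stateless half is an "encapsulated token": the data travels inside an HMAC-signed, base64-encoded token with an expiry, so the server keeps nothing. The store class, the key, the TTL values and the injected clock are all assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


# --- Stateful design: opaque session id, data held server-side in a store outside AEM ---
class SessionStore:
    """In-memory stand-in for a dedicated session store (e.g. a cache cluster).
    Constructed for this example; `clock` is injectable so tests can fast-forward time."""

    def __init__(self, ttl_seconds, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self._sessions = {}

    def create(self, user, data):
        # The client only ever sees a random, unguessable id; nothing about the user leaks into it.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "data": data, "expires": self.clock() + self.ttl}
        return sid

    def lookup(self, sid):
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self.clock() >= entry["expires"]:
            # The server decides the lifetime, not the mobile app's 72h; expired entries are dropped.
            del self._sessions[sid]
            return None
        return {"user": entry["user"], "data": entry["data"]}

    def revoke(self, sid):
        # Stateful sessions can be invalidated immediately (logout, compromise) because state exists.
        return self._sessions.pop(sid, None) is not None


# --- Stateless design: encapsulated token, data travels with the client, integrity via HMAC ---
def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key, user, data, ttl_seconds, now=None):
    """Build `<base64 payload>.<base64 hmac>`. The payload is encoded, not encrypted:
    anything placed in `data` is readable by the client, so keep secrets out of it."""
    now = time.time() if now is None else now
    payload = json.dumps(
        {"user": user, "data": data, "exp": now + ttl_seconds},
        separators=(",", ":"), sort_keys=True,
    ).encode()
    body = _b64(payload)
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(key, token, now=None):
    """Return the embedded claims, or None if the token is malformed, forged or expired.
    The MAC is checked before the payload is parsed, so untrusted bytes are never decoded."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        provided = _unb64(sig)
    except ValueError:  # missing separator or invalid base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided):  # constant-time comparison
        return None
    try:
        payload = json.loads(_unb64(body))
    except ValueError:
        return None
    if now >= payload["exp"]:
        return None
    return {"user": payload["user"], "data": payload["data"]}


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=3600)
    sid = store.create("alice", {"fragment_prefs": ["news"]})
    print("stateful lookup:", store.lookup(sid))
    key = b"constructed-example-key-rotate-in-real-deployments"
    tok = issue_token(key, "alice", {"fragment_prefs": ["news"]}, ttl_seconds=600)
    print("stateless verify:", verify_token(key, tok))
```

The design trade-off the question asks about shows up directly in the two halves: the stateful store can revoke a session at any moment and its TTL is enforced server-side, at the cost of a shared store that every AEM instance must reach; the stateless token needs no storage, but it cannot be revoked before its expiry without reintroducing a server-side denylist, and whatever data it carries is visible to the client unless it is additionally encrypted. Either way the server's lifetime, not the mobile app's 72 hours, bounds how long a token or session is honoured.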


Level 2

Thanks for the clarification.

One more thing I need: how to write a custom login handler for AEM 6.4.

I am struggling a bit for this.


Employee Advisor

Regarding the login handler: maybe Apache Sling :: Authentication can be helpful; it covers a broad range of topics in the area of authentication and login. But if you have a SAML login, you should not have to write something on your own.

Jörg