SOLVED

Edit SAML SP Initiated Response


Level 4

Hey everyone,

I'm working on a site that uses SAML for SSO and have run into a small snag with the IDP. The IDP requires some additional configuration that is not available in the OOTB SamlAuthenticationHandler. Namely, I need to modify the form that is sent back to the browser. The form sent back has some JavaScript and a form in it that sets the request-path cookie and POSTs the SAML AuthnRequest to the IDP. An example is:

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'>
<head>
  <meta http-equiv='content-type' content='text/html; charset=utf-8' />
  <title>POST data</title>
  <script>
    function setRequestPathCookies() {
      var requestPath = escape(document.location.pathname);
      var query = escape(document.location.search);
      if (query) requestPath += "?" + query;
      var hash = escape(document.location.hash.substring(1));
      if (hash) document.cookie = "anchor_backup=" + hash + ";path=/;";
      document.cookie = "saml_request_path=" + requestPath + ";path=/;";
    }
  </script>
</head>
<body onload='setRequestPathCookies(); document.forms[0].submit();'>
  <noscript>
    <p><strong>Note:</strong> Since your browser does not support JavaScript, you must press the button below once to proceed.</p>
  </noscript>
  <form method='post' action='https://IDP_URL.com/sso'>
    <input type='hidden' name='SAMLRequest' value='BASE64_SAML_AUTHN' />
    <noscript>
      <input type='submit' value='Submit' />
    </noscript>
  </form>
</body>
</html>

I need to know how to modify this form. I cannot find a template or any documentation on the subject. I have read all the SAML documentation and understand quite well how it works, and am just looking for some direction on where I can find the code that generates this file exactly so I can modify it. Any direction here is appreciated.

Thank you!

1 Accepted Solution


Correct answer by
Level 9

jamiec4451712 wrote...

Thanks for the reply. The problem is that the IDP does not have a session store, so loses SP context during SP initiated authentication and cannot properly redirect the user to the consume URL. The solution is to urlencode the AuthnRequest and other parameters and place them in the query string. The simplest way to do this is to change that form from a POST to a GET. That simple change will solve our problems. Essentially, the IDP does not currently support SP initiated via POST. AEM does not provide an option to configure the request method used in that form. It seems foolish to rewrite the bundle to change 4 characters - I was hoping there was a more deliberate way to approach that change.


As you know, the specification is there with a purpose and you can't change POST to GET. If the product did so it would go against the spec, and I am sure Adobe will not go against the spec; the implementation is correct. There is already a product enhancement request to support AuthnRequest. You can file an official feature pack support request to get that feature. Another alternative is to post-process the response: http://apoorva-ganapathy.blogspot.com/2016/08/aem-processing-saml-response-using.html  Hope it helps you.

3 Replies


Level 9

Hi Jamie,

It is part of PostResponse, which is part of the SAML bundle [A]. You can't extend it unless you rewrite the complete bundle implementation; other workarounds are hacks that are not upgrade safe. Unfortunately, from 6.2 onwards any anchor or external setting of the path is not considered. If you can explain the exact problem you are trying to solve, there might be a better solution the community can share.

[A]  http://host:port/system/console/bundles/com.adobe.granite.auth.saml

Thanks,


Level 4

Thanks for the reply. The problem is that the IDP does not have a session store, so loses SP context during SP initiated authentication and cannot properly redirect the user to the consume URL. The solution is to urlencode the AuthnRequest and other parameters and place them in the query string. The simplest way to do this is to change that form from a POST to a GET. That simple change will solve our problems. Essentially, the IDP does not currently support SP initiated via POST. AEM does not provide an option to configure the request method used in that form. It seems foolish to rewrite the bundle to change 4 characters - I was hoping there was a more deliberate way to approach that change.
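The encoding difference behind the "POST to GET" idea in the reply above, and behind the hidden SAMLRequest field in the form quoted in the question, as an added example (it is not code from this thread, from AEM's SAML bundle or from the IdP): the SAML 2.0 HTTP-POST binding carries the AuthnRequest as plain base64 in a form field, whereas the HTTP-Redirect binding carries it in the query string as raw DEFLATE, then base64, then URL-encoded. Simply flipping the form method to GET sends the POST-binding payload in the query string, which an IdP implementing the Redirect binding cannot inflate. The AuthnRequest XML, the IdP and SP hostnames, and the `idp_can_parse_redirect` check are constructed for illustration.

```python
import base64
import zlib
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample AuthnRequest; hostnames and ID are placeholders, not real endpoints.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example-id-1" Version="2.0" IssueInstant="2018-01-01T00:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.com/saml_login" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    '<saml:Issuer>https://sp.example.com</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def post_binding_fields(authn_request, relay_state=None):
    """HTTP-POST binding: the XML is base64-encoded as-is and placed in hidden form fields."""
    fields = {"SAMLRequest": base64.b64encode(authn_request.encode("utf-8")).decode("ascii")}
    if relay_state is not None:
        fields["RelayState"] = relay_state
    return fields


def decode_post_binding(fields):
    """What an IdP does with the POST form: plain base64 decode of the SAMLRequest field."""
    return base64.b64decode(fields["SAMLRequest"]).decode("utf-8")


def redirect_binding_url(idp_sso_url, authn_request, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode into the query."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects raw DEFLATE
    deflated = compressor.compress(authn_request.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return f"{idp_sso_url}?{urlencode(params)}"


def decode_redirect_binding(url):
    """What an IdP does with a Redirect-binding URL: URL-decode, base64 decode, inflate."""
    qs = parse_qs(urlparse(url).query)
    deflated = base64.b64decode(qs["SAMLRequest"][0])
    xml = zlib.decompress(deflated, -15).decode("utf-8")
    return xml, qs.get("RelayState", [None])[0]


def naive_get_url(idp_sso_url, fields):
    """The '4 character' change: the POST-binding form fields sent with GET instead of POST."""
    return f"{idp_sso_url}?{urlencode(fields)}"


def idp_can_parse_redirect(url):
    """Constructed check: would a Redirect-binding IdP recover an AuthnRequest from this URL?"""
    try:
        xml, _ = decode_redirect_binding(url)
    except (zlib.error, UnicodeDecodeError, KeyError):
        return False
    return "AuthnRequest" in xml


if __name__ == "__main__":
    fields = post_binding_fields(AUTHN_REQUEST, relay_state="/content/page")
    print("POST binding field length:", len(fields["SAMLRequest"]))
    url = redirect_binding_url("https://idp.example.com/sso", AUTHN_REQUEST, "/content/page")
    print("Redirect binding URL:", url)
    print("IdP can inflate proper redirect URL:", idp_can_parse_redirect(url))
    print("IdP can inflate naive GET of POST fields:",
          idp_can_parse_redirect(naive_get_url("https://idp.example.com/sso", fields)))
```

Two points for whoever ends up changing the binding: in the Redirect binding the XML signature cannot live inside the (compressed) AuthnRequest, so a signed request carries separate SigAlg and Signature query parameters that the IdP must verify over the query string; and anything placed in the query string, RelayState included, is exposed in browser history, proxy logs and Referer headers, which is why the form in the question keeps the return path in a cookie rather than sending it to the IdP.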
