Expand my Community achievements bar.

SOLVED

Feasibility of wildcard for Path - SAML Authentication Handler

Avatar

Level 4
Level 4
9/11/19 11:59:54 AM

Hi,

We are trying to configure SAML Authentication Handler in publish instances so that content under private/secure folder can only be accessed after user logs in.

Private/Secure folders can be under multiple content paths for example /content/mycompany/abc/secure or /content/mycompany/xyz/secure or /content/mycompany/123/def/secure and so on.

Is there a feasibility to configure wildcard path for example /content/*/secure or if path contains secure or private, so that i need not list down all individual paths?

Any suggestions on this would be appreciated.

Thanks,

Srikanth

Views

3.1K

Replies

5
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Employee Advisor
Employee Advisor
9/12/19 8:48:41 AM

Adding (-/content/mycompany/abc/public) to the Apache Sling Authentication Service will exclude that page from authentication at all and SAML will not be triggered on those pages.

Basically,"Apache Sling Authentication Service" is the first layer of authentication that determines which content is allowed/denied and if the content is denied, requests are then routed to authentication handlers(OOTB Sling or SAML) depending on the setup.

View solution in original post

Views

1.3K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
5 Replies

Avatar

Employee Advisor
Employee Advisor
9/11/19 12:50:45 PM

As far as i can check this is not possible and you need to use multiple SAML configuration to achieve that. Explaination below:

  • SAML Handler in AEM will only be activated when it receives the IDP response at <AEM_HOST>/saml_login(Assuming path variable is set to "/")
  • saml_login is the servlet that processes the IDP response and creates users Or provides details about the failure.
  • Also, IDP destination URL is dependent on the path variable and changes when path variable is changed, example below:
    • <AEM_HOST>/saml_login when the path field is set to "/"
    • <AEM_HOST>/content/abc/saml_login when the path field is set to "/content/abc"

Check [1] for detailed explaination

[1] https://labs.tadigital.com/index.php/2017/10/10/saml-single-sign-on-sso-for-aem-authorpublish-part-2...

Views

1.3K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Employee
Employee
9/11/19 11:16:33 PM

Hi Srikanth,

As per my experience,it is not feasible to add wildcard in path folder.

If path: / then /saml_login is ACS endpoint.

If the path: /content then /content/saml_login is ACS endpoint.

Assertion Consumer Service (ACS) url is the endpoint in AEM that consumes SAML response which is set at IDP end.

Therefore , if we have wildcard in path we will not be able to fetch the exact ACS endpoint

Views

1.9K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 4
Level 4
9/12/19 8:36:16 AM

Thanks for your response JaideepBrar and tanyakapila.

My problem statement is, we have multiple content folders and inside each such folder we are planning to have public and private/secure folders. For example, consider below folders

  1. /content/mycompany/abc/public
  2. /content/mycompany/abc/secure
  3. /content/mycompany/xyz/public
  4. /content/mycompany/xyz/secure

In the above scenario, when user tries to access pages under secure folder, user must be prompted for login whereas not required for public content. Will adding public folders in Apache Sling Authentication Service to exclude them(-/content/mycompany/abc/public) solve my problem?

I am going to try this and post my observations, but would like to get the above approach validated by you guys.

Thanks for the help.

Views

1.7K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Correct answer by
Employee Advisor
Employee Advisor
9/12/19 8:48:41 AM

Adding (-/content/mycompany/abc/public) to the Apache Sling Authentication Service will exclude that page from authentication at all and SAML will not be triggered on those pages.

Basically,"Apache Sling Authentication Service" is the first layer of authentication that determines which content is allowed/denied and if the content is denied, requests are then routed to authentication handlers(OOTB Sling or SAML) depending on the setup.

Views

1.3K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply

Avatar

Level 4
Level 4
9/12/19 1:13:27 PM

Thanks JaideepBrar,

Above approach seems to address my problem, however need to test all possible scenarios.

In Apache Sling Authentication Service, I have excluded public folders but allowed root content folder i.e. +/content/mycompany & -/content/mycompany/abc/public.

When I access any page under public folder, SAML handler is not triggered but for other pages I am asked to signin.

Views

1.9K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate