Feasibility of wildcard for Path - SAML Authentication Handler

srikanthp689160

11-09-2019

Hi,

We are trying to configure SAML Authentication Handler in publish instances so that content under private/secure folder can only be accessed after user logs in.

Private/Secure folders can be under multiple content paths for example /content/mycompany/abc/secure or /content/mycompany/xyz/secure or /content/mycompany/123/def/secure and so on.

Is there a feasibility to configure wildcard path for example /content/*/secure or if path contains secure or private, so that I need not list down all individual paths?

Any suggestions on this would be appreciated.

Thanks,

Srikanth

Accepted Solutions (1)

jbrar

Employee

12-09-2019

Adding (-/content/mycompany/abc/public) to the Apache Sling Authentication Service will exclude that page from authentication at all and SAML will not be triggered on those pages.

Basically, "Apache Sling Authentication Service" is the first layer of authentication that determines which content is allowed/denied and if the content is denied, requests are then routed to authentication handlers (OOTB Sling or SAML) depending on the setup.

Answers (4)

srikanthp689160

12-09-2019

Thanks JaideepBrar,

Above approach seems to address my problem, however need to test all possible scenarios.

In Apache Sling Authentication Service, I have excluded public folders but allowed root content folder i.e. +/content/mycompany & -/content/mycompany/abc/public.

When I access any page under public folder, SAML handler is not triggered but for other pages I am asked to signin.
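A simplified model of the allow/deny evaluation discussed in this thread, added as an example (not posted by any participant and not Sling's own code). It assumes the longest matching path entry decides and that entries match whole path segments; the function names and sample paths are hypothetical.

```python
# Model of "Apache Sling Authentication Service" path entries:
#   +path = authentication required, -path = anonymous access allowed.
# Assumption: the longest matching entry wins (not Sling's actual code).

def parse_requirements(entries):
    """Turn ['+/a', '-/a/b'] into [(path, requires_auth)], longest path first."""
    rules = []
    for entry in entries:
        entry = entry.strip()
        if not entry:
            continue
        if entry[0] in "+-":
            requires, path = entry[0] == "+", entry[1:]
        else:
            requires, path = True, entry  # assumption: bare path means "required"
        rules.append((path.rstrip("/") or "/", requires))
    return sorted(rules, key=lambda r: len(r[0]), reverse=True)

def covers(rule_path, request_path):
    """Match on segment boundaries so /abc/public does not cover /abc/public2."""
    if rule_path == "/":
        return True
    return request_path == rule_path or request_path.startswith(
        (rule_path + "/", rule_path + "."))

def requires_auth(entries, request_path, default=False):
    """default applies only when no entry matches (assumed site-wide setting)."""
    for rule_path, requires in parse_requirements(entries):
        if covers(rule_path, request_path):
            return requires
    return default

def build_requirements(root, public_folders):
    """Protect the whole root, then carve out each public folder explicitly."""
    return ["+" + root] + ["-" + p for p in public_folders]

# Constructed sample configuration based on the folders named in the thread.
REQS = build_requirements("/content/mycompany", [
    "/content/mycompany/abc/public",
    "/content/mycompany/xyz/public",
])
```

With the root protected and only public folders excluded, a newly created folder such as /content/mycompany/123/def/secure requires login without any extra entry, so a forgotten entry fails closed rather than open.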

srikanthp689160

12-09-2019

Thanks for your response JaideepBrar and tanyakapila.

My problem statement is, we have multiple content folders and inside each such folder we are planning to have public and private/secure folders. For example, consider below folders

  1. /content/mycompany/abc/public
  2. /content/mycompany/abc/secure
  3. /content/mycompany/xyz/public
  4. /content/mycompany/xyz/secure

In the above scenario, when user tries to access pages under secure folder, user must be prompted for login whereas not required for public content. Will adding public folders in Apache Sling Authentication Service to exclude them (-/content/mycompany/abc/public) solve my problem?

I am going to try this and post my observations, but would like to get the above approach validated by you guys.

Thanks for the help.

tanyakapila

11-09-2019

Hi Srikanth,

As per my experience, it is not feasible to add wildcard in path folder.

If path: / then /saml_login is ACS endpoint.

If the path: /content then /content/saml_login is ACS endpoint.

Assertion Consumer Service (ACS) URL is the endpoint in AEM that consumes SAML response which is set at IDP end.

Therefore, if we have wildcard in path we will not be able to fetch the exact ACS endpoint.

jbrar

Employee

11-09-2019

As far as I can check this is not possible and you need to use multiple SAML configuration to achieve that. Explanation below:

  • SAML Handler in AEM will only be activated when it receives the IDP response at <AEM_HOST>/saml_login (assuming path variable is set to "/")
  • saml_login is the servlet that processes the IDP response and creates users or provides details about the failure.
  • Also, IDP destination URL is dependent on the path variable and changes when path variable is changed, example below:
    • <AEM_HOST>/saml_login when the path field is set to "/"
    • <AEM_HOST>/content/abc/saml_login when the path field is set to "/content/abc"

Check [1] for detailed explanation

[1] https://labs.tadigital.com/index.php/2017/10/10/saml-single-sign-on-sso-for-aem-authorpublish-part-2...