Feasibility of wildcard for Path - SAML Authentication Handler | Community
Skip to main content
srikanthp689160
srikanthp689160
Level 4
September 11, 2019
Solved

Feasibility of wildcard for Path - SAML Authentication Handler

  • September 11, 2019
  • 5 replies
  • 3760 views

Hi,

We are trying to configure SAML Authentication Handler in publish instances so that content under private/secure folder can only be accessed after user logs in.

Private/Secure folders can be under multiple content paths for example /content/mycompany/abc/secure or /content/mycompany/xyz/secure or /content/mycompany/123/def/secure and so on.

Is there a feasibility to configure wildcard path for example /content/*/secure or if path contains secure or private, so that i need not list down all individual paths?

Any suggestions on this would be appreciated.

Thanks,

Srikanth

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.
Best answer by user05162

Adding (-/content/mycompany/abc/public) to the Apache Sling Authentication Service will exclude that page from authentication at all and SAML will not be triggered on those pages.

Basically,"Apache Sling Authentication Service" is the first layer of authentication that determines which content is allowed/denied and if the content is denied, requests are then routed to authentication handlers(OOTB Sling or SAML) depending on the setup.

5 replies

U
Adobe Employee
user05162Adobe Employee
Adobe Employee
September 11, 2019

As far as i can check this is not possible and you need to use multiple SAML configuration to achieve that. Explaination below:

  • SAML Handler in AEM will only be activated when it receives the IDP response at <AEM_HOST>/saml_login(Assuming path variable is set to "/")
  • saml_login is the servlet that processes the IDP response and creates users Or provides details about the failure.
  • Also, IDP destination URL is dependent on the path variable and changes when path variable is changed, example below:
    • <AEM_HOST>/saml_login when the path field is set to "/"
    • <AEM_HOST>/content/abc/saml_login when the path field is set to "/content/abc"

Check [1] for detailed explaination

[1] https://labs.tadigital.com/index.php/2017/10/10/saml-single-sign-on-sso-for-aem-authorpublish-part-2/

K
Adobe Employee
kapilaAdobe Employee
Adobe Employee
September 12, 2019

Hi Srikanth,

As per my experience,it is not feasible to add wildcard in path folder.

If path: / then /saml_login is ACS endpoint.

If the path: /content then /content/saml_login is ACS endpoint.

Assertion Consumer Service (ACS) url is the endpoint in AEM that consumes SAML response which is set at IDP end.

Therefore , if we have wildcard in path we will not be able to fetch the exact ACS endpoint

srikanthp689160
srikanthp689160Author
Level 4
September 12, 2019

Thanks for your response JaideepBrar and tanyakapila.

My problem statement is, we have multiple content folders and inside each such folder we are planning to have public and private/secure folders. For example, consider below folders

  1. /content/mycompany/abc/public
  2. /content/mycompany/abc/secure
  3. /content/mycompany/xyz/public
  4. /content/mycompany/xyz/secure

In the above scenario, when user tries to access pages under secure folder, user must be prompted for login whereas not required for public content. Will adding public folders in Apache Sling Authentication Service to exclude them(-/content/mycompany/abc/public) solve my problem?

I am going to try this and post my observations, but would like to get the above approach validated by you guys.

Thanks for the help.

U
Adobe Employee
user05162Adobe EmployeeAccepted solution
Adobe Employee
September 12, 2019

Adding (-/content/mycompany/abc/public) to the Apache Sling Authentication Service will exclude that page from authentication at all and SAML will not be triggered on those pages.

Basically,"Apache Sling Authentication Service" is the first layer of authentication that determines which content is allowed/denied and if the content is denied, requests are then routed to authentication handlers(OOTB Sling or SAML) depending on the setup.

srikanthp689160
srikanthp689160Author
Level 4
September 12, 2019

Thanks JaideepBrar,

Above approach seems to address my problem, however need to test all possible scenarios.

In Apache Sling Authentication Service, I have excluded public folders but allowed root content folder i.e. +/content/mycompany & -/content/mycompany/abc/public.

When I access any page under public folder, SAML handler is not triggered but for other pages I am asked to signin.

Terms & ConditionsAccessibility statement

Loading footer...