Hi Team,
We have configured OKTA SAML for our project content directory /content/xyz and enabled auth_checker for all the secured pages in AEM (AEM as a Cloud Service) by following the below documentation :
https://experienceleague.adobe.com/docs/experience-manager-dispatcher/using/configuring/permissions-...
https://www.danklco.com/posts/2021/04/saml-authentication-aem-permissions-sensitive-caching.html
We enabled dispatcher caching and disabled CDN caching for secured content.
So, In new session when we hit the page URL directly in browser for first time (no cache) it's redirecting to OKTA page correctly but when the file is already in cache and if we hit that page URL in browser it's trying to invoke auth_checker service (/bin/auth/permissioncheck.html) with the SAML enabled url path.
Since user is anonymous user it's redirecting to forbidden page (403 ) instead of OKTA redirect.
When I exclude auth_checker path (/bin/auth/permissioncheck.html)) in Sling Authenticator , this 403 redirection is happening.
org.apache.sling.engine.impl.auth.SlingAuthenticator.cfg.json
If I include auth checker path in in Sling Authenticator and page is cached , then page request is going to 404 with below error
/libs/granite/core/content/login.html?resource=%2Fbin%%2Fauthcheck%3Furi%3D%2Fcontent%2Fxyz%2Fen-us%2Fcollections%2Fall-products%2abc.html&$$login$$=%24%24login%24%24&j_reason=unknown&j_reason_code=unknown
In summary, When content is cached in Dispatcher , the page request has issues in below 2 scenarios.
1. If I include auth checker path in Sling Authenticator, --------->404
2. If I exclude auth checker path in Sling Authenticator, --------->403
What should we in this scenario.
Expectation:
if Page is cached and active session is not there , then the new request to AEM page should redirect to OKTA page instead of 403 or 404.
Any idea /suggestions on this issue.
CC: @kautuk_sahni @Jörg_Hoh @arunpatidar @aanchal_sikka
Solved! Go to Solution.
Topics help categorize Community content and increase your ability to discover relevant content.
Views
Replies
Total Likes
Hi @Rudra-2024
Auth check servlet will be called for all the request if file is cached and rules are matched.
Dispatcher calls Auth check servlet to check the authentication status, there is no way dispatcher can check login status by itself, hence dispatcher ask publisher.
Hi,
You need to create your own servlet instedaof relying on /bin/auth/permissioncheck.html
1. In your servlet yo check what is the status of user and if user is not logged in redirect to login page.
2. If user is logged in but does not have permission to access the page then your serve 403
Hi Arun, Thanks for the response.
Yes. I have my own servlet. For security sake I didn't mention actual path in question( it is like /bin/auth/xx/yy/authcheck)
1. In your servlet yo check what is the status of user and if user is not logged in redirect to login page.
Am checking the user status and user is anonymous ( means not logged in). I can redirect to login/Okta page here.
My doubt is auth check servlet should not gets called if the user is not logged-in
2. If user is logged in but does not have permission to access the page then your serve 403
yes. It is taken care in servlet and working as expected
@Rudra-2024 Did you find the suggestions from users helpful? Please let us know if more information is required. Otherwise, please mark the answer as correct for posterity. If you have found out solution yourself, please share it with the community.
Views
Replies
Total Likes
My doubt/Question is not cleared yet.
Question: Auth check servlet should not gets called if the user is not logged-in .
Is it possible with any configuration ( like sling authenticator or dispatcher configs)
Hi @Rudra-2024
Auth check servlet will be called for all the request if file is cached and rules are matched.
Dispatcher calls Auth check servlet to check the authentication status, there is no way dispatcher can check login status by itself, hence dispatcher ask publisher.
I felt the same @arunpatidar . But, I thought there will be an option in dispatcher based on request headers or cookies. Seems we have to write the logic in auth check servlet it self.
Thanks for the response and /confirmation
Views
Likes
Replies
Views
Likes
Replies