SOLVED

Multiple Authentication handlers

Level 2

Hi,

My use case is that I want to use different authentication handlers for different sites. We already have SAML integrated with an IDP for one site. But we also want to use the OOTB Login component to authenticate users in the AEM User list. Right now SAML overrides everything.

Any ideas?

Brumoon

1 Accepted Solution

Correct answer by
Employee

Hi,

In Sling, Authentication Handlers can be applied by path, so this is just a matter of configuring each Authentication Handler with the set of paths it should handle.

Regards,

Justin
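Added example (not part of the original answer, and not Sling or AEM code): a simplified Python model of path-scoped handler selection, showing why a SAML handler registered on `/` answers every request and how scoping it to one site leaves the other site to form login. The handler names, site paths and rankings are constructed, and the ordering rule (most specific path first, then ranking) is an assumption of this model.

```python
# Simplified model of path-scoped authentication handler selection.
# Handler names, site paths and rankings are constructed for illustration;
# the ordering rule is an assumption of the model, not Sling's own code.
from dataclasses import dataclass


@dataclass(frozen=True)
class Handler:
    name: str
    path: str         # repository path the handler is configured for
    ranking: int = 0  # tie-breaker between handlers on the same path


def applies(handler_path: str, request_path: str) -> bool:
    """True when handler_path is request_path or one of its ancestors."""
    base = handler_path.rstrip("/")
    # Match on whole path segments so /content/site-a does not claim /content/site-ab.
    return base == "" or request_path == base or request_path.startswith(base + "/")


def candidates(handlers, request_path):
    """Applicable handlers, most specific path first, then higher ranking."""
    hits = [h for h in handlers if applies(h.path, request_path)]
    return sorted(hits, key=lambda h: (-len(h.path.rstrip("/")), -h.ranking))


def first_handler(handlers, request_path):
    """Name of the handler that gets the first chance at the request, or None."""
    hits = candidates(handlers, request_path)
    return hits[0].name if hits else None


def report(handlers, paths):
    return {p: first_handler(handlers, p) for p in paths}


FORM = Handler("form-login", "/", ranking=0)
# Before: SAML registered on the root, so it wins everywhere.
BEFORE = [Handler("saml", "/", ranking=10), FORM]
# After: SAML scoped to the one site that uses the IdP.
AFTER = [Handler("saml", "/content/site-a", ranking=10), FORM]

PATHS = ["/content/site-a/en.html", "/content/site-b/en.html", "/content/site-ab/en.html"]

if __name__ == "__main__":
    for label, cfg in (("SAML on /", BEFORE), ("SAML on /content/site-a", AFTER)):
        print(label, report(cfg, PATHS))
```
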

Level 1

Justin,
This was useful - the hint to configure Authentication Handler with the set of paths.

Since we are talking here about 1-to-n mapping (1 AEM instance to several IdP providers), I wonder how we configure the AEM instance with individual IdP information?

As per this post:
http://dev.day.com/content/docs/en/cq/current/core/administering/saml-2-0-authenticationhandler.html
IdP keys should be stored in the following locations:
/etc/key/saml/idp_cert
/etc/key/saml/public
/etc/key/saml/private

Where do we configure multiple IdP providers?
How does AEM learn about multiple IdP providers?

The goal here is to use one IdP provider for one Website and another IdP provider for second (different than the first one) Website.

Level 2

Thanks Justin for the information. I am presuming you are referring to system/console/slingauth, to configure the path.

Another variation to my question is: What if I want a form login authentication to work? Right now j_security_check gets overridden by the SAML authentication. How do I (or is there documentation on how to) create another customized (multiple) authentication suffix(es) to direct to multiple AEM Authentication Handler(s)?

Employee

No, I was referring to configuring the path for each authentication handler. /system/console/slingauth is a read-only view of the configuration.

Employee

Hi,

As you've noticed, the SAML Authentication Handler can effectively be used only against a single IDP because it relies on a common location for the certificates and keys. To be clear, the original post was about combining the SAML handler with a different handler.

If you need to connect to multiple IDPs, you will have to write your own SAML handler (presumably extending the OOTB one) or work with Adobe support to get support for multiple IDPs added to the product.

Regards,

Justin