
SOLVED

Multiple SAML Configurations on Same AEM 6.1 Instance


Level 3

Hi All,

I have a business requirement where I need to protect 2 paths with different SAML configurations in AEM 6.1. Each path has a different level of security and different IDP login/logout URLs.

Additionally, if a user is logged in via path1 (SAML1 configuration) and attempts to access path2, then the user must be redirected to log in via the SAML2 configuration. So there are 2 levels of security - and SAML challenges.

Problem 1: If the user logs in via SAML1, the SAML2 challenge is never triggered. The user can freely access content under path2. So AEM sees a login session and assumes everything's fine. It never consults the SAML authentication handler once a user logs in.

Problem 2: SAML logout doesn't work at all. From some other postings in the forum it seems that SAML logout only works if the configuration protects root (/). 

Can I make any of this behavior function with the existing SAML authentication handler in AEM 6.1?

What's the purpose of the multiple SAML configurations currently supported in AEM? It seems that multiple configurations are equivalent to a single configuration that protects multiple paths.

And can I nest the paths in different SAML configurations? For example, SAML1 protects /content/secure and SAML2 protects /content/secure/extra-secure.

I think I can probably solve (most of) these issues with some relatively minor customization but I'm wondering if I can make better use of the OOTB SAML features.

Thanks in advance for any advice.

David Frenkiel

1 Accepted Solution


Correct answer by
Employee

Hi David,

If a user authenticated via SAML1 does not have the correct privileges to see content protected by SAML2, then irrespective of how they were authenticated, they shouldn't see that content. Have you set up the appropriate group-level privileges on path1 and path2?

Regards,

Opkar


6 Replies



Level 3

Thanks, Opkar.

Unfortunately the same user can have access to both areas. That's really the main complication here.

A user can have access (via group membership) to both paths. But they still need to authenticate a second time when accessing a SAML2 path.


Level 1

Hi David

I have a similar requirement to yours, where I have two SAML configurations: the same user can have access to both areas, but they still need to authenticate a second time when accessing a SAML2 path.

If you remember the steps, could you please help me out with the same?

Thanks in advance

Laxman Kumar


Level 3

Hi Kumar,

We ultimately abandoned this requirement but we did manage to get something working.

We created a custom authentication handler by extending SamlAuthenticationHandler. In extractCredentials() we explicitly check the request path and the user's group membership and return FAIL_AUTH if we need to force authentication.

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.sling.auth.core.spi.AuthenticationInfo;

import com.adobe.granite.auth.saml.SamlAuthenticationHandler;

public class CustomSamlAuthenticationHandler extends SamlAuthenticationHandler {

    @Override
    public AuthenticationInfo extractCredentials(HttpServletRequest request, HttpServletResponse response) {
        // Let the OOTB SAML handler extract the credentials from the request first
        // (assumed: the original post does not show how the handler's own result is obtained).
        AuthenticationInfo info = super.extractCredentials(request, response);

        // ... (elided in the original post: compare the request path with the path this
        // configuration protects and check the user's group membership, setting
        // authenticatedForTheRequestedPath accordingly)

        if (!authenticatedForTheRequestedPath) {
            // Reports the request as unauthenticated so Sling issues a fresh SAML challenge.
            return AuthenticationInfo.FAIL_AUTH;
        }

        return info;
    }

    // ... (remaining overrides elided in the original post)
}

This worked with AEM 6.1. I haven't tried it with AEM 6.3/6.4.

David
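To make the decision behind authenticatedForTheRequestedPath concrete, here is an added example (not code from this thread, from AEM or from Adobe) of the step-up policy a handler like the one above would consult: a longest-prefix lookup from request path to SAML configuration, a rank per configuration, and a rule that only ever forces a re-challenge upward, so a SAML2 session is accepted on SAML1 paths but a SAML1 session is rejected on SAML2 paths. It also answers the nesting question from the original post, since the longest matching prefix decides which configuration applies. The prefixes /content/secure and /content/secure/extra-secure come from the question; the ranks, the session model (which configuration a session was established with) and the class itself are assumptions.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/** Added example: step-up policy for nested SAML-protected paths (all values are assumptions). */
public class SamlStepUpPolicy {

    /** Which SAML configuration protects which path prefix (from the question). */
    private final Map<String, String> configByPrefix = new LinkedHashMap<>();
    /** Assumed strength ranking: a session may only ever be stepped up, never down. */
    private final Map<String, Integer> rankByConfig = new LinkedHashMap<>();

    public SamlStepUpPolicy() {
        configByPrefix.put("/content/secure", "SAML1");
        configByPrefix.put("/content/secure/extra-secure", "SAML2");
        rankByConfig.put("SAML1", 1);
        rankByConfig.put("SAML2", 2);
    }

    /** Longest matching prefix wins, so a nested path resolves to the stricter configuration. */
    public String requiredConfig(String path) {
        String best = null;
        for (Map.Entry<String, String> e : configByPrefix.entrySet()) {
            String prefix = e.getKey();
            // Match on path segments only: "/content/secure-other" must not match "/content/secure".
            boolean matches = path.equals(prefix) || path.startsWith(prefix + "/");
            if (matches && (best == null || prefix.length() > best.length())) {
                best = prefix;
            }
        }
        return best == null ? null : configByPrefix.get(best);
    }

    /**
     * True when the current session must be re-challenged: the path is protected and the
     * configuration the session was established with ranks below the one the path needs.
     * sessionConfig is null for an anonymous request.
     */
    public boolean mustReauthenticate(String path, String sessionConfig) {
        String required = requiredConfig(path);
        if (required == null) {
            return false; // unprotected path, nothing to enforce here
        }
        if (sessionConfig == null) {
            return true; // anonymous: always challenge
        }
        Integer have = rankByConfig.get(sessionConfig);
        Integer need = rankByConfig.get(required);
        // Unknown session configuration: fail closed and force a fresh login.
        return have == null || have < need;
    }

    public static void main(String[] args) {
        SamlStepUpPolicy policy = new SamlStepUpPolicy();
        String[][] cases = {
            {"/content/secure/page.html", "SAML1"},              // false: level matches
            {"/content/secure/extra-secure/page.html", "SAML1"}, // true: step-up required
            {"/content/secure/extra-secure/page.html", "SAML2"}, // false: already at SAML2
            {"/content/secure/page.html", "SAML2"},              // false: higher level suffices
            {"/content/public/page.html", null},                 // false: unprotected
            {"/content/secure-other/page.html", "SAML1"},        // false: not a prefix match
        };
        for (String[] c : cases) {
            System.out.println(c[0] + " via " + c[1] + " -> reauth=" + policy.mustReauthenticate(c[0], c[1]));
        }
    }
}
```

Inside an extractCredentials() override, the sessionConfig value would have to come from something the handler can read on the request (which configuration issued the current login), and the result of mustReauthenticate() is what decides between returning the super result and FAIL_AUTH.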


Level 2

Hi David,

We had a similar requirement for multiple SAML configs (AEM 6.3), but in my case only one config (the latest modified) works; for the other configs I get an "Invalid SAML token" message. Can you please help me with getting multiple SAML AEM configs (with different AEM paths) working all together in one go?

17.07.2018 18:03:43.513 *DEBUG* [qtp329006843-3503] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.

17.07.2018 18:04:05.844 *ERROR* [qtp329006843-3364] com.adobe.granite.auth.saml.util.SamlReader Document is invalid: no grammar found.

17.07.2018 18:04:05.844 *ERROR* [qtp329006843-3364] com.adobe.granite.auth.saml.util.SamlReader Document root element "saml2p:Response", must match DOCTYPE root "null".

17.07.2018 18:05:28.540 *DEBUG* [qtp329006843-3210] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.

17.07.2018 18:05:30.119 *ERROR* [qtp329006843-3364] com.adobe.granite.auth.saml.util.SamlReader Document is invalid: no grammar found.

17.07.2018 18:05:30.119 *ERROR* [qtp329006843-3364] com.adobe.granite.auth.saml.util.SamlReader Document root element "saml2p:Response", must match DOCTYPE root "null".

17.07.2018 18:05:30.149 *DEBUG* [qtp329006843-3364] com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: audienceRestrictions violated.

17.07.2018 18:05:30.149 *INFO* [qtp329006843-3364] com.adobe.granite.auth.saml.SamlAuthenticationHandler Login failed. SAML token invalid.

17.07.2018 18:05:30.149 *INFO* [qtp329006843-3364] com.adobe.granite.auth.saml.SamlAuthenticationHandler SAML error with reason: invalid_token detected, redirect user to: /libs/granite/core/content/login.error.html?j_reason=invalid_token

17.07.2018 18:06:19.642 *ERROR* [qtp329006843-3364] com.adobe.granite.auth.saml.util.SamlReader Document is invalid: no grammar found.

17.07.2018 18:06:19.642 *ERROR* [qtp329006843-3364] com.adobe.granite.auth.saml.util.SamlReader Document root element "saml2p:Response", must match DOCTYPE root "null".

17.07.2018 18:06:19.644 *DEBUG* [qtp329006843-3364] com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: audienceRestrictions violated.

17.07.2018 18:06:19.644 *INFO* [qtp329006843-3364] com.adobe.granite.auth.saml.SamlAuthenticationHandler Login failed. SAML token invalid.

17.07.2018 18:06:19.644 *INFO* [qtp329006843-3364] com.adobe.granite.auth.saml.SamlAuthenticationHandler SAML error with reason: invalid_token detected, redirect user to: /libs/granite/core/content/login.error.html?j_reason=invalid_tok
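As an added example for triaging lines like the ones above (not code from this thread, from AEM or from Adobe), the following reads AEM error.log lines in the layout shown and maps the SAML handler's messages to the configuration problem they usually indicate, counting how often each occurs. The sample lines are constructed to mirror the posted ones, and the message-to-cause mapping is my reading of the messages, not Adobe documentation: in particular, "audienceRestrictions violated" means the Audience asserted by the IdP does not equal the Service Provider Entity ID of the SAML configuration that received the response, which is the first thing to compare when only one of several configurations accepts tokens; "Private key of SP not provided" means the configuration has no SP signing key, so the AuthnRequest goes out unsigned.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example: classify SAML failures in AEM error.log lines (mapping is an assumption). */
public class SamlLogTriage {

    /** AEM error.log layout: "dd.MM.yyyy HH:mm:ss.SSS *LEVEL* [thread] logger message". */
    private static final Pattern LINE = Pattern.compile(
            "^(\\S+ \\S+) \\*(\\w+)\\* \\[([^\\]]+)\\] (\\S+) (.*)$");

    /** Message fragment -> likely configuration cause (the author's reading, not Adobe's). */
    private static final Map<String, String> CAUSES = new LinkedHashMap<>();
    static {
        CAUSES.put("audienceRestrictions violated",
                "assertion Audience does not match the SP Entity ID of the configuration that received it");
        CAUSES.put("Private key of SP not provided",
                "no SP signing key configured for this configuration; AuthnRequest sent unsigned");
        CAUSES.put("Login failed. SAML token invalid",
                "assertion rejected; the validation message logged just before on the same thread names the failed check");
    }

    public static final class Finding {
        public final String timestamp, thread, message, cause;
        Finding(String timestamp, String thread, String message, String cause) {
            this.timestamp = timestamp; this.thread = thread; this.message = message; this.cause = cause;
        }
    }

    /** Keeps only com.adobe.granite.auth.saml lines whose message matches a known cause. */
    public static List<Finding> triage(List<String> lines) {
        List<Finding> findings = new ArrayList<>();
        for (String line : lines) {
            Matcher m = LINE.matcher(line);
            if (!m.matches() || !m.group(4).startsWith("com.adobe.granite.auth.saml")) {
                continue;
            }
            String message = m.group(5);
            for (Map.Entry<String, String> e : CAUSES.entrySet()) {
                if (message.contains(e.getKey())) {
                    findings.add(new Finding(m.group(1), m.group(3), message, e.getValue()));
                    break;
                }
            }
        }
        return findings;
    }

    /** Counts findings per cause so a recurring misconfiguration stands out. */
    public static Map<String, Integer> summarize(List<Finding> findings) {
        Map<String, Integer> counts = new LinkedHashMap<>();
        for (Finding f : findings) {
            counts.merge(f.cause, 1, Integer::sum);
        }
        return counts;
    }

    public static void main(String[] args) {
        // Constructed sample lines modelled on the ones posted in this thread.
        List<String> sample = Arrays.asList(
            "17.07.2018 18:05:28.540 *DEBUG* [qtp329006843-3210] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.",
            "17.07.2018 18:05:30.119 *ERROR* [qtp329006843-3364] com.adobe.granite.auth.saml.util.SamlReader Document is invalid: no grammar found.",
            "17.07.2018 18:05:30.149 *DEBUG* [qtp329006843-3364] com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: audienceRestrictions violated.",
            "17.07.2018 18:05:30.149 *INFO* [qtp329006843-3364] com.adobe.granite.auth.saml.SamlAuthenticationHandler Login failed. SAML token invalid.",
            "17.07.2018 18:05:30.149 *INFO* [qtp329006843-3364] com.adobe.granite.auth.saml.SamlAuthenticationHandler SAML error with reason: invalid_token detected, redirect user to: /libs/granite/core/content/login.error.html?j_reason=invalid_token");
        List<Finding> findings = triage(sample);
        for (Finding f : findings) {
            System.out.println(f.timestamp + " [" + f.thread + "] " + f.cause);
        }
        summarize(findings).forEach((cause, n) -> System.out.println(n + "x " + cause));
    }
}
```

Grouping by thread name (the qtp... value in brackets) is what ties the Assertion validation line to the "Login failed" line that follows it, so when several SAML configurations are active, the thread tells you which request, and therefore which configuration's entity ID, the rejected assertion belonged to.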


Level 2

Did you find a solution for this? I have the same issue in 6.4.