Hi All,
I have a business requirement where I need to protect 2 paths with different SAML configurations in AEM 6.1. Each path has a different level of security and different IDP login/logout URLs.
Additionally, if a user is logged in via path1 (SAML1 configuration) and attempts to access path2, then the user must be redirected to log in via SAML2 configuration. So there's 2 levels of security - and SAML challenges.
Problem 1: If the user logs in via SAML1, the SAML2 challenge is never triggered. The user can freely access content under path2. So AEM sees a login session and assumes everything's fine. It never consults the SAML authentication handler once a user logs in.
Problem 2: SAML logout doesn't work at all. From some other postings in the forum it seems that SAML logout only works if the configuration protects root (/).
Can I make any of this behavior function with the existing SAML authentication handler in AEM 6.1?
What's the purpose of the multiple SAML configurations currently supported in AEM? It seems that multiple configurations are equivalent to a single configuration that protects multiple paths.
And can I nest the paths in different SAML configurations? For example, SAML1 protects /content/secure and SAML1 protects /content/secure/extra-secure.
I think I can probably solve (most of) these issues with some relatively minor customization but I'm wondering if I can make better use of the OOTB SAML features.
Thanks in advance for any advice.
David Frenkiel
Solved! Go to Solution.
Views
Replies
Total Likes
Hi David,
if a user authenticated via SAML1 does not have the correct privileges to see content protected by SAML2, then irrespective of how they were authenticated, they shouldn't see that content. Have you set up the appropriate group level privileges on path1 and path2?
Regards,
Opkar
Views
Replies
Total Likes
Hi David,
if a user authenticated via SAML1 does not have the correct privileges to see content protected by SAML2, then irrespective of how they were authenticated, they shouldn't see that content. Have you set up the appropriate group level privileges on path1 and path2?
Regards,
Opkar
Views
Replies
Total Likes
Thanks, Opkar.
Unfortunately the same user can have access to both areas. That's really the main complication here.
A user can have access (via group membership) to both paths. But they still need to authenticate a second time when accessing a SAML2 path.
Views
Replies
Total Likes
Hi David
I am similar requirement like yours where i have two SAML configurations, same user can have access to both areas but they still need to authenticate a second time when accessing a SAML2 path.
If you remember the steps could you please help me out for the same.
Thanks in advance
Laxman Kumar
Views
Replies
Total Likes
Hi Kumar,
We ultimately abandoned this requirement but we did manage to get something working.
We created a custom authentication handler by extending SamlAuthenticationHandler. In extractCredentials() we explicitly check the request path and the user's group membership and return FAIL_AUTH if we need to force authentication.
import com.adobe.granite.auth.saml.SamlAuthenticationHandler;
...
public class CustomSamlAuthenticationHandler extends SamlAuthenticationHandler {
@Override
public AuthenticationInfo extractCredentials(HttpServletRequest request, HttpServletResponse response) {
...
if (!authenticatedForTheRequestedPath) {
return AuthenticationInfo.FAIL_AUTH;
}
...
}
...
}
This worked with AEM 6.1. I haven't tried it with AEM 6.3/6.4.
David
Views
Replies
Total Likes
Hi David,
We had similar requirement for multiple SAML config (AEM 6.3), but in my case only one config (latest modified) works, for other configs I get Invalid SAML token message. Can you please help me with multiple SAML AEM config ( with different AEM path) working all together in one go.
17.07.2018 18:03:43.513 *DEBUG* [qtp329006843-3503] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
17.07.2018 18:04:05.844 *ERROR* [qtp329006843-3364] com.adobe.granite.auth.saml.util.SamlReader Document is invalid: no grammar found.
17.07.2018 18:04:05.844 *ERROR* [qtp329006843-3364] com.adobe.granite.auth.saml.util.SamlReader Document root element "saml2p:Response", must match DOCTYPE root "null".
17.07.2018 18:05:28.540 *DEBUG* [qtp329006843-3210] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
17.07.2018 18:05:30.119 *ERROR* [qtp329006843-3364] com.adobe.granite.auth.saml.util.SamlReader Document is invalid: no grammar found.
17.07.2018 18:05:30.119 *ERROR* [qtp329006843-3364] com.adobe.granite.auth.saml.util.SamlReader Document root element "saml2p:Response", must match DOCTYPE root "null".
17.07.2018 18:05:30.149 *DEBUG* [qtp329006843-3364] com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: audienceRestrictions violated.
17.07.2018 18:05:30.149 *INFO* [qtp329006843-3364] com.adobe.granite.auth.saml.SamlAuthenticationHandler Login failed. SAML token invalid.
17.07.2018 18:05:30.149 *INFO* [qtp329006843-3364] com.adobe.granite.auth.saml.SamlAuthenticationHandler SAML error with reason: invalid_token detected, redirect user to: /libs/granite/core/content/login.error.html?j_reason=invalid_token
17.07.2018 18:06:19.642 *ERROR* [qtp329006843-3364] com.adobe.granite.auth.saml.util.SamlReader Document is invalid: no grammar found.
17.07.2018 18:06:19.642 *ERROR* [qtp329006843-3364] com.adobe.granite.auth.saml.util.SamlReader Document root element "saml2p:Response", must match DOCTYPE root "null".
17.07.2018 18:06:19.644 *DEBUG* [qtp329006843-3364] com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: audienceRestrictions violated.
17.07.2018 18:06:19.644 *INFO* [qtp329006843-3364] com.adobe.granite.auth.saml.SamlAuthenticationHandler Login failed. SAML token invalid.
17.07.2018 18:06:19.644 *INFO* [qtp329006843-3364] com.adobe.granite.auth.saml.SamlAuthenticationHandler SAML error with reason: invalid_token detected, redirect user to: /libs/granite/core/content/login.error.html?j_reason=invalid_tok
Views
Replies
Total Likes
Did you find a solution for this? I have the same issue in 6.4
Views
Replies
Total Likes