Multiple SAML Configurations on Same AEM 6.1 Instance

davidf46996755

16-10-2015

Hi All,

I have a business requirement where I need to protect 2 paths with different SAML configurations in AEM 6.1. Each path has a different level of security and different IDP login/logout URLs.

Additionally, if a user is logged in via path1 (SAML1 configuration) and attempts to access path2, then the user must be redirected to log in via SAML2 configuration. So there are 2 levels of security - and SAML challenges.

Problem 1: If the user logs in via SAML1, the SAML2 challenge is never triggered. The user can freely access content under path2. So AEM sees a login session and assumes everything's fine. It never consults the SAML authentication handler once a user logs in.

Problem 2: SAML logout doesn't work at all. From some other postings in the forum it seems that SAML logout only works if the configuration protects root (/). 

Can I make any of this behavior function with the existing SAML authentication handler in AEM 6.1?

What's the purpose of the multiple SAML configurations currently supported in AEM? It seems that multiple configurations are equivalent to a single configuration that protects multiple paths.

And can I nest the paths in different SAML configurations? For example, SAML1 protects /content/secure and SAML1 protects /content/secure/extra-secure.

I think I can probably solve (most of) these issues with some relatively minor customization but I'm wondering if I can make better use of the OOTB SAML features.

Thanks in advance for any advice.

David Frenkiel


gopal_agarwal

18-07-2018

Hi David,

We had a similar requirement for multiple SAML configs (AEM 6.3), but in my case only one config (the latest modified) works; for the other configs I get an "Invalid SAML token" message. Can you please help me get multiple SAML AEM configs (with different AEM paths) working all together in one go?

17.07.2018 18:03:43.513 *DEBUG* [qtp329006843-3503] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.

17.07.2018 18:04:05.844 *ERROR* [qtp329006843-3364] com.adobe.granite.auth.saml.util.SamlReader Document is invalid: no grammar found.

17.07.2018 18:04:05.844 *ERROR* [qtp329006843-3364] com.adobe.granite.auth.saml.util.SamlReader Document root element "saml2p:Response", must match DOCTYPE root "null".

17.07.2018 18:05:28.540 *DEBUG* [qtp329006843-3210] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.

17.07.2018 18:05:30.119 *ERROR* [qtp329006843-3364] com.adobe.granite.auth.saml.util.SamlReader Document is invalid: no grammar found.

17.07.2018 18:05:30.119 *ERROR* [qtp329006843-3364] com.adobe.granite.auth.saml.util.SamlReader Document root element "saml2p:Response", must match DOCTYPE root "null".

17.07.2018 18:05:30.149 *DEBUG* [qtp329006843-3364] com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: audienceRestrictions violated.

17.07.2018 18:05:30.149 *INFO* [qtp329006843-3364] com.adobe.granite.auth.saml.SamlAuthenticationHandler Login failed. SAML token invalid.

17.07.2018 18:05:30.149 *INFO* [qtp329006843-3364] com.adobe.granite.auth.saml.SamlAuthenticationHandler SAML error with reason: invalid_token detected, redirect user to: /libs/granite/core/content/login.error.html?j_reason=invalid_token

17.07.2018 18:06:19.642 *ERROR* [qtp329006843-3364] com.adobe.granite.auth.saml.util.SamlReader Document is invalid: no grammar found.

17.07.2018 18:06:19.642 *ERROR* [qtp329006843-3364] com.adobe.granite.auth.saml.util.SamlReader Document root element "saml2p:Response", must match DOCTYPE root "null".

17.07.2018 18:06:19.644 *DEBUG* [qtp329006843-3364] com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: audienceRestrictions violated.

17.07.2018 18:06:19.644 *INFO* [qtp329006843-3364] com.adobe.granite.auth.saml.SamlAuthenticationHandler Login failed. SAML token invalid.

17.07.2018 18:06:19.644 *INFO* [qtp329006843-3364] com.adobe.granite.auth.saml.SamlAuthenticationHandler SAML error with reason: invalid_token detected, redirect user to: /libs/granite/core/content/login.error.html?j_reason=invalid_tok
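A small triage script for handler log lines like the ones quoted above, added here as an example and not part of this thread or of AEM: it parses the error.log format, keeps only com.adobe.granite.auth.saml entries, groups findings by request thread (one thread handles one login attempt) and names the first substantive cause per thread. The diagnosis texts are general SAML 2.0 facts (an audienceRestrictions violation means the assertion's Audience element did not equal the entity ID this Service Provider is configured with, which is per-configuration in AEM), not a statement from the post; the sample lines are copied from the post.

```python
import re
from collections import OrderedDict

# AEM error.log line: "dd.MM.yyyy HH:mm:ss.SSS *LEVEL* [thread] logger message"
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"\*(?P<level>[A-Z]+)\* \[(?P<thread>[^\]]+)\] (?P<logger>\S+) (?P<msg>.*)$"
)

# Message fragments of the SAML handler -> short verdict. Explanations are
# general SAML 2.0 knowledge, not conclusions drawn by the post's author.
SIGNATURES = [
    ("audienceRestrictions violated",
     "audience_mismatch: assertion <Audience> != this SP's configured entity ID"),
    ("Private key of SP not provided",
     "unsigned_authnrequest: no SP key configured, AuthnRequest sent unsigned"),
    ("must match DOCTYPE root",
     "doctype_warning: XML parser validated a document with no DOCTYPE"),
    ("Login failed. SAML token invalid",
     "login_failed: response rejected, see earlier finding on the same thread"),
]
# Verdicts that only restate the failure rather than explain it.
SECONDARY = ("doctype_warning", "login_failed")

def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def diagnose(msg):
    for needle, verdict in SIGNATURES:
        if needle in msg:
            return verdict
    return None

def triage(lines):
    """Map request thread -> [(timestamp, verdict), ...] in log order."""
    by_thread = OrderedDict()
    for raw in lines:
        rec = parse_line(raw)
        if not rec or not rec["logger"].startswith("com.adobe.granite.auth.saml"):
            continue
        verdict = diagnose(rec["msg"])
        if verdict:
            by_thread.setdefault(rec["thread"], []).append((rec["ts"], verdict))
    return by_thread

def root_cause(findings):
    """First verdict on a thread that is not merely a secondary symptom."""
    for _, v in findings:
        if not v.startswith(SECONDARY):
            return v.split(":")[0]
    return "unknown"

# Sample input copied from the post above (constructed subset for the demo).
SAMPLE_LOG = [
    "17.07.2018 18:05:28.540 *DEBUG* [qtp329006843-3210] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.",
    "17.07.2018 18:05:30.119 *ERROR* [qtp329006843-3364] com.adobe.granite.auth.saml.util.SamlReader Document is invalid: no grammar found.",
    '17.07.2018 18:05:30.119 *ERROR* [qtp329006843-3364] com.adobe.granite.auth.saml.util.SamlReader Document root element "saml2p:Response", must match DOCTYPE root "null".',
    "17.07.2018 18:05:30.149 *DEBUG* [qtp329006843-3364] com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: audienceRestrictions violated.",
    "17.07.2018 18:05:30.149 *INFO* [qtp329006843-3364] com.adobe.granite.auth.saml.SamlAuthenticationHandler Login failed. SAML token invalid.",
]

if __name__ == "__main__":
    for thread, findings in triage(SAMPLE_LOG).items():
        print(thread, "->", root_cause(findings))
```

With several SAML configurations, compare the reported entity ID mismatch against the Service Provider Entity ID of the configuration that protects the requested path.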