SOLVED

Need info AEM 6.2: Ability to extend SAML Authentication Handler for customizing user creation


Level 1

Hi there,

We are currently using SAML authentication in our project. We expect many users will be using the site after go-live, so a lot of users would be created in AEM. We don't want to create a lot of user nodes. Is there any way to customize the default SAML authentication to stop creating new users and use a default AEM user after login, so there will not be much load on AEM? Please suggest.

Expectation: Use SAML without creating multiple users in AEM and impersonate with a default user to authenticate.

Thanks,

Praveen


5 Replies


Level 9

Hi Praveen,

Check whether your IdP supports impersonation for federated applications; if so, configure that. Otherwise configure the IdP to pass a constant attribute with the value of the AEM user and use that attribute name as userIDAttribute in the SAML configuration. No need to extend; it will work out of the box.

Thanks,


Level 1

Thanks MC for your suggestion. Currently, we are using Google as IdP. I will look at an option in the Google SAML configuration to use a custom attribute. Also, we need the actual user information (e.g. email address, name, ...) as well after defaulting to an individual user.


Correct answer by
Level 9

In that case use post processor & store the attribute information in cookie or some thing. Sample post processor example at Apoorva Ganapathy's Blog: AEM - Processing SAML Response
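A worked example of the post-processor approach described in this answer, added here as an illustration; it is not code from the thread or from the linked blog. It assumes AEM's SAML handler has already validated the assertion signature before any AuthenticationInfoPostProcessor runs, so the processor only re-reads the POSTed SAMLResponse to pull out attributes. The package name, cookie name and HMAC key are placeholders; the HMAC over the cookie value is there so that later requests can detect a client-edited cookie, and the XML parser is configured to reject DTDs and external entities.

```java
package com.example.saml; // hypothetical package name

import java.io.ByteArrayInputStream;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.sling.auth.core.spi.AuthenticationInfo;
import org.apache.sling.auth.core.spi.AuthenticationInfoPostProcessor;
import org.osgi.service.component.annotations.Component;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

@Component(service = AuthenticationInfoPostProcessor.class, immediate = true)
public class SamlAttributeCookiePostProcessor implements AuthenticationInfoPostProcessor {

    private static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    private static final String COOKIE_NAME = "saml-attrs";               // constructed name
    private static final String MAC_ALG = "HmacSHA256";
    // Placeholder only: a real deployment loads this from OSGi config or a secret store.
    private static final byte[] HMAC_KEY = "replace-with-a-real-secret".getBytes(StandardCharsets.UTF_8);

    @Override
    public void postProcess(AuthenticationInfo info, HttpServletRequest request, HttpServletResponse response) {
        // Sling calls every post processor on every authenticated request (including token-based
        // ones on later hits); only the IdP's POST-binding callback carries a SAMLResponse.
        String samlResponse = request.getParameter("SAMLResponse");
        if (samlResponse == null || info == null || info.getUser() == null) {
            return;
        }
        try {
            Map<String, String> attrs = extractAttributes(Base64.getMimeDecoder().decode(samlResponse));
            String payload = encode(attrs);
            Cookie cookie = new Cookie(COOKIE_NAME, payload + "." + hmac(payload));
            cookie.setHttpOnly(true);   // not readable from page scripts
            cookie.setSecure(true);     // only sent over HTTPS
            cookie.setPath("/");
            response.addCookie(cookie);
        } catch (Exception e) {
            // Attribute extraction failing must not undo a login the SAML handler already accepted.
        }
    }

    // Parses the (already signature-checked) response with DTDs and external entities disabled
    // and returns Attribute Name -> first AttributeValue.
    static Map<String, String> extractAttributes(byte[] xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        Document doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
        Map<String, String> out = new LinkedHashMap<>();
        NodeList attributes = doc.getElementsByTagNameNS(SAML2_NS, "Attribute");
        for (int i = 0; i < attributes.getLength(); i++) {
            Element attr = (Element) attributes.item(i);
            NodeList values = attr.getElementsByTagNameNS(SAML2_NS, "AttributeValue");
            if (values.getLength() > 0) {
                out.put(attr.getAttribute("Name"), values.item(0).getTextContent().trim());
            }
        }
        return out;
    }

    // Serialises the map as URL-encoded pairs, then base64url so the value is cookie-safe.
    static String encode(Map<String, String> attrs) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : attrs.entrySet()) {
            if (sb.length() > 0) sb.append('&');
            sb.append(URLEncoder.encode(e.getKey(), "UTF-8")).append('=')
              .append(URLEncoder.encode(e.getValue(), "UTF-8"));
        }
        return Base64.getUrlEncoder().withoutPadding()
                .encodeToString(sb.toString().getBytes(StandardCharsets.UTF_8));
    }

    static String hmac(String payload) throws Exception {
        Mac mac = Mac.getInstance(MAC_ALG);
        mac.init(new SecretKeySpec(HMAC_KEY, MAC_ALG));
        return Base64.getUrlEncoder().withoutPadding()
                .encodeToString(mac.doFinal(payload.getBytes(StandardCharsets.UTF_8)));
    }

    // For later requests: returns the attributes only if the cookie's MAC still verifies, else empty.
    public static Map<String, String> readAttributes(HttpServletRequest request) throws Exception {
        Map<String, String> out = new LinkedHashMap<>();
        if (request.getCookies() == null) return out;
        for (Cookie c : request.getCookies()) {
            if (!COOKIE_NAME.equals(c.getName())) continue;
            int dot = c.getValue().lastIndexOf('.');
            if (dot < 0) return out;
            String payload = c.getValue().substring(0, dot);
            byte[] expected = hmac(payload).getBytes(StandardCharsets.UTF_8);
            byte[] given = c.getValue().substring(dot + 1).getBytes(StandardCharsets.UTF_8);
            if (!MessageDigest.isEqual(expected, given)) return out;   // constant-time compare
            String decoded = new String(Base64.getUrlDecoder().decode(payload), StandardCharsets.UTF_8);
            for (String pair : decoded.split("&")) {
                int eq = pair.indexOf('=');
                if (eq > 0) out.put(URLDecoder.decode(pair.substring(0, eq), "UTF-8"),
                                    URLDecoder.decode(pair.substring(eq + 1), "UTF-8"));
            }
        }
        return out;
    }
}
```

The early return on a missing SAMLResponse is deliberate: Sling invokes post processors for the token handler's AuthenticationInfo on every subsequent request as well, so without the guard the processor would try to parse a response that is not there. Because the IdP's attributes are only as trustworthy as the cookie that carries them, the MAC (or, alternatively, server-side session storage) is what keeps a user from editing their own email or name claim before the application reads it back.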


Level 1

Hello Praveen,

Did the Post Processor solve your issue?

We also want to avoid user creation and want to authenticate CRX with some impersonate user. At the same time we want to maintain the IdP-provided user details in the AEM session for further use.

We would like to know if we have to write Custom SAML Authentication Handler or writing Post Processor will suffice.

Thanks,

Sagar


Level 2

Hi,

We have encountered a similar issue. We have implemented CustomAuthenticationInfoPostProcessor, HttpServletRequest.pathInfo is null and I can see

TokenAuthenticationHandler Extracted token information but

BearerAuthenticationHandler extractCredentials: Unable to extract an access token and

.AbstractLoginModule No credentials found

LoginContextProviderImpl Found pre-authenticated subject: No further login actions required.

I don't see the Post Processor getting executed any further; it has exited.

Can somebody suggest what might be going wrong?