SOLVED

OOTB SSO authentication not working

Level 6

I am testing SSO authentication on 5.6.1 on an author instance and installed these hotfixes, which are related to authentication: 3645, 3707. I am giving the user information as a request parameter (http://localhost:4502/siteadmin?userid=testuser). I modified repository.xml as follows:

<LoginModule class="com.day.crx.core.CRXLoginModule">
    <param name="trust_credentials_attribute" value="TrustedInfo"/>
    <param name="anonymous_principal" value="anonymous"/>
</LoginModule>

and have configured the SSO authentication handler as attached. Now when I hit this URL (http://localhost:4502/siteadmin?userid=testuser) it gives a blank page, and I can see 403 errors coming. Error.log:

08.05.2014 21:33:58.888 *WARN* [0:0:0:0:0:0:0:1 [1399565038886] GET /siteadmin?userid=testuser HTTP/1.1] org.apache.jackrabbit.core.security.authentication.AbstractLoginModule Usage of deprecated 'trust_credentials_attribute' option. Please note that for security reasons this feature will notbe supported in future releases.
08.05.2014 21:33:59.021 *INFO* [0:0:0:0:0:0:0:1 [1399565039020] GET /libs/mcm/emailservice-clientlib.css HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator getAnonymousResolver: Anonymous access not allowed by configuration - requesting credentials
08.05.2014 21:33:59.022 *INFO* [0:0:0:0:0:0:0:1 [1399565039022] GET /etc/clientlibs/foundation/jquery.js HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator getAnonymousResolver: Anonymous access not allowed by configuration - requesting credentials

I do see that testuser was logged in to the CRX repository, but on the subsequent calls for the different CSS/JS files, Sling assumes that this user is the anonymous user instead of "testuser". My understanding is that the SSO authentication handler is not able to create a token from the request parameter during the subsequent calls (http://localhost:5502/libs/cq/ui/widgets.js for example), as the request parameter is not available there. Token authentication does not seem to work when the SSO authentication handler is used.

I would really appreciate it if you could tell me whether my understanding is correct or I am missing something, and whether it will work if I use the HTTP header/cookie approach.

Regards,

Sam

1 Accepted Solution

Correct answer by
Level 2

Against which domain is your user getting authenticated? It's not clear.

Is your custom authentication handler showing up in http://localhost:4502/system/console/slingauth#

Have you created your user in CQ and added the user to a group which has content permissions?

OTB access permissions are very limited; you will have to check this.


2 Replies

Level 6

I've tested SSO with the cookie-based approach, and everything is working fine except that when I try to make the cookie secure, AEM displays the login page.

My code which is running on Tomcat:

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Class name is a placeholder; the posted fragment showed only the doPost method.
public class SsoRedirectServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        // Assumption: the user id is taken from the posted form field; the fragment left 'user' undefined.
        String user = req.getParameter("user");
        String newUrl = "http://localhost:4502/siteadmin";
        Cookie cookie = new Cookie("REMOTE_USER", user);
        cookie.setPath("/");
        cookie.setHttpOnly(true);
        cookie.setSecure(true); // If I remove this then SSO works
        res.addCookie(cookie);
        res.sendRedirect(newUrl);
    }
}

Kindly let me know what could be the issue with secure-cookie-based SSO authentication.
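Both problems in this thread come down to which requests of a page load actually carry the user id to the SSO handler: the request-parameter variant in the question (only the first request has `?userid=`) and the Secure-cookie variant in the last reply (a Secure cookie is never sent to an `http://` origin, so AEM on http://localhost:4502 sees no `REMOTE_USER` and falls back to its login page). The following Python model is an added example, not AEM, Sling or Adobe code and not the poster's handler. It pairs a minimal browser cookie jar that applies the RFC 6265 path and Secure rules with a stand-in for the handler's extractCredentials step. The names `REMOTE_USER` and `userid` and the three request paths are taken from the thread; the "header" transport assumes a hypothetical proxy in front of AEM that injects the header on every request, and the jar uses the plain RFC rule without the `http://localhost` exemption that newer browsers add.

```python
"""Constructed model (not AEM or Sling code) of how an SSO handler sees credentials
across the requests of one page load, under the three transports the thread discusses."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    path: str = "/"
    secure: bool = False
    http_only: bool = True  # kept for fidelity; it does not affect whether the cookie is sent


@dataclass
class Request:
    url: str
    cookies: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)

    @property
    def params(self) -> Dict[str, str]:
        return {k: v[0] for k, v in parse_qs(urlsplit(self.url).query).items()}


class BrowserCookieJar:
    """Decides which stored cookies accompany a request to a given URL."""

    def __init__(self) -> None:
        self.cookies: List[Cookie] = []

    def add(self, cookie: Cookie) -> None:
        self.cookies.append(cookie)

    def cookies_for(self, url: str) -> Dict[str, str]:
        parts = urlsplit(url)
        sent = {}
        for c in self.cookies:
            path_ok = parts.path.startswith(c.path)  # simplified path matching
            # Plain RFC 6265 rule: a Secure cookie travels only over https.
            # Newer browsers exempt http://localhost; that exemption is not modelled.
            secure_ok = (not c.secure) or parts.scheme == "https"
            if path_ok and secure_ok:
                sent[c.name] = c.value
        return sent

    def build_request(self, url: str, headers: Optional[Dict[str, str]] = None) -> Request:
        return Request(url, self.cookies_for(url), dict(headers or {}))


def extract_user(request: Request, mode: str) -> Optional[str]:
    """Stand-in for the handler's extractCredentials; None means no credentials, i.e. anonymous."""
    if mode == "parameter":
        return request.params.get("userid")
    if mode == "cookie":
        return request.cookies.get("REMOTE_USER")
    if mode == "header":
        return request.headers.get("REMOTE_USER")
    raise ValueError(f"unknown transport: {mode}")


# Request sequence of one page load, taken from the error.log in the question.
PAGE_LOAD = [
    "/siteadmin",
    "/libs/mcm/emailservice-clientlib.css",
    "/etc/clientlibs/foundation/jquery.js",
]


def simulate(mode: str, scheme: str = "http", secure_cookie: bool = False) -> Dict[str, Optional[str]]:
    """Return the user id the handler would see for each request of the page load."""
    jar = BrowserCookieJar()
    if mode == "cookie":
        # The Tomcat servlet in the thread sets this cookie before redirecting to AEM.
        jar.add(Cookie("REMOTE_USER", "testuser", path="/", secure=secure_cookie))
    seen = {}
    for i, path in enumerate(PAGE_LOAD):
        url = f"{scheme}://localhost:4502{path}"
        if mode == "parameter" and i == 0:
            url += "?userid=testuser"  # only the first request carries the parameter
        # Assumption for header mode: a hypothetical proxy injects the header on every request.
        headers = {"REMOTE_USER": "testuser"} if mode == "header" else {}
        seen[path] = extract_user(jar.build_request(url, headers), mode)
    return seen


if __name__ == "__main__":
    for label, kwargs in [
        ("parameter", dict(mode="parameter")),
        ("cookie over http", dict(mode="cookie")),
        ("Secure cookie over http", dict(mode="cookie", secure_cookie=True)),
        ("Secure cookie over https", dict(mode="cookie", scheme="https", secure_cookie=True)),
    ]:
        print(label, simulate(**kwargs))
```

Running the block shows the two outcomes the thread describes: in parameter mode only `/siteadmin` yields `testuser` and the clientlib requests come back anonymous, which is why the log reports "Anonymous access not allowed by configuration" for them; in cookie mode every request carries the user id, unless the cookie is Secure and the target is `http://`, in which case all three are anonymous, and serving AEM over HTTPS (or leaving Secure off on a non-TLS test instance) restores it. Note that in this model the cookie or header is only a carrier for a user id, so the trust decision still has to be enforced at the edge, for example by the proxy that sets the header, which is also the concern behind the deprecation warning for `trust_credentials_attribute` in the posted log.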