Expand my Community achievements bar.

SOLVED

Parallel authentication support for same site on AEM 6.1

Avatar

Level 3

Hi,

 

Our current project has AEM 6.1 in production with SAML authentication handler for user authentication. Also it has single site to serve for WEB, Mobile and Tablet (mobile responsive site).

 

Currently client wants to move to OAuth. But during migration , want to keep both SAML as well as OAuth for same site. i.e. if user access page1 on WEB do SAML authentication while when page1 access via Mobile do OAuth.

 

Please suggest whether its doable in AEM 6.1 if yes, any solution approach.

1 Accepted Solution

Avatar

Correct answer by
Employee

Since there is no way to define which handler on the same path to trigger for authentication you would have to do some customization.

 

You could implement a custom servlet /bin/auth and configure the authentication handlers under subpaths of the servlet - for example /bin/auth/saml.  When the user accesses the AEM site via method requiring SAML then set a cookie to remember their original entry point and redirect to that servlet with a querystring saying which type of authentication.  For Example:

/bin/auth?type=saml

or

/bin/auth?type=oauth

Then redirect the user to the respective Auth Handler's path to trigger its normal authentication sequence (note that you should have stored a cookie remembering which page they started on before being redirected to /bin/auth?... so you could use that to send them back:

 

Auth handler OSGi configs:

 

SAML Handler "Path":

/bin/auth/saml

IDP would be configured with SAML Response to be sent to:

/bin/auth/saml/saml_login

 

OAuth Handler "Path":

/bin/auth/oauth

View solution in original post

3 Replies

Avatar

Employee

Sure, authentication handlers register on paths you define, so you should be okay here.

 

P.S. Time to upgrade off 6.1

Avatar

Level 3

Thanks @aemmarc .

 

But as i mentioned we have single site structure, so each page have dual authentication handler and based on access point web or mobile or tablet, need to invoke handler accordingly.

 

Hence the need to invoke handler per access point (web, mobile) not per site structure.

 

Please suggest.

Avatar

Correct answer by
Employee

Since there is no way to define which handler on the same path to trigger for authentication you would have to do some customization.

 

You could implement a custom servlet /bin/auth and configure the authentication handlers under subpaths of the servlet - for example /bin/auth/saml.  When the user accesses the AEM site via method requiring SAML then set a cookie to remember their original entry point and redirect to that servlet with a querystring saying which type of authentication.  For Example:

/bin/auth?type=saml

or

/bin/auth?type=oauth

Then redirect the user to the respective Auth Handler's path to trigger its normal authentication sequence (note that you should have stored a cookie remembering which page they started on before being redirected to /bin/auth?... so you could use that to send them back:

 

Auth handler OSGi configs:

 

SAML Handler "Path":

/bin/auth/saml

IDP would be configured with SAML Response to be sent to:

/bin/auth/saml/saml_login

 

OAuth Handler "Path":

/bin/auth/oauth