Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
Bedrock Mission!

Learn more

View all

Sign in to view all badges

SOLVED

Parallel authentication support for same site on AEM 6.1

sukumard5750513
Level 3
Level 3

Hi,

 

Our current project has AEM 6.1 in production with SAML authentication handler for user authentication. Also it has single site to serve for WEB, Mobile and Tablet (mobile responsive site).

 

Currently client wants to move to OAuth. But during migration , want to keep both SAML as well as OAuth for same site. i.e. if user access page1 on WEB do SAML authentication while when page1 access via Mobile do OAuth.

 

Please suggest whether its doable in AEM 6.1 if yes, any solution approach.

1 Accepted Solution
Andrew_Khoury
Correct answer by
Employee
Employee

Since there is no way to define which handler on the same path to trigger for authentication you would have to do some customization.

 

You could implement a custom servlet /bin/auth and configure the authentication handlers under subpaths of the servlet - for example /bin/auth/saml.  When the user accesses the AEM site via method requiring SAML then set a cookie to remember their original entry point and redirect to that servlet with a querystring saying which type of authentication.  For Example:

/bin/auth?type=saml

or

/bin/auth?type=oauth

Then redirect the user to the respective Auth Handler's path to trigger its normal authentication sequence (note that you should have stored a cookie remembering which page they started on before being redirected to /bin/auth?... so you could use that to send them back:

 

Auth handler OSGi configs:

 

SAML Handler "Path":

/bin/auth/saml

IDP would be configured with SAML Response to be sent to:

/bin/auth/saml/saml_login

 

OAuth Handler "Path":

/bin/auth/oauth

View solution in original post

3 Replies
aemmarc
Employee
Employee

Sure, authentication handlers register on paths you define, so you should be okay here.

 

P.S. Time to upgrade off 6.1

sukumard5750513
Level 3
Level 3

Thanks @aemmarc .

 

But as i mentioned we have single site structure, so each page have dual authentication handler and based on access point web or mobile or tablet, need to invoke handler accordingly.

 

Hence the need to invoke handler per access point (web, mobile) not per site structure.

 

Please suggest.

Andrew_Khoury
Correct answer by
Employee
Employee

Since there is no way to define which handler on the same path to trigger for authentication you would have to do some customization.

 

You could implement a custom servlet /bin/auth and configure the authentication handlers under subpaths of the servlet - for example /bin/auth/saml.  When the user accesses the AEM site via method requiring SAML then set a cookie to remember their original entry point and redirect to that servlet with a querystring saying which type of authentication.  For Example:

/bin/auth?type=saml

or

/bin/auth?type=oauth

Then redirect the user to the respective Auth Handler's path to trigger its normal authentication sequence (note that you should have stored a cookie remembering which page they started on before being redirected to /bin/auth?... so you could use that to send them back:

 

Auth handler OSGi configs:

 

SAML Handler "Path":

/bin/auth/saml

IDP would be configured with SAML Response to be sent to:

/bin/auth/saml/saml_login

 

OAuth Handler "Path":

/bin/auth/oauth

View solution in original post