SOLVED

Configuring SAML for multiple domain in same Instance AEM 6.1


Level 4

We have multiple websites in the same instance with different domains. Currently we are using the Adobe SAML 2.0 configuration for authenticating one of the sites. Now we need to have authentication for the other domains too. I have tried adding separate Adobe SAML configurations for each domain. We have a single IDP URL and a separate SPID for each domain, and the path given for all was "/". While logging in to any site, it is redirecting to the URL provided in the handler with the highest service ranking.

I tried providing the path field according to the domain (e.g. for www.abc.com, path as /content/abc, and so on), but then I get the exception below.

Caused by: org.apache.sling.api.resource.PersistenceException: Resource at '/saml_login' is not modifiable.
    at org.apache.sling.servlets.post.impl.helper.SlingPropertyValueHandler.setProperty(SlingPropertyValueHandler.java:152)
    at org.apache.sling.servlets.post.impl.operations.ModifyOperation.writeContent(ModifyOperation.java:411)
    at org.apache.sling.servlets.post.impl.operations.ModifyOperation.doRun(ModifyOperation.java:101)
    ... 126 common frames omitted

Did anyone face a similar issue? Please advise.

1 Accepted Solution


Correct answer by
Employee

If we have a single IDP configured, you just need to adjust the 'path' in the SAML config to point to the other sites. If we have multiple IDPs, adding a new config would make sense.

Accordingly, you can adjust your rewrite rules, Resource Resolver or /etc/map configs so that once it goes through the dispatcher, the correct URL is resolved and the SAML auth handler kicks in and invokes the authentication mechanism.


9 Replies



Level 4

Hi Kunwar

We are also trying to configure multiple domains with a single IDP. Since we have multiple domains and the IDP should redirect to the URL corresponding to that domain once authenticated, we have configured multiple SAML authentication handler configurations. Each authentication handler has a different SP ID. The IDP is trying to redirect to the appropriate domain with /saml_login post authentication. But the issue we are facing with multiple configurations is that the second entry starts throwing the error below:

09.01.2019 05:51:40.284 *DEBUG* [qtp1545571589-536241] com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: audienceRestrictions violated.
09.01.2019 05:51:40.301 *INFO* [qtp1545571589-536241] com.adobe.granite.auth.saml.SamlAuthenticationHandler Login failed. SAML token invalid.

When we keep only one of these entries it works fine. This issue is happening only when we have more than one entry: the first entry works fine while the second throws this error.

Can you please suggest how to handle this?


Level 4

Hi rajeevy89244319

Can you make sure that the "path" property in the SAML configuration matches the assertion consumer URL on the IDP side?

E.g. if we have two domains, www.abc.com with root path /content/abc and www.xyz.com with /content/xyz, then in the SAML configuration for www.abc.com the path should be configured as /content/abc and the assertion consumer URL should be https://www.abc.com/content/abc/saml_login; configure the other domain in a similar way. Also configure the default redirect URL for both domains as required.


Level 4

Hi anushap40132887,

I forgot to update this thread. I was able to find the solution and it is exactly what you have mentioned in your comment. Endpoint URLs need to have the full content path before /saml_login even if the path is shortened on the actual website.

Thanks,
Rajeev
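To make the interplay of the handler 'path', the SP ID and the assertion consumer URL concrete, here is a small model written for this thread; it is example code, not AEM's implementation and not code from any poster. It reverses a hypothetical host-to-content-root mapping the way /etc/map or dispatcher rewrites would, picks the handler by a simplification of Sling's path-based selection (longest matching path wins, service ranking breaks ties), and then checks the assertion's AudienceRestriction against that handler's SP entity ID. The config field names, the host mapping, the SP IDs and the assertions are the example's own assumptions. It reproduces the "audienceRestrictions violated" outcome when two handlers both sit at "/", shows it going away once each domain has its own path and an ACS URL that carries the full content path before /saml_login, and shows the "no handler" case when a shortened /saml_login arrives on a host with no mapping, where the POST is left to the default Sling POST servlet (consistent with the sling.servlets.post stack trace in the question).

```python
# Model of SAML handler selection on a multi-domain AEM instance (example code for
# this thread, not AEM's implementation). All names, hosts and assertions are assumed.
from dataclasses import dataclass
from typing import List, Optional
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


@dataclass(frozen=True)
class SamlHandlerConfig:
    path: str             # content path the handler is registered for ('path' in the config)
    sp_entity_id: str     # Service Provider Entity ID (the SPID the audience must match)
    acs_url: str          # Assertion Consumer Service URL registered on the IDP side
    service_ranking: int = 0


# Assumed /etc/map-style mapping: the content root the dispatcher/resolver strips from URLs.
HOST_TO_CONTENT_ROOT = {
    "www.abc.com": "/content/abc",
    "www.xyz.com": "/content/xyz",
}


def resolve_internal_path(host: str, external_path: str) -> str:
    """Undo URL shortening: on www.abc.com, '/saml_login' is '/content/abc/saml_login'
    inside AEM. A path that already carries the content root is left alone, which is
    why an ACS URL with the full content path works even without the mapping."""
    root = HOST_TO_CONTENT_ROOT.get(host)
    if root is None:
        return external_path
    if external_path == root or external_path.startswith(root + "/"):
        return external_path
    return root + external_path


def select_handler(configs: List[SamlHandlerConfig], internal_path: str) -> Optional[SamlHandlerConfig]:
    """Simplified Sling-style selection: longest matching 'path' wins, service ranking
    breaks ties. With every handler at '/', ranking alone decides, for every domain."""
    matching = [c for c in configs
                if internal_path == c.path
                or internal_path.startswith(c.path.rstrip("/") + "/")]
    if not matching:
        return None
    return max(matching, key=lambda c: (len(c.path.rstrip("/")), c.service_ranking))


def audience_ok(assertion_xml: str, expected_audience: str) -> bool:
    """The check behind 'Invalid Assertion: audienceRestrictions violated': the
    assertion's <Audience> must name the selected handler's SP entity ID."""
    root = ET.fromstring(assertion_xml)
    audiences = {a.text.strip() for a in root.iter(f"{{{SAML_NS}}}Audience") if a.text}
    return expected_audience in audiences


def make_assertion(audience: str) -> str:
    """Constructed minimal assertion carrying only the AudienceRestriction."""
    return (f'<saml:Assertion xmlns:saml="{SAML_NS}"><saml:Conditions>'
            f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
            f'</saml:AudienceRestriction></saml:Conditions></saml:Assertion>')


def handle_acs_post(configs, host, external_path, assertion_xml) -> str:
    """Simulate the IDP's POST of an assertion to https://<host><external_path>."""
    handler = select_handler(configs, resolve_internal_path(host, external_path))
    if handler is None:
        # Nothing intercepts the POST; it falls through to the default Sling POST servlet.
        return "no handler"
    if not audience_ok(assertion_xml, handler.sp_entity_id):
        return f"{handler.sp_entity_id}: audienceRestrictions violated"
    return f"{handler.sp_entity_id}: ok"


# Both handlers at '/', as in the question: the highest-ranked one answers every domain.
BROKEN = [
    SamlHandlerConfig("/", "abc-sp", "https://www.abc.com/saml_login", service_ranking=10),
    SamlHandlerConfig("/", "xyz-sp", "https://www.xyz.com/saml_login", service_ranking=5),
]

# Per-domain path, with the ACS URL carrying the full content path before /saml_login.
FIXED = [
    SamlHandlerConfig("/content/abc", "abc-sp", "https://www.abc.com/content/abc/saml_login"),
    SamlHandlerConfig("/content/xyz", "xyz-sp", "https://www.xyz.com/content/xyz/saml_login"),
]


def run_scenarios() -> dict:
    """Constructed scenarios; each key names the situation from the thread."""
    return {
        "both at '/', login on xyz": handle_acs_post(BROKEN, "www.xyz.com", "/saml_login", make_assertion("xyz-sp")),
        "per-domain path, full ACS path": handle_acs_post(FIXED, "www.xyz.com", "/content/xyz/saml_login", make_assertion("xyz-sp")),
        "per-domain path, shortened URL mapped": handle_acs_post(FIXED, "www.xyz.com", "/saml_login", make_assertion("xyz-sp")),
        "per-domain path, shortened URL unmapped": handle_acs_post(FIXED, "author.internal", "/saml_login", make_assertion("abc-sp")),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The design point the model makes explicit: the audience check is only as good as the handler selection in front of it. Two handlers registered at "/" differ only by ranking, so the same handler (and the same SP entity ID) is applied to every domain, and an assertion the IDP correctly issued for the second SP is rejected as an audience mismatch. Giving each handler its own content path, and registering at the IDP an ACS URL that already contains that content path, makes the selection independent of whether the dispatcher shortens the URL.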


Level 2

Hi Rajeev,

My problem statement is the same as that of anushap40132887.

Till now I had only one domain, e.g. www.abc.com, configured in my AEM instance, so I have configured the path as "/" in my SAML configuration and the assertion URL as www.abc.com/saml_login. So whenever I access /system/sling/login it redirects to the IDP and post authentication it renders back to www.abc.com.

Now I need to set up, say, the www.xyz.com domain on the same AEM instance with the same IDP, so I have made two SAML configurations, but it is always picking the first one. Even if I make the request from xyz.com, it picks the first SAML configuration and sends the request from abc.com.

Early response is much appreciated.

Thanks,

Ashish


Level 2

What about the path parameter? Actually my login functionality triggers only when the user clicks on the sign-in link, not when accessing any particular path. So in the sign-in link I invoke the /system/sling/login servlet, which in turn invokes the SAML handler.

Can you please elaborate considering my use case?


Level 4

In AEM, you need to provide the content path on which SAML authentication needs to be applied. Also, add the paths in the Sling Authentication Service that should not be public and need to undergo authentication.


Level 4

Hi,

Our requirement is similar, but when the user moves to the other domain, the user must not be asked to log in again since the IDP is the same for both domains, i.e. the user is on a page with domain www.xyz.com and tries to navigate to www.xyz.co.uk; the user must not be asked to log in again since they are already logged in and have access to co.uk as well. Is it possible? Are there any configurations required at the IDP end to achieve this?

We are using Salesforce as Identity Provider.

Any suggestions would be really helpful.

Thanks,

Srikanth Pogula.