SAML Authentication across multiple publish instances and user replication concern

courtthreeGDC
Level 2

15-05-2019

Good evening AEM Team!

We have integrated Okta as the IDM for our AEM 6.2 website. We have done so using a fairly standard SAML configuration which has worked well. In our live/production environment we have two publish instances so we have been testing the integration across two publish environments.

We have enabled Encapsulated Token support on both instances and we have found that, in order for the encapsulated token to work, the associated user account must exist on both publish instances.

However, there is a short delay of approximately 1 second between user replication across both publish instances as the SAML Authentication Handler adds the new user and the Apache Sling Distribution Agents - Sync Agents Factory replicates it to the other publisher.

Consider a scenario where a new user is SAML-authenticated on Pub 1 but the saml_login handler redirects the same user to Pub 2 after authentication. If this happened quicker than the 1 (or so) second(s) it takes for the user to replicate across to the second publish instance, the user may not be authenticated as they land on the page.

How do we avoid the 1 in 100 scenario where the user is redirected back to the SAML-protected page before their account is replicated to both publishers?

I assume this is a common concern/scenario and you guys will be able to advise accordingly. Thanks in advance!

Accepted Solutions (1)

Nupur_Jain
MVP

17-07-2020

Hi

The scenario you mentioned is really a one out of 100 scenario. You have done both the requirements to achieve this, i.e. enabling Encapsulated Token support and user syncing. If you really want your setup to work 100%, you can go next with Dispatcher sticky sessions along with the above points.

Dispatcher sticky sessions would make sure to direct all your requests to the same publish instance every time, and this scenario won't take place. You can refer to https://docs.adobe.com/content/help/en/experience-manager-dispatcher/using/configuring/dispatcher-co... for enabling sticky sessions for particular paths.

This reply is late but hope it helps others who are facing a similar issue.

Thanks!

Nupur
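As an added illustration of the sticky-session approach described in the reply above (this fragment is not from the reply or from the Adobe documentation; the farm name, virtual host, render hostnames, ports and content path are placeholders), a Dispatcher farm that pins requests under one content path to the publisher that first served them would look like this in dispatcher.any:

```text
/farms {
  /publishfarm {
    /virtualhosts { "www.example.com" }                   # placeholder hostname
    /renders {
      /pub1 { /hostname "pub1.internal" /port "4503" }    # placeholder render
      /pub2 { /hostname "pub2.internal" /port "4503" }    # placeholder render
    }
    # Requests under this path are answered with a renderid cookie, and every
    # later request that carries the cookie goes back to the same render, so
    # the login on Pub 1 and the redirected page request reach the same
    # instance and the user node does not need to have replicated yet.
    /stickyConnectionsFor "/content/mysite"
    /filter { /0001 { /type "allow" /url "/content/mysite/*" } }
    /cache { /docroot "/var/www/htdocs" }
  }
}
```

The race is only removed for requests that actually carry the renderid cookie. After enabling this, confirm in the browser's developer tools that the cookie is set on the first response and is sent with the post-login redirect to the protected page; a request without it is still balanced between renders and can land on the publisher that has not received the user yet. Where the load balancer in front of Dispatcher already does session affinity, as the other reply suggests, the same check applies to its affinity cookie.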

Answers (1)

Andrew_Khoury
Employee

17-07-2020

The only ways to avoid the issue:

1. Create a script to create the user nodes in AEM ahead of time

2. Enable sticky sessions on the load balancer so the user is always sent to the same AEM instance.
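The first option in the reply above, creating the user nodes on every publisher before anyone logs in, can be scripted against the Granite authorizable POST servlet. The script below is an added example and is not code from the thread or from Adobe. It assumes that the SAML handler maps the IdP NameID directly to the AEM authorizable ID (the default mapping), that `/libs/granite/security/post/authorizables` with `createUser` and `authorizableId` is used to create users (a documented AEM endpoint; the `intermediatePath` field naming the folder under `/home/users` is assumed to match the handler's configured user path), and that the publisher hosts, credentials and the list of NameIDs are placeholders you replace.

```python
"""Pre-create SAML user nodes on every publish instance (added example).

Creating the node on each publisher ahead of time means the redirect after
SAML login can land on either instance without waiting for Sling Distribution
to replicate the user.  Hostnames, credentials and the user list below are
placeholders; the intermediatePath value is an assumption and must match the
SAML handler's configured user path.
"""
import base64
import os
import secrets
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, List

# Granite POST servlet for creating users (documented AEM endpoint).
AUTHORIZABLES_POST = "/libs/granite/security/post/authorizables"

Sender = Callable[[str, Dict[str, str]], int]


def build_create_user_form(name_id: str, intermediate_path: str) -> Dict[str, str]:
    """Form fields that create one user node whose authorizable ID is the NameID.

    A random throwaway password is set because a SAML-authenticated user never
    logs in with a password; it only satisfies the servlet's required field.
    """
    return {
        "createUser": "",
        "authorizableId": name_id,
        "intermediatePath": intermediate_path,   # assumed to match the SAML handler config
        "rep:password": secrets.token_urlsafe(32),
    }


def http_sender(username: str, password: str) -> Sender:
    """Return a function that POSTs a form with HTTP Basic auth and returns the status."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()

    def send(url: str, form: Dict[str, str]) -> int:
        data = urllib.parse.urlencode(form).encode()
        req = urllib.request.Request(url, data=data, method="POST")
        req.add_header("Authorization", "Basic " + token)
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status

    return send


def precreate_users(publishers: Iterable[str], name_ids: Iterable[str],
                    intermediate_path: str, send: Sender) -> Dict[str, Dict[str, object]]:
    """Create every user on every publisher; return {publisher: {name_id: status}}.

    A failure on one publisher is recorded rather than raised, so one bad host
    does not stop the others from being populated.  `send` is injectable so the
    logic can be exercised without a live AEM instance.
    """
    results: Dict[str, Dict[str, object]] = {}
    for host in publishers:
        results[host] = {}
        for name_id in name_ids:
            form = build_create_user_form(name_id, intermediate_path)
            try:
                results[host][name_id] = send(host + AUTHORIZABLES_POST, form)
            except Exception as exc:  # network error, auth failure, etc.
                results[host][name_id] = f"error: {exc}"
    return results


def missing_anywhere(results: Dict[str, Dict[str, object]]) -> List[str]:
    """NameIDs that did not get a 2xx on at least one publisher.

    These users would still be exposed to the replication race and should be
    retried before they are expected to log in.
    """
    bad = set()
    for statuses in results.values():
        for name_id, status in statuses.items():
            if not (isinstance(status, int) and 200 <= status < 300):
                bad.add(name_id)
    return sorted(bad)


if __name__ == "__main__":
    # Placeholder hosts and users; credentials come from the environment.
    publishers = ["https://pub1.example.internal", "https://pub2.example.internal"]
    name_ids = ["alice@example.com", "bob@example.com"]       # constructed sample
    send = http_sender(os.environ["AEM_USER"], os.environ["AEM_PASSWORD"])
    outcome = precreate_users(publishers, name_ids, "saml", send)
    for host, statuses in outcome.items():
        print(host, statuses)
    print("still missing somewhere:", missing_anywhere(outcome))
```

Run it once per batch of expected NameIDs (for example, an export from the IdP) against all publishers, and treat a non-empty `missing_anywhere` result as a list to retry rather than a success. Because the user node then exists on both instances before the first login, the Encapsulated Token check on whichever publisher receives the redirect finds the account regardless of the replication delay.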