SOLVED

SAML configuration for multiple websites on same AEM 6.1 SP2 instance


Level 3

Hi all,

As per the business requirement, I am working on providing login functionality for multiple websites on the same AEM 6.1 SP2 instance. We already have a website which is configured with an IDP and SPID accordingly. Now that a few more websites have been added to the same instance, we are in the process of providing login functionality for them. We have a single IDP and multiple SPIDs with respective rankings for the websites. So upon creation of multiple SAML configurations, the handler picks up the highest-ranking configuration and processes it, for whatever website it is, with the "Path" configured to "/" for all the SAML configurations. Is there a way for us to say that www.aaa.com has to use SAML handler 1 and www.bbb.com has to use SAML handler 2? Or is it something for which we need to extend the existing SAML auth handler?

My requirement is close to this topic: Multiple Domains and SAML

I have followed the forum threads mentioned below, but had no luck getting through. Please suggest.

Multiple SAML Configurations on Same AEM 6.1 Instance

Multiple Authentication handlers

AEM integration with multiple identity provider

Thanks,

Arvind


5 Replies


Level 10

We have a SAML article here -- Integrating SAML with Adobe Experience Manager

For multiple ones - looks like you are correct - a custom handler is needed.


Employee

Why have "/" configured as the path for all of them? To avoid having to do some special handling, you could have each handler configured with "Path" pointing to the site (e.g. for the www.aaa.com handler the Path field would be /content/aaa). Then when the user goes to the site (they should be visiting /content/aaa anyway), they would get sent to the correct IDP for login.


Level 3

Hi Andrew,

Upon changing the path to "/content/aaa" and "/content/bbb", it still picks up the highest-ranking SAML configuration for all the websites' login. As I said, it's a single IDP and multiple SPIDs in our scenario.


Thanks,
Arvind


Correct answer by
Level 4

We can handle multiple-domain login with the OOB Adobe SAML configuration itself. No need for a custom handler.
Just make sure that the "path" property in the SAML configuration matches the assertion consumer URL on the IDP side.

E.g.: if we have two domains, www.abc.com with root path /content/abc and www.xyz.com with /content/xyz, then in the SAML configuration for www.abc.com the path should be configured as /content/abc and the assertion consumer URL should be https://www.abc.com/content/abc/saml_login; configure the other domain in a similar way. Also configure the default redirect URL for both domains as required.
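To make the path-scoping advice in Andrew's reply and in the accepted answer concrete, here is an added example (not code from this thread, from Adobe, or from AEM itself) that models the per-site SAML handler configurations in Python and checks that each site's assertion consumer URL is routed back to the handler holding that site's SP entity ID. The field names, the sample domains and SPIDs, and the selection rule (longest matching "Path" first, then service.ranking, a simplified model of Sling's path-based handler selection) are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple
from urllib.parse import urlparse


@dataclass(frozen=True)
class SamlHandlerConfig:
    """One SAML authentication handler configuration (hypothetical field names)."""
    name: str           # label used only in this example
    path: str           # the handler's "Path" property
    ranking: int        # service.ranking; higher wins among equal paths (assumption)
    sp_entity_id: str   # SP entity ID (SPID) registered at the IDP for this site
    acs_url: str        # assertion consumer URL registered at the IDP for this site


def _path_matches(handler_path: str, request_path: str) -> bool:
    """True if the handler's path covers the request path (whole path segments only)."""
    if handler_path == "/":
        return True
    base = handler_path.rstrip("/")
    return request_path == base or request_path.startswith(base + "/")


def select_handler(configs: Sequence[SamlHandlerConfig],
                   request_path: str) -> Optional[SamlHandlerConfig]:
    """Assumed selection model: longest matching path first, then service ranking."""
    candidates = [c for c in configs if _path_matches(c.path, request_path)]
    if not candidates:
        return None
    return max(candidates, key=lambda c: (len(c.path.rstrip("/")), c.ranking))


def check_acs_alignment(configs: Sequence[SamlHandlerConfig]) -> List[Tuple[str, str]]:
    """Verify that the ACS URL registered at the IDP for each config is routed back to
    that same config, so the SAML response is validated against the right SPID.
    Returns (config name, problem) pairs; an empty list means the set is consistent."""
    problems: List[Tuple[str, str]] = []
    for c in configs:
        acs_path = urlparse(c.acs_url).path
        if not acs_path.endswith("/saml_login"):
            problems.append((c.name, "ACS URL must end in /saml_login"))
            continue
        chosen = select_handler(configs, acs_path)
        if chosen is None:
            problems.append((c.name, f"no handler covers ACS path {acs_path}"))
        elif chosen.name != c.name:
            problems.append((c.name, f"ACS path {acs_path} is handled by '{chosen.name}' "
                                     f"(SP {chosen.sp_entity_id}), not '{c.name}'"))
    return problems


# Constructed sample: the thread's situation, two sites, one IDP, two SPIDs.
BROKEN = (  # every handler on "/": the highest ranking wins for every site
    SamlHandlerConfig("abc", "/", 100, "https://www.abc.com/sp",
                      "https://www.abc.com/content/abc/saml_login"),
    SamlHandlerConfig("xyz", "/", 50, "https://www.xyz.com/sp",
                      "https://www.xyz.com/content/xyz/saml_login"),
)
FIXED = (   # "Path" scoped to each site root, matching the ACS URL registered at the IDP
    SamlHandlerConfig("abc", "/content/abc", 100, "https://www.abc.com/sp",
                      "https://www.abc.com/content/abc/saml_login"),
    SamlHandlerConfig("xyz", "/content/xyz", 50, "https://www.xyz.com/sp",
                      "https://www.xyz.com/content/xyz/saml_login"),
)


if __name__ == "__main__":
    for label, configs in (("broken", BROKEN), ("fixed", FIXED)):
        chosen = select_handler(configs, "/content/xyz/en.html")
        print(f"{label}: /content/xyz/en.html -> handler {chosen.name} (SP {chosen.sp_entity_id})")
        for name, problem in check_acs_alignment(configs):
            print(f"{label}: {name}: {problem}")
```

With every handler on "/", a request for /content/xyz/en.html and the IDP's POST to /content/xyz/saml_login both land in the higher-ranked abc handler, which is the symptom the question describes; with the paths scoped to each site root the check reports nothing. In this model the check is worth re-running whenever an ACS URL registered at the IDP changes, because a response posted to a path outside a handler's "Path" is processed by whichever handler does cover it and checked against that handler's SPID rather than the intended one.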


Level 4

Hi,

Our requirement is similar, but when the user moves to the other domain, the user must not be asked to log in again since the IDP is the same for both domains, i.e. the user is on a page on the domain www.xyz.com and tries to navigate to www.xyz.co.uk; the user must not be asked to log in again since they are already logged in and have access to .co.uk as well. Is it possible? Are there any configurations required at the IDP end to achieve this?

We are using Salesforce as Identity Provider.

Any suggestions would be really helpful.

Thanks,

Srikanth Pogula.