As per the business requirement, I am working on providing login functionality for multiple websites on the same AEM 6.1 SP2 instance. We already have a website which is configured with an IDP and SPID accordingly. Now that there are a few more websites added to the same instance, we are in the process of providing login functionality for them. We have a single IDP and multiple SPIDs with respective rankings for the websites. So upon creation of multiple SAML configurations, the handler picks up the highest-ranking configuration and processes it, whatever the website is, with the "Path" configured to "/" for all the SAML configurations. Is there a way for us to say that www.aaa.com has to use SAML handler 1 and www.bbb.com has to use SAML handler 2? Or is it something for which we need to extend the existing SAML auth handler?
We can handle multiple-domain login with the OOB Adobe SAML configuration itself. No need for a custom handler. Just make sure that the "path" property in the SAML configuration matches the assertion consumer URL on the IDP side.
Eg: if we have two domains, www.abc.com with root path /content/abc and www.xyz.com with /content/xyz, then in the SAML configuration for www.abc.com the path should be configured as /content/abc and the assertion consumer URL should be https://www.abc.com/content/abc/saml_login; configure the other domain in a similar way. Also configure the default redirect URL for both domains as required.
Our requirement is similar, but when the user moves onto the other domain, the user must not be asked to log in again since the IDP is the same for both domains, i.e. the user is on a page with domain www.xyz.com and tries to navigate to www.xyz.co.uk; the user must not be asked to log in again since they are already logged in and have access to co.uk as well. Is it possible? Are there any configurations required at the IDP end to achieve this?
Upon changing the path to "/content/aaa" and "/content/bbb", it still picks up the highest-ranking SAML configuration for all the websites' login. As I said, it's a single IDP and multiple SPIDs in our scenario.
Why have "/" configured as the path for all of them? To avoid having to do some special handling, you could have each handler configured with "Path" pointing to the site (e.g. for the www.aaa.com handler the Path field would be /content/aaa). Then when the user goes to the site (they should be visiting /content/aaa anyway), they would get sent to the correct IDP for login.
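The two answers above make the same point: with "Path" set to "/" on every SAML configuration, all handlers cover every request and only the service ranking decides, so one site's configuration wins everywhere; with a per-site path, each site's handler only covers its own subtree. The following added example (written for this thread, not code from AEM or from any poster) models that selection rule and adds a check that each configuration's path agrees with the assertion consumer URL registered at the IDP. The selection order (longest matching path first, then highest ranking), the `SamlConfig` fields and the sample sites are assumptions and constructed data; only the `/saml_login` endpoint and the site paths come from the thread.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlparse


@dataclass(frozen=True)
class SamlConfig:
    """One SAML authentication handler configuration (one per site). Constructed model."""
    name: str      # label for this configuration (constructed)
    path: str      # the handler's "Path" property
    ranking: int   # the handler's service ranking
    acs_url: str   # assertion consumer URL registered for this SP at the IDP


def _path_matches(handler_path: str, request_path: str) -> bool:
    """True if the handler's path covers the request path ("/" covers everything)."""
    if handler_path == "/":
        return True
    prefix = handler_path.rstrip("/")
    return request_path == prefix or request_path.startswith(prefix + "/")


def select_handler(configs: Iterable[SamlConfig], request_path: str) -> Optional[SamlConfig]:
    """Pick the handler for a request: most specific path first, then highest ranking.

    Assumed, simplified model of how registered handlers are chosen; it is enough to
    show why "/" everywhere lets the highest-ranked configuration win for every site.
    """
    candidates = [c for c in configs if _path_matches(c.path, request_path)]
    if not candidates:
        return None
    return max(candidates, key=lambda c: (len(c.path.rstrip("/")), c.ranking))


def check_config(cfg: SamlConfig) -> List[str]:
    """Return a list of problems; an empty list means path and ACS URL agree."""
    problems = []
    acs = urlparse(cfg.acs_url)
    if acs.scheme != "https":
        problems.append(f"{cfg.name}: ACS URL should use https")
    if cfg.path == "/":
        problems.append(f"{cfg.name}: path '/' competes with every other site's handler")
    elif not _path_matches(cfg.path, acs.path):
        problems.append(f"{cfg.name}: ACS URL path {acs.path!r} is not under handler path {cfg.path!r}")
    if not acs.path.endswith("/saml_login"):
        problems.append(f"{cfg.name}: ACS URL should end in /saml_login")
    return problems


# Constructed sample configurations for the two sites discussed in the thread.
ALL_ROOT = [  # the original poster's setup: "/" on both, rankings differ
    SamlConfig("aaa", "/", 10, "https://www.aaa.com/content/aaa/saml_login"),
    SamlConfig("bbb", "/", 5, "https://www.bbb.com/content/bbb/saml_login"),
]
PER_SITE = [  # the recommended setup: one path per site
    SamlConfig("aaa", "/content/aaa", 10, "https://www.aaa.com/content/aaa/saml_login"),
    SamlConfig("bbb", "/content/bbb", 5, "https://www.bbb.com/content/bbb/saml_login"),
]


if __name__ == "__main__":
    for label, configs in (("all '/'", ALL_ROOT), ("per-site paths", PER_SITE)):
        chosen = select_handler(configs, "/content/bbb/en.html")
        print(f"{label}: /content/bbb/en.html -> handler {chosen.name if chosen else None}")
        for cfg in configs:
            for problem in check_config(cfg):
                print("  ", problem)
```

Running it shows the behaviour reported in the thread: with both paths at "/", a request under /content/bbb is handled by the higher-ranked aaa configuration, while with per-site paths each site gets its own handler and the checker reports nothing.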