SAML Custom AuthenticationHandler Can't Get User Info

jetate

30-07-2020

I have SAML set up and working correctly. I am receiving and storing attributes from SAML into user profile nodes. 

I am currently using an AuthenticationInfoPostProcessor to turn the profile nodes into user groups; however, this process runs asynchronously to the AuthenticationHandler methods, so new users who haven't had their groups set up are logged in before their groups can be set. When CUGs are enabled for the basic access group, the new users hit an error because they don't have authentication. The SAML process redirects the users to the page path they request, so they aren't all hitting a single page on login to process.

I have tried to set up a custom AuthenticationHandler which works on my local standard login where all logins are processed through /libs/granite/core/content/login.html/j_security_check, however on my SAML login, the POST to /content/saml isn't hitting the authenticationSucceeded method so my user isn't authenticated there. On other pages, when my user is successfully authenticated and my processor is called, there's no userID in the AuthenticationInfo so I can't process my user profile while delaying my login. 

Most of this was written by a consultant that I no longer have access to who told me to "examine the AuthenticationInfo object to see what all is there. The user ID should be available somewhere within that object." But I have no idea how I could do that when AuthenticationInfo.getUser() always returns null. 

This is what I'm doing to try to get the user. In the post processor, there were issues between non-SAML login and SAML login where the token was different so info.getUser() worked locally but not with the SAML login. In the AuthenticationHandler, SimpleCredentials works locally but if I try to just use that on the SAML login, I get a total failure.

// Imports needed by this fragment:
// javax.jcr.Credentials, javax.jcr.SimpleCredentials,
// org.apache.jackrabbit.api.security.authentication.token.TokenCredentials,
// org.apache.sling.jcr.resource.api.JcrResourceConstants
String userId = null;
final Object user = info.get(JcrResourceConstants.AUTHENTICATION_INFO_CREDENTIALS);
// Cast only when a Credentials object is actually present; a null here would
// otherwise throw a NullPointerException on the getClass() call below.
final Credentials credentials = user instanceof Credentials ? (Credentials) user : null;

// Compare types with instanceof rather than == on class-name Strings:
// == compares references, so it can be false even for identical names.
if (credentials instanceof TokenCredentials) {
    userId = info.getUser();
} else if (credentials instanceof SimpleCredentials) {
    final SimpleCredentials sp = (SimpleCredentials) credentials;
    userId = sp.getUserID();
}

I really have no idea what else to try to get the user processed on login without hitting the error on the basic user permissions. To get around this for now, we've had to disable CUGs which isn't effective long term when we need to restrict access to some pages based on them.

Is there a way to delay the login until the PostProcessor has set the user groups or to get the user info in an AuthenticationHandler using SAML? Or is there a method that hasn't come up that could process my user profile details into groups without hitting an error on the base user group to allow CUGs to be enabled?

authenticationhandler SAML

Accepted Solutions (0)

Answers (2)

Jörg_Hoh

Employee

30-07-2020

Hi,

Isn't it possible to retrieve group membership information via the standards? From what I understand, the AEM SAML authentication can do that for you. Why do you rely on custom properties to extract group memberships from?

And actually, the PostProcessors are invoked during the authentication; they are not running asynchronously. See https://github.com/apache/sling-org-apache-sling-auth-core/blob/master/src/main/java/org/apache/slin...


Jörg
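An added example, not code from the original post or from Sling/AEM: an AuthenticationInfoPostProcessor that resolves the logged-in user id from the AuthenticationInfo for both credential types the question mentions and, because postProcessors run inside the authentication flow as noted above, adds the user to a group before the request reaches a CUG-protected page. The class name, the "group-sync" sub-service name and the target group id are hypothetical; the service-user mapping for "group-sync" is assumed to exist in the OSGi configuration.

```java
package example.auth; // hypothetical package

import javax.jcr.Credentials;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.authentication.token.TokenCredentials;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.auth.core.spi.AuthenticationInfo;
import org.apache.sling.auth.core.spi.AuthenticationInfoPostProcessor;
import org.apache.sling.jcr.api.SlingRepository;
import org.apache.sling.jcr.resource.api.JcrResourceConstants;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Component(service = AuthenticationInfoPostProcessor.class)
public class UserIdResolvingPostProcessor implements AuthenticationInfoPostProcessor {

    private static final Logger LOG = LoggerFactory.getLogger(UserIdResolvingPostProcessor.class);
    private static final String SUB_SERVICE = "group-sync";      // hypothetical
    private static final String TARGET_GROUP = "basic-access";   // hypothetical

    @Reference
    private SlingRepository repository;

    @Override
    public void postProcess(AuthenticationInfo info, HttpServletRequest request,
                            HttpServletResponse response) throws LoginException {
        // The sentinel instances carry no user; compare by identity on purpose.
        if (info == null || info == AuthenticationInfo.DOING_AUTH || info == AuthenticationInfo.FAIL_AUTH) {
            return;
        }
        String userId = resolveUserId(info);
        if (userId == null) {
            // Log only the keys: values may hold a password or a login token.
            LOG.warn("Could not resolve user id; AuthenticationInfo keys: {}", info.keySet());
            return;
        }
        ensureMember(userId, TARGET_GROUP);
    }

    /** Returns the user id behind this AuthenticationInfo, or null if it cannot be derived. */
    String resolveUserId(AuthenticationInfo info) {
        if (info.getUser() != null) {            // handlers that set user.name directly
            return info.getUser();
        }
        Object raw = info.get(JcrResourceConstants.AUTHENTICATION_INFO_CREDENTIALS);
        if (raw instanceof SimpleCredentials) {  // form login: id is in the credentials
            return ((SimpleCredentials) raw).getUserID();
        }
        if (raw instanceof TokenCredentials) {   // token login: only the repository knows the id
            return userIdFromToken((TokenCredentials) raw);
        }
        return null;
    }

    private String userIdFromToken(Credentials credentials) {
        Session session = null;
        try {
            session = repository.login(credentials);  // token is mapped to its user by Oak
            return session.getUserID();
        } catch (RepositoryException e) {
            LOG.warn("Token login failed: {}", e.getMessage());  // never log the token itself
            return null;
        } finally {
            if (session != null) {
                session.logout();
            }
        }
    }

    /** Adds userId to groupId using a service session, if not already a member. */
    void ensureMember(String userId, String groupId) {
        Session session = null;
        try {
            session = repository.loginService(SUB_SERVICE, null);
            UserManager um = ((JackrabbitSession) session).getUserManager();
            Authorizable user = um.getAuthorizable(userId);
            Authorizable group = um.getAuthorizable(groupId);
            if (user != null && group instanceof Group && !((Group) group).isMember(user)) {
                ((Group) group).addMember(user);
                session.save();
            }
        } catch (RepositoryException e) {
            LOG.warn("Group sync for {} failed: {}", userId, e.getMessage());
        } finally {
            if (session != null) {
                session.logout();
            }
        }
    }
}
```

The group change is made with a dedicated service user rather than the logging-in user's own session, so the processor works even when the new user has no write permission on the group, and the diagnostic output deliberately lists only the AuthenticationInfo keys so that a password or login token never lands in the log.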