Highlighted

SAML Custom AuthenticationHandler Can't Get User Info

jetate

30-07-2020

I have SAML set up and working correctly. I am receiving and storing attributes from SAML into user profile nodes. 

I am currently using an AuthenticationInfoPostProcessor to turn the profile nodes into user groups however this process runs asynchronously to the AuthenticationHandler methods so new users which haven't had their groups set up are logged in before their groups can be set. When CUGs are enabled for the basic access group, the new users hit an error because they don't have authentication. The SAML process redirects the users to the page path they request, so they aren't all hitting a single page on login to process.

I have tried to set up a custom AuthenticationHandler which works on my local standard login where all logins are processed through /libs/granite/core/content/login.html/j_security_check, however on my SAML login, the POST to /content/saml isn't hitting the authenticationSucceeded method so my user isn't authenticated there. On other pages, when my user is successfully authenticated and my processor is called, there's no userID in the AuthenticationInfo so I can't process my user profile while delaying my login. 

Most of this was written by a consultant that I no longer have access to who told me to "examine the AuthenticationInfo object to see what all is there. The user ID should be available somewhere within that object." But I have no idea how I could do that when AuthenticationInfo.getUser() always returns null. 

This is what I'm doing to try to get the user. In the post processor, there were issues between non-SAML login and SAML login where the token was different so info.getUser() worked locally but not with the SAML login. In the AuthenticationHandler, SimpleCredentials works locally but if I try to just use that on the SAML login, I get a total failure.

String userId = null;
final Object user = info.get(JcrResourceConstants.AUTHENTICATION_INFO_CREDENTIALS);        
final Credentials credentials = user == null ? null : (Credentials) user;

if (credentials.getClass().getName() == TokenCredentials.class.getName()) {
    userId = info.getUser();
} else if (credentials.getClass().getName() == SimpleCredentials.class.getName()) {
    final SimpleCredentials sp = (SimpleCredentials) credentials;
    userId = sp.getUserID();
}

I really have no idea what else to try to get the user processed on login without hitting the error on the basic user permissions. To get around this for now, we've had to disable CUGs which isn't effective long term when we need to restrict access to some pages based on them.

Is there a way to delay the login until the PostProcessor has set the user groups or to get the user info in an AuthenticationHandler using SAML? Or is there a method that hasn't come up that could process my user profile details into groups without hitting an error on the base user group to allow CUGs to be enabled?

 

authenticationhadler SAML

Replies

Highlighted

Jörg_Hoh

Employee

30-07-2020

Hi,

 

isn't it possible to retrieve group membership information via the standards? From what I understand, the AEM SAML authentication can do that for you. Why do you rely on custom properties to extract group memberships from?

 

And actually the PostProcessors are invoked during the authentication, it is not running asynchronously. See https://github.com/apache/sling-org-apache-sling-auth-core/blob/master/src/main/java/org/apache/slin...

 

Jörg

Highlighted

jetate

30-07-2020

The way our groups are coming in is multiples in an array or string in two different attributes, some of which need to be assigned and some of which don't. We were working with an Adobe consultant on how to process those attributes as user groups, and these are the solutions we were provided. 

 

So I have one attribute that comes in as a list, and when I set addGroupMemberships to true and set that attribute name as groupMembershipAttribute, none of the groups in the list are added. My other attribute comes in as an array, not a list, so I can't use that for groupMembershipAttribute.

 

I believe there's an issue on the administrative side with the SAML settings that can't send us the second attribute as a list.

Highlighted

jetate

30-07-2020

So I have one attribute that comes in as a list, and when I set addGroupMemberships to true and set that attribute name as groupMembershipAttribute, none of the groups in the list are added.
Highlighted

Jörg_Hoh

Employee

07-08-2020

Hi, that's getting very tricky now (and probably not a topic which can handled well in a forum). Anyway, I would agree, that your SAM implementation might be involved as well, because I am not aware of a need to extend the authentcation in such a way. Have you made progress here?
Highlighted

jetate

15-09-2020

We determined that the issue was likely caused by being bounced to another instance before the attributes were finished being processed and synced to all instances. I believe they've enabled some level of sticky session to solve the error we were facing.