SAML Handler and public page sign-in



Hi All,

I have a public site hosted on AEM. This public site has product pages, if you want to purchase, you have to log-in in order to add to cart and so on. So, basically this site has public pages and same public pages have few more options available if the end user is signed-in.

Now, the challenge here is, how can this be achieved by SAML Auth Handler as it doesn't completely supports IdP initiated auth due to the fact that it'll always come back to the home page of the site after successful authentication because request path cookie will not be set with the origination URL which can be anything.

To simplify here is the use case I want to achieve with SAML Auth Handler:

1) End user comes to a public product page within the site

2) End user clicks on sign-in

3) After successful authentication by IdP, user has redirected to the product page from where he/she initiated sign-in.

I have a work around, which I implemented in AEM 6.2, to have a servlet, serving over secured path(configured at SAML Handler and Sling Auth Service), which takes a parameter as final redirect. Now, sign-in URL will be different based on which page you're visiting on the site, i.e. going to servlet's secured path with final redirect parameter set to the current page. This way, after successful authentication, servlet will redirect to final target which was the origination page.

I don't feel this is a correct approach. I would like to utilize something with lesser custom code and more OOTB. Does anyone has come across the use case I have here and found any better way to deal with it? Is there any better approach available in AEM 6.4 or 6.5 that I might have missed?







Hi Bimal

We had similar requirement and we wrote sample login hook authentication handler as similar to the one present over here

acs-aem-samples/SampleLoginHookAuthenticationHandler.java at master · Adobe-Consulting-Services/acs-... with the service ranking pointing to the value higher than saml auth handler.

Login hook authentication handler will execute before your saml auth handler as it higher ranking than saml and in the request credentials method set the "saml_request_path" cookie pointing to the value "redirect uri or request uri" before wrapping up the request as shown in the sample code.

Note : Saml Authentication handler will do the redirect based on your "saml_request_path /request-path" cookie and if not present it will take you to the page that you configured on saml handler.

Note : if saml_request_path cookie didnt work please try the cookie with the name "request-path"

Sample Method :

public boolean requestCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse)

throws IOException {

final Boolean useSecureCookie = false;

final int expiryTime = 60 * 60 * 60 * 24;

final String cookiePath = "/";

String loginRes = httpServletRequest.getRequestURI();

Cookie cookie = new Cookie("saml_request_path", loginRes);





return wrappedAuthHandler.requestCredentials(httpServletRequest, httpServletResponse);







Hello @bims_patel,

The IDP initiated login basically takes away the "saml_request_path" cookie. AEM does support IDP Initiated SAML and while using IDP initiated Authentication, you must consult with your IDP to understand how to redirect the user back to the "source" page.

One example is the usage of "relay state" parameter, and in case of Okta, usage of fromURI flag. This can be seen discussed in article https://support.okta.com/help/s/question/0D50Z00008C3jmKSAR/how-to-redirect-back-to-referring-page-a...

Okta Help Center (Lightning)

So my recommendation would be to consult with your IDP first to see potential solutions.

Best Regards,

Aneet Arora




Thank you Prem and Aneet for taking time in responding to my post.

I remember trying out IdP initiated login last year with relay state parameter but that didn't work out or probably I didn't try it out in correct way. I'll check this again and update here. Its a cleaner approach without any custom coding.

I'll fall back to the other method described by Prem in case that doesn't work out.






we are using azure for sso as IDP and we initially tried with relay state parameter, but that didn't work, so we ended up in using login hook handler.

But the same is working with Oauth.

If it works for you please do post the findings over here, that will be more helpful.