SAML integration

Santhi_Swaroop

19-09-2019

I am trying to integrate SAML on an intranet employee portal on AEM with Okta. I was able to integrate with SSOCircle as a POC and have a few questions.

I understand that the SAML authentication handler reads the SAML assertions, creates the user in CRX and generates a login-token cookie to validate the authentication for further requests.

I did a test with the create user option unchecked in the SAML config in AEM, and the authentication failed with the error below:

javax.jcr.RepositoryException: Failed to generate login-token: Could not access Repository

19.09.2019 11:20:05.518 *INFO* [qtp317350284-1718] com.adobe.granite.auth.saml.SamlAuthenticationHandler User xxxxx not found

My question is: if I allow users to be created in CRX and use the login-token cookie, and I have three publish AEM instances routed from an ELB with no stickiness configured, I think the session cannot be maintained, as the token is stored in only one of the CRX repositories.

Do I need to configure stickiness on the ELB based on the login-token cookie for this to work?

What other way is there to handle the SAML assertion if I don't use the login-token cookie and don't create users in CRX?

Thanks

Replies

Bharath_valse

19-09-2019

Since you are dealing with end users on the publish side, the best approach would be to use the User Sync feature [0], which uses the Sling Content Distribution (SCD) framework. This feature syncs users between publish instances.

[0] User Synchronization

Santhi_Swaroop

19-09-2019

Thank you. This helps. If I do the user sync, does it sync the tokens too, or do I need to enable the encapsulated tokens feature of the Token Login handler?

Also, can Sling distribution handle multiple concurrent user syncs? If there is a delay in sync, I think the session will log out when the second publisher is hit.

Bharath_valse

19-09-2019

Since the encapsulated token doesn't require access to the repository to authenticate requests and can validate requests against cookies, tokens can be ignored as part of the configuration [0]; they are ignored by default.

However, it is necessary for the user to be present on the other publish instances for the authentication to work. In this case I can think of enabling sticky connections based on the time taken to sync users to the other publish instances, or using SSO if possible.

[0] https://helpx.adobe.com/experience-manager/6-5/sites/administering/using/sync.html#8AEMCommunitiesUs...
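The behaviour this thread reasons about (a repository-backed login-token cookie that only the issuing node recognises, balancer stickiness on that cookie, and an encapsulated token that any node can verify but that still needs the user to exist locally), as an added example that is not part of the original posts and not Adobe's code. AEM's real login-token and encapsulated-token formats are not reproduced: the repository-backed token is modelled as a per-node lookup table and the encapsulated token as an HMAC-signed cookie verified with a key shared by all nodes. The cookie name login-token is AEM's; the node names, user, shared key and the PublishNode and simulate helpers are assumptions made for the example.

```python
"""Toy model of three AEM publish nodes behind a non-sticky load balancer.

Added example, not Adobe's code. AEM's real login-token and encapsulated-token
formats are not reproduced: the repository-backed token is modelled as a
per-node dict (a token issued on one node is unknown to the others) and the
encapsulated token as an HMAC-signed cookie that any node holding the shared
key can verify without a repository read. The cookie name 'login-token' is
AEM's; node names, the user, the key and the classes below are assumptions.
"""
import hashlib
import hmac
import itertools
import secrets
import time

COOKIE_NAME = "login-token"
SHARED_KEY = b"example-hmac-key-shared-by-all-publish-nodes"  # assumed value


class PublishNode:
    def __init__(self, name, users):
        self.name = name
        self.users = set(users)   # users present in this node's repository
        self.repo_tokens = {}     # token -> user, visible on this node only

    # Repository-backed token: the behaviour the original question describes.
    def issue_repo_token(self, user):
        tok = secrets.token_hex(16)
        self.repo_tokens[tok] = user
        return tok

    def check_repo_token(self, tok):
        return self.repo_tokens.get(tok)   # None on every node but the issuer

    # Encapsulated token: user and expiry signed with the shared key.
    def issue_encapsulated_token(self, user, ttl=3600):
        payload = f"{user}|{int(time.time()) + ttl}"
        mac = hmac.new(SHARED_KEY, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}|{mac}"

    def check_encapsulated_token(self, tok):
        try:
            user, exp, mac = tok.rsplit("|", 2)
            exp = int(exp)
        except ValueError:
            return None
        expected = hmac.new(SHARED_KEY, f"{user}|{exp}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected) or exp < time.time():
            return None
        # Verified without touching the repository, but the request still has
        # to resolve to a user on this node, so an unsynced user is rejected.
        return user if user in self.users else None


def simulate(nodes, mode, sticky, requests=6):
    """Log in on nodes[0], then send follow-up requests carrying the cookie.

    mode   : "repo" or "encapsulated"
    sticky : True models balancer stickiness keyed on the login-token cookie,
             i.e. every follow-up request returns to the issuing node.
    Returns a list of (node name, authenticated user or None).
    """
    issuer, user = nodes[0], "jdoe"
    if mode == "repo":
        cookies = {COOKIE_NAME: issuer.issue_repo_token(user)}
    else:
        cookies = {COOKIE_NAME: issuer.issue_encapsulated_token(user)}
    rotation = itertools.cycle(nodes)     # plain round robin, no stickiness
    outcome = []
    for _ in range(requests):
        node = issuer if sticky else next(rotation)
        tok = cookies[COOKIE_NAME]
        who = (node.check_repo_token(tok) if mode == "repo"
               else node.check_encapsulated_token(tok))
        outcome.append((node.name, who))
    return outcome


def fresh_cluster():
    # Constructed scenario: pub3 has not yet received 'jdoe' from user sync.
    return [PublishNode("pub1", {"jdoe"}),
            PublishNode("pub2", {"jdoe"}),
            PublishNode("pub3", set())]


if __name__ == "__main__":
    for mode, sticky in [("repo", False), ("repo", True), ("encapsulated", False)]:
        label = "sticky" if sticky else "round-robin"
        print(mode, label, simulate(fresh_cluster(), mode, sticky))
```

Running it walks through the three cases in the thread: the repository-backed token is recognised only by the node that issued it unless the balancer pins the cookie to that node; the signed token verifies on every node without a repository read; and even then a node that has not yet received the user from sync rejects the request, which is why the reply pairs encapsulated tokens with user sync or stickiness sized to the sync delay.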

Santhi_Swaroop

20-09-2019

Thanks. I am thinking of enabling stickiness at the LB instead of user sync, as this is an intranet site.