Expand my Community achievements bar.

Learn about Edge Delivery Services in upcoming GEM session
Register!

SAML integration

Avatar

Level 3
Level 3
9/19/19 9:04:21 AM

I am trying to integrate SAML on a intranet employee portal on AEM witj okta. I was able to integrate with ssocircle as POC and have few questions.

I understand that the SAML authentication handler reads the SAML assertions, create the user in crx and generates a login token cookie to validate the authentication for further requests.

I did a test with unchecking the create user on SAML config in AEM and the authentication failed with below error

javax.jcr.RepositoryException: Failed to generate login-token: Could not access Repository

19.09.2019 11:20:05.518 *INFO* [qtp317350284-1718] com.adobe.granite.auth.saml.SamlAuthenticationHandler User xxxxx not found

My question is if I allow to create users on crx and use login token cookie and if I have three publish AEM instances routed from a elb and there is no stickiness configured, I think the session cannot be maintained as the token is stored in only one of crx

Do I need to configure stickiness on elb based on login-token cookie for this to work?

What is the other way to handle SAML assertion if I don't use login token cookie and no user creation in crx?

Thanks

Views

7.4K

Replies

4
Sign in to like this content

Total Likes

Translate
Translate
4 Replies

Avatar

Level 4
Level 4
9/19/19 9:54:49 AM

Since you are dealing with end users on the publish side, the best approach would be to use User sync feature [0] which uses sling content distribution(SCD) framework. This feature syncs user between publish instances

[0]

User Synchronization

Views

7.2K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 3
Level 3
9/19/19 10:12:55 AM

Thank you. This helps. If I do the user sync, does it sync the tokens too or I need to enable encapsulated tokens feature of Token Login handler?

Also, Can the sling distribution handle multiple concurrent user sync? If there is a delay in sync, I think the session will logout when the second publisher is hit.

Views

7.2K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 4
Level 4
9/19/19 11:27:43 AM

Since encapsulated token doesn't require access to repository to authenticate requests and can validate requests against cookies, tokens can be ignored as part of configuration [0], its ignored by default.

However it is necessary for the user to be present on other publish instances for the authentication to work. In this case I can think of enabling sticky connections based on the time taken to sync user to other publish instances or use SSO if possible

[0]

https://helpx.adobe.com/experience-manager/6-5/sites/administering/using/sync.html#8AEMCommunitiesUs...

Views

7.2K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 3
Level 3
9/20/19 6:55:31 AM

Thanks. I am thinking to enable stickiness at lb as this is a intranet site instead of usersync

Views

7.2K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate