SAML integration

Santhi_Swaroop

19-09-2019

I am trying to integrate SAML on an intranet employee portal on AEM with Okta. I was able to integrate with SSOCircle as a POC and have a few questions.

I understand that the SAML authentication handler reads the SAML assertions, creates the user in CRX and generates a login-token cookie to validate the authentication for further requests.

I did a test after unchecking "create user" in the SAML config in AEM, and the authentication failed with the error below:

javax.jcr.RepositoryException: Failed to generate login-token: Could not access Repository

19.09.2019 11:20:05.518 *INFO* [qtp317350284-1718] com.adobe.granite.auth.saml.SamlAuthenticationHandler User xxxxx not found

My question is: if I allow users to be created in CRX and use the login-token cookie, and I have three publish AEM instances routed from an ELB with no stickiness configured, I think the session cannot be maintained, as the token is stored in only one of the CRX instances.

Do I need to configure stickiness on the ELB based on the login-token cookie for this to work?

What is the other way to handle the SAML assertion if I don't use the login-token cookie and don't create users in CRX?

Thanks

Replies

Bharath_valse

19-09-2019

Since you are dealing with end users on the publish side, the best approach would be to use the User Sync feature [0], which uses the Sling Content Distribution (SCD) framework. This feature syncs users between publish instances.

[0] User Synchronization

Santhi_Swaroop

19-09-2019

Thank you. This helps. If I do the user sync, does it sync the tokens too, or do I need to enable the encapsulated tokens feature of the Token Login handler?

Also, can Sling distribution handle multiple concurrent user syncs? If there is a delay in sync, I think the session will log out when the second publisher is hit.

Bharath_valse

19-09-2019

Since the encapsulated token doesn't require access to the repository to authenticate requests and can validate requests against cookies, tokens can be ignored as part of the configuration [0]; it's ignored by default.

However, it is necessary for the user to be present on the other publish instances for the authentication to work. In this case I can think of enabling sticky connections based on the time taken to sync the user to the other publish instances, or using SSO if possible.

[0] https://helpx.adobe.com/experience-manager/6-5/sites/administering/using/sync.html#8AEMCommunitiesUs...
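To make the difference between the two token models discussed in this thread concrete, here is an added Python example. It is not AEM code and does not reproduce the real format of AEM's login-token or encapsulated token; it is a constructed model of three publish nodes behind a load balancer. The repository-backed token is a random value stored only on the node that issued it, so any other node rejects it. The encapsulated token is modelled as an HMAC-SHA256-signed cookie (an assumed simplification) that every node holding the shared key can verify without a repository lookup, but, as the second reply notes, the user still has to exist on the node that receives the request.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


class PublishInstance:
    """Constructed model of one publish node; not AEM's implementation."""

    def __init__(self, name, shared_key):
        self.name = name
        self.shared_key = shared_key
        self.users = set()        # users present in this node's repository
        self.repo_tokens = {}     # token -> user, held only by the issuing node

    # Repository-backed login token: the value lives in one node's repository,
    # so a request that lands on another node cannot be validated there.
    def issue_repo_token(self, user):
        self.users.add(user)
        token = secrets.token_hex(16)
        self.repo_tokens[token] = user
        return token

    def validate_repo_token(self, token):
        return self.repo_tokens.get(token)   # None on a node that did not issue it

    # Encapsulated token: claims plus an HMAC over them, verifiable by any node
    # that holds the shared key (assumed shared out of band for this model).
    def issue_encapsulated_token(self, user, ttl=3600, now=None):
        now = int(now if now is not None else time.time())
        payload = json.dumps({"user": user, "exp": now + ttl}, separators=(",", ":"))
        body = base64.urlsafe_b64encode(payload.encode()).decode()
        sig = hmac.new(self.shared_key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"

    def validate_encapsulated_token(self, token, now=None):
        try:
            body, sig = token.split(".", 1)
        except ValueError:
            return None
        expected = hmac.new(self.shared_key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None                      # tampered or signed with another key
        claims = json.loads(base64.urlsafe_b64decode(body))
        if (now if now is not None else time.time()) > claims["exp"]:
            return None                      # expired
        user = claims["user"]
        if user not in self.users:
            return None                      # user not yet synced to this node
        return user


def simulate(sync_users):
    """Issue both token kinds on publish1, then validate on all three nodes.

    Returns {node_name: (repo_token_result, encapsulated_token_result)}.
    """
    key = secrets.token_bytes(32)
    nodes = [PublishInstance(f"publish{i}", key) for i in (1, 2, 3)]
    issuer = nodes[0]
    user = "jdoe"                            # constructed sample user
    repo_token = issuer.issue_repo_token(user)
    enc_token = issuer.issue_encapsulated_token(user)
    if sync_users:                           # models a completed user sync
        for node in nodes[1:]:
            node.users.add(user)
    return {
        node.name: (node.validate_repo_token(repo_token),
                    node.validate_encapsulated_token(enc_token))
        for node in nodes
    }


if __name__ == "__main__":
    for synced in (False, True):
        print(f"user sync completed: {synced}")
        for name, result in simulate(synced).items():
            print(f"  {name}: repo token -> {result[0]}, encapsulated token -> {result[1]}")
```

Running it shows the repository-backed token accepted only on publish1 regardless of sync state, while the encapsulated token is accepted on every node once the user has been synced, and on none of the other nodes before that. That is the window the second reply proposes covering with sticky connections.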