
SAML login is setting 2 saml_request_path cookies

Level 1

I have created a custom AuthenticationInfoPostProcessor service so that I could set saml_request_path and redirect the authenticated user to the appropriate page. However, after authentication (i.e., after the /saml_login request), there are 2 saml_request_path cookies set in the response: one set to the value I'm setting in the custom AuthenticationInfoPostProcessor service and one with a value of null. The saml_request_path with the null value redirects to my homepage.

How do I set saml_request_path so that the user is redirected to the appropriate page? How do I prevent the second saml_request_path cookie from being added?

2 Replies

Community Advisor

Hi @ahnc

I had previously worked on a similar requirement. The saml_request_path cookie is originally set in org.apache.sling.auth.core.spi.AuthenticationHandler. So avoid setting it in AuthenticationInfoPostProcessor.

What you can do is create a loginHook which implements AuthenticationHandler and override the requestCredentials method. Set your saml_request_path inside this method.

```java
// Method of the login hook class; LOGGER and wrappedAuthHandler are fields of that class.
@Override
public boolean requestCredentials(final HttpServletRequest httpServletRequest,
        final HttpServletResponse httpServletResponse) throws IOException {
    final int expiryTime = 60 * 60 * 60 * 24;
    LOGGER.debug("Login hook initialized");
    // Path of the page that triggered the login; stored as the cookie value below.
    String pagePath = httpServletRequest.getRequestURI();

    String queryString = httpServletRequest.getQueryString();
    CookieUtil.addCookie(
            ServletUtil.createCookie("saml_request_path", pagePath, true, expiryTime, null, "/", false),
            httpServletResponse);

    // Delegate to the wrapped authentication handler after the cookie has been added.
    return wrappedAuthHandler.requestCredentials(httpServletRequest, httpServletResponse);
}
```

The above solution worked for me for this exact requirement. Hope it helps you too.

https://github.com/Adobe-Consulting-Services/acs-aem-samples/blob/master/core/src/main/java/com/adob...

Regards,

Jeevan 
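Because the saml_request_path value decides where the user lands after login, a value taken from the request is worth validating before it is written to the cookie. The following is an added example, not part of the reply above and not AEM or Sling API; the class name, the safeRedirectPath method and the /content/ allowlist are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Optional;

// Added example: validates a candidate saml_request_path value before it is stored.
public class SamlRequestPathCheck {

    // Assumption: only pages under these roots are valid post-login targets.
    private static final List<String> ALLOWED_PREFIXES = List.of("/content/");

    // Returns the raw path (query string dropped) or empty if the value is unsafe.
    static Optional<String> safeRedirectPath(String candidate) {
        if (candidate == null || candidate.isEmpty() || candidate.length() > 1024) {
            return Optional.empty();
        }
        // Control characters enable header injection; some browsers treat '\' as '/'.
        for (char c : candidate.toCharArray()) {
            if (c < 0x20 || c == 0x7f || c == '\\') {
                return Optional.empty();
            }
        }
        final URI uri;
        try {
            uri = new URI(candidate);
        } catch (URISyntaxException e) {
            return Optional.empty();
        }
        // Must be site-relative: no scheme and no authority ("//host/x" has one).
        if (uri.isAbsolute() || uri.getRawAuthority() != null) {
            return Optional.empty();
        }
        // Check the percent-decoded path so "%2e%2e" cannot hide a ".." segment.
        String decoded = uri.getPath();
        boolean dotSegment = List.of(decoded.split("/")).contains("..");
        boolean allowed = ALLOWED_PREFIXES.stream().anyMatch(decoded::startsWith);
        return (allowed && !dotSegment) ? Optional.of(uri.getRawPath()) : Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from the thread.
        String[] samples = {
            "/content/site/en/account.html", "//other.example/x", "https://other.example/",
            "/content/%2e%2e/system/console", "/\\other.example", null
        };
        for (String s : samples) {
            System.out.println(s + " -> " + safeRedirectPath(s).orElse("(rejected)"));
        }
    }
}
```

Only the first sample is accepted; a caller would write the cookie only when the returned Optional is present.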

Level 1

Hi @JeevanRaj. Thanks for the suggestion. I implemented the login hook and some logging. I don't see requestCredentials during login. Most of our site does not require login. I assume the requestCredentials method is only called when a page requires authentication, correct?

Is there a way to prevent AuthenticationHandler from setting the saml_request_path cookie so that I can set it using a different method (e.g. a Sling request filter)?