
SAML login is setting 2 saml_request_path cookies


Level 1

I have created a custom AuthenticationInfoPostProcessor service so that I could send saml_request_path and redirect the authenticated user to the appropriate page. However, after authentication (i.e. after the /saml_login request), there are 2 saml_request_path cookies set in the response: one set to the value I'm setting in the custom AuthenticationInfoPostProcessor service and one with a value of null. The saml_request_path cookie with the null value redirects to my homepage.


How do I set saml_request_path so that the user is redirected to the appropriate page? How do I prevent the second saml_request_path cookie from being added?

2 Replies


Community Advisor

Hi @ahnc 


I had previously worked on a similar requirement. The saml_request_path cookie is originally set in org.apache.sling.auth.core.spi.AuthenticationHandler. So avoid setting it in AuthenticationInfoPostProcessor.


What you can do is create a loginHook which implements AuthenticationHandler and override requestCredentials method. Set your saml_request_path inside this method.


public boolean requestCredentials(final HttpServletRequest httpServletRequest,
        final HttpServletResponse httpServletResponse) throws IOException {
    // 24 hours; the expression as originally posted (60 * 60 * 60 * 24) evaluates to 60 days
    final int expiryTime = 60 * 60 * 24;
    LOGGER.debug("Login hook initialized");
    // Server-relative path of the page the user asked for, so the post-login
    // redirect stays on this site
    String pagePath = httpServletRequest.getRequestURI();
    String queryString = httpServletRequest.getQueryString();
    if (queryString != null && !queryString.isEmpty()) {
        pagePath = pagePath + "?" + queryString;
    }
    // ServletUtil.createCookie is the poster's own helper, not a Sling/AEM API;
    // the cookie it builds still has to be added to the response
    httpServletResponse.addCookie(
        ServletUtil.createCookie("saml_request_path", pagePath, true, expiryTime, null, "/", false));
    return wrappedAuthHandler.requestCredentials(httpServletRequest, httpServletResponse);
}

The above solution worked for me for this exact requirement. Hope it helps you too.
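A complete version of the login-hook approach described in this reply, written here as an added example; it is neither the poster's code nor AEM's own. The package and class names, the service ranking, the one-day expiry, and the @Reference target filter (which assumes the stock SAML handler is registered with authtype=SAML and can be selected by that property) are assumptions for illustration. Beyond the snippet above it does what a practitioner would want before trusting a cookie that later drives a redirect: only a server-relative path is stored, so the post-login redirect cannot be turned into an open redirect, the value is dropped if it contains characters that would corrupt the Set-Cookie header, and the cookie is HttpOnly and Secure on TLS requests.

```java
package com.example.auth; // hypothetical package

import java.io.IOException;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationInfo;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Login hook that wraps the SAML AuthenticationHandler: records the page the
 * user originally asked for in saml_request_path, then delegates to the
 * wrapped handler for the actual SAML round trip.
 */
@Component(
    service = AuthenticationHandler.class,
    immediate = true,
    property = {
        AuthenticationHandler.PATH_PROPERTY + "=/",
        "service.ranking:Integer=1000" // assumed: must outrank the stock handler for the same path
    })
public class SamlLoginHook implements AuthenticationHandler {

    private static final Logger LOGGER = LoggerFactory.getLogger(SamlLoginHook.class);

    static final String COOKIE_NAME = "saml_request_path";
    static final int ONE_DAY_SECONDS = 60 * 60 * 24; // assumed lifetime

    // Assumption: the stock SAML handler carries authtype=SAML; exclude this
    // component by name so the reference cannot resolve to itself.
    @Reference(target = "(&(" + AuthenticationHandler.TYPE_PROPERTY + "=SAML)"
            + "(!(component.name=com.example.auth.SamlLoginHook)))")
    private AuthenticationHandler wrappedAuthHandler;

    @Override
    public boolean requestCredentials(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        String target = relativeTarget(request.getRequestURI(), request.getQueryString());
        if (target != null) {
            Cookie cookie = new Cookie(COOKIE_NAME, target);
            cookie.setPath("/");
            cookie.setMaxAge(ONE_DAY_SECONDS);
            cookie.setHttpOnly(true);             // no script on the page needs to read it
            cookie.setSecure(request.isSecure()); // never leak it over plain HTTP after a TLS login
            response.addCookie(cookie);
            LOGGER.debug("Stored {} = {}", COOKIE_NAME, target);
        } else {
            LOGGER.debug("Request URI rejected for {}, not storing a redirect target", COOKIE_NAME);
        }
        return wrappedAuthHandler.requestCredentials(request, response);
    }

    /**
     * Accept only a server-relative path (single leading slash, so no
     * scheme and no protocol-relative "//host" form) and only characters
     * that survive in a version-0 cookie value. Returns null otherwise.
     */
    static String relativeTarget(String uri, String query) {
        if (uri == null || !uri.startsWith("/") || uri.startsWith("//")) {
            return null;
        }
        String target = (query == null || query.isEmpty()) ? uri : uri + "?" + query;
        for (char c : target.toCharArray()) {
            if (c <= ' ' || c > '~' || c == ';' || c == ',' || c == '"' || c == '\\') {
                return null; // would break or truncate the Set-Cookie header
            }
        }
        return target;
    }

    @Override
    public AuthenticationInfo extractCredentials(HttpServletRequest request,
            HttpServletResponse response) {
        return wrappedAuthHandler.extractCredentials(request, response);
    }

    @Override
    public void dropCredentials(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        wrappedAuthHandler.dropCredentials(request, response);
    }
}
```

Two things to check after deploying something like this. First, Sling only calls requestCredentials when it decides the request needs a login (the resource is not readable anonymously, or the request carries the sling:authRequestLogin parameter), so on a page that is open to anonymous users the hook never runs and nothing is stored. Second, the wrapped handler may still write its own saml_request_path cookie after this one; inspect the Set-Cookie headers of the /saml_login exchange in the browser's network panel and confirm only one cookie with that name is emitted, since the last one written is the one that wins on the redirect.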
Level 1

Hi @JeevanRaj. Thanks for the suggestion. I implemented the login hook and some logging. I don't see requestCredentials called during login. Most of our site does not require login. I assume the requestCredentials method is only called when a page requires authentication, correct?


Is there a way to prevent the AuthenticationHandler from setting the saml_request_path cookie so that I can set it using a different method (e.g. a Sling request filter)?