I am trying to implement a custom SAML SSO in AEM 5.6.1, possibly moving to 6.2 soon.
Use case: Certain content on the site needs to be behind a paywall, where Okta is the IdP and SAML is the SP. Based on the user’s roles returned by Okta, I can determine what type of paywall content they have access to. Caveat: I cannot store any of the authenticated users to the JCR, due to the high volume of users expected.
I have custom login forms that will POST username and password to a Sling Servlet to be processed. I need to then forward these credentials to Okta, and listen for a response. Extract the SAML response from Okta, decode and parse the XML, extract the user’s information: UserName, DisplayName, User Roles (custom defined permission roles in a key:value pair).
I need this information separately from the default SAML authentication, because we will not be creating users for each person that logs in. Instead we want to track their credentials through sessions. Based on the current design, we cannot use the default Okta login strategy. The forms need to be author-able and located internally to the site structure.
Current solution for sending user credentials to Okta from my backend: None, I’m stuck here, I’ve looked into Okta's cookieTokens, but it’s not making a lot of sense to me.
Current solution for intercepting the SAML response: Created a resource at /etc/saml_auth, created a Servlet that listens for the sling:resourceType of /etc/saml_auth. Sling Referrer allows POST methods. Sling Authentication Service has been configured to disable authentication for /etc/saml_auth and the path to my login page.
Okta has been configured to send SAML responses to /etc/saml_auth, where my Servlet will extract the SAMLResponse, decode it, then parse it to extract the user information.
Prior to trying to implement my custom login form, I could successfully log in with Okta’s remote login page and successfully extract the user information from the SAML response. Is there an alternative that is better for this situation? Any help is appreciated.
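Decoding and checking the SAMLResponse field described above, as an added Python example that is not part of the original post (the AEM Servlet would do the same work in Java): it base64-decodes the POSTed value, checks the status, the presence of a signature element, the Audience and the validity window, then extracts NameID and the attributes. The sample response, the audience URL, the issuer and the attribute names are constructed for this example.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Constructed sample (not a real Okta message); ds:Signature is a placeholder
# standing in for the IdP's real XML signature.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0">
  <saml:Issuer>http://www.okta.com/exampleIssuer</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">placeholder</ds:Signature>
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://www.example.com/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="DisplayName"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="paywallRole"><saml:AttributeValue>premium</saml:AttributeValue>
    <saml:AttributeValue>archive</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()  # what the SAMLResponse field carries

def _ts(value):  # SAML timestamps are UTC ISO 8601 with a trailing Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def parse_saml_response(saml_response_b64, expected_audience, now_iso):
    """Decode the SAMLResponse field and return NameID plus attributes, rejecting a
    non-Success status, an unsigned assertion, a wrong Audience or an expired one.
    The signature is NOT verified here: do that with a SAML library before trusting anything."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("SAML status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None or assertion.find("ds:Signature", NS) is None:
        raise ValueError("missing or unsigned assertion")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != expected_audience:
        raise ValueError("assertion not addressed to this SP")
    if not (_ts(cond.get("NotBefore")) <= _ts(now_iso) < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS), "attributes": attrs}
```

The presence check on ds:Signature only catches responses that carry no signature at all; the roles should only be used for paywall decisions after the signature has been verified against the IdP's certificate.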
Shouldn't the login screen be that of the IDP instead of the SP in a SAML auth mechanism? Is your IDP supporting HTTP POST binding? Otherwise check if it supports WS-Trust.