Setup SSO for multiple domains

srikanthp689160

02-12-2019

Hi,

We have SAML integration in place for our application (domain: https://www.mycompany.com) where AEM is the Service Provider (SP) and Salesforce is the Identity Provider (IdP).

Salesforce has created a connected app with ACS URL: https://www.mycompany.com/signin/saml_login.

Now we are rolling out the application for other countries or domains, for example https://www.mycompany.co.uk or https://www.mycompany.fr.

Our requirement is that if a user has access to both https://www.mycompany.com and https://www.mycompany.uk, is logged into one domain (for example https://www.mycompany.com) and then tries to access a page from https://www.mycompany.co.uk, the user must not be asked to log in again.

With a single SAML Authentication Handler and a single IdP connected app, can we handle this scenario?

Any suggestions/approach on how to handle the above scenario would be helpful.

Thanks,

Srikanth Pogula.

Replies

Venkatesha_Gamp

02-12-2019

Hi,

If it is SSO, then why should it ask again?

Solution-wise: you can use servlet filters to handle the above situation.

jbrar

Employee

02-12-2019

SAML setup is based on the SP (Service Provider) ID. So, "https://www.mycompany.com" will be one SP ID that will be mapped to a corresponding and I don't think this is possible OOTB without any custom code.

That said, IF you would like to handle it within one SAML handler, you have to map https://www.mycompany.com and "https://www.mycompany.co.uk" to the same AEM HOST using dispatcher.

In other words, use the SP ID as the AEM HOST (10.****) name in the SAML handler and map both DNS names to this host based on the content structure. Example:

https://www.mycompany.uk is mapped to 10.****/content/uk

https://www.mycompany.com is mapped to 10.****/content/global

Check [1] for more details on how to define virtual hosts.

[1] Configuring Dispatcher

srikanthp689160

02-12-2019

Hi Venkatesha,

Right now, after logging into the .com domain website and trying to access the UK site, the user is treated as an anonymous user.

Thanks,

Srikanth Pogula.

srikanthp689160

02-12-2019

Hi Jaideep,

By SP ID in SAML Handler, do you mean Service Provider Entity ID?

If yes, as per the documentation: serviceProviderEntityId - the sPEntityId you created on the IdP.

Or am I missing anything here?

Thanks,

Srikanth Pogula.

jbrar

Employee

02-12-2019

Srikanth,

You are right, SP ID is the Service Provider Entity ID and it will be created on the IdP side. That said, it should match the SP ID configured in the SAML handler.

What I was trying to say is, as long as "https://www.mycompany.co.uk" and https://www.mycompany.com point to the same AEM instance with the SAML handler configured on path="/", they should share the same login session.
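The mapping jbrar describes in both replies above (both public hostnames terminating on one Apache/dispatcher tier in front of the same AEM instance, each hostname rewritten to its own content root, with the single SAML handler mounted at path "/") can be written as two Apache virtual hosts generated from one macro. This is an added example written for this thread, not configuration from the original posts or from Adobe; the content roots /content/global and /content/uk come from the reply above, while the AEM publish host 10.0.0.10 (standing in for 10.****), port 4503, the en.html home page, the TLS file paths and the dispatcher.any location are assumptions.

```apache
# Added example, not from the thread: one vhost per public domain, both served by the
# same dispatcher module and therefore the same AEM instance. Host 10.0.0.10, port 4503
# and all file locations are assumed placeholders.
<IfModule disp_apache2.c>
    # The /renders block inside dispatcher.any is assumed to point at 10.0.0.10:4503
    DispatcherConfig          conf/dispatcher.any
    DispatcherLog             logs/dispatcher.log
    DispatcherLogLevel        warn
    DispatcherDeclineRoot     Off
    DispatcherUseProcessedURL On
</IfModule>

# One macro, two instantiations: $domain is the public hostname, $contentroot the
# AEM content path that hostname maps to.
<Macro SiteVhost $domain $contentroot>
    <VirtualHost *:443>
        ServerName   $domain
        DocumentRoot /var/www/html

        SSLEngine on
        # Certificate paths are placeholders
        SSLCertificateFile    /etc/ssl/certs/$domain.crt
        SSLCertificateKeyFile /etc/ssl/private/$domain.key

        RewriteEngine On
        # Pass the SAML ACS endpoint (/signin/saml_login) and AEM system paths through
        # unchanged so the IdP's POSTed assertion reaches the handler as-is.
        RewriteCond %{REQUEST_URI} ^/(signin/|content/|etc\.clientlibs/|etc/|libs/|bin/|system/)
        RewriteRule .* - [L]
        # Domain root -> that domain's home page
        RewriteRule ^/$ $contentroot/en.html [PT,L]
        # Short URLs -> content root, e.g. /about.html -> $contentroot/about.html
        RewriteRule ^/(.*)$ $contentroot/$1 [PT,L]

        <Directory />
            SetHandler dispatcher-handler
            AllowOverride None
            Require all granted
        </Directory>
    </VirtualHost>
</Macro>

Use SiteVhost www.mycompany.com   /content/global
Use SiteVhost www.mycompany.co.uk /content/uk
UndefMacro SiteVhost
```

The two `Use` lines carry the point of the reply: both hostnames end on one dispatcher, one `dispatcher.any` renders block and one SAML handler mounted at `/`, while the `RewriteCond` keeps `/signin/saml_login` and `/content/...` untouched. Two checks are worth running after such a change. First, the dispatcher filter in `dispatcher.any` must allow the POST to the ACS path, or the assertion never reaches AEM. Second, the AEM `login-token` cookie is set for the hostname that completed the SAML exchange, and a browser does not send a cookie issued for `.com` to a `.co.uk` host, so the second domain still performs its own SAML round trip; whether the user is prompted for credentials there is decided by the IdP's existing session, which is what to inspect in the IdP's login logs rather than in AEM.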

srikanthp689160

03-12-2019

Thanks Jaideep for the information.

Below is my understanding based on your post; please correct me if I am wrong.

Currently the SP Entity ID is AEMSSOENTITY in the SAML Handler and the same is created at the IdP end with ACS URL https://www.mycompany.com/signin/saml_login.

By keeping the SP Entity ID the same, I will update the ACS URL to include the AEM HOST (10.****) and the path remains /signin because that path exists for all applicable domains, i.e. https://www.mycompany.com/signin/saml_login or https://www.mycompany.com/signin/saml_login

Thanks,

Srikanth Pogula