SOLVED

SSO in AEM - Custom SAML Authentication handler in AEM


Level 2

Requirement:

 

When an AEM page request is redirected to Okta for authentication, and the user is authenticated by Okta and created in AEM, we need, at the same time, to make a third-party API call to get the list of groups and then assign the user to those groups in AEM.

 

It looks like the only option is a custom SAML authentication handler (not just an authentication handler).

It seems Adobe is not exposing com.adobe.granite.auth.saml, and we need to create the entire module.

 

 

We are combining CUG (closed user group) with Okta SAML SSO. If we try an Authentication Info Post Processor, the user is assigned to the groups, but the Sling authenticator is called first. For the first request we get a 404, and when we refresh the page it works the second time (since the Sling authenticator gets called before the post processor).

 


Any suggestions/information on this?


13 Replies


Community Advisor

Hi,

You can extend it or create your own implementation:

http://apoorva-ganapathy.blogspot.com/2016/08/aem-processing-saml-response-using.html

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/custom-saml-authentication...

 

```java
import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.auth.core.spi.DefaultAuthenticationFeedbackHandler;

public class CustomSamlAuthenticationHandler extends DefaultAuthenticationFeedbackHandler implements AuthenticationHandler {
    // implement extractCredentials, requestCredentials and dropCredentials here
}
```



Arun Patidar


Level 2

Hi Arun,

 

Thanks for the response.

The first link is regarding the Info Post Processor. It doesn't work for our scenario.

Second link: the developer didn't implement that; he went with some other workaround. Could you please check it again?

 


Level 4

Ya, I followed that article also. It is a token-based custom authentication handler.

It is not a custom SAML (Okta) authentication handler.


Correct answer by
Community Advisor

OK, but we are using the same for SAML.

Example:

 

```java
import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.auth.core.spi.DefaultAuthenticationFeedbackHandler;
import org.osgi.framework.Constants;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;
import org.osgi.service.component.annotations.Designate;

@Designate(ocd = ExtSamlAuthenticationHandler.Config.class, factory = true)
@Component(service = AuthenticationHandler.class,
        name = "com.abc.core.integration.saml.ExtSamlAuthenticationHandler",
        configurationPolicy = ConfigurationPolicy.REQUIRE,
        servicefactory = true,
        property = {
                "service.name" + "=EXT Adobe Granite SAML Authentication Handler",
                Constants.SERVICE_DESCRIPTION + "=EXT Adobe Granite SAML Authentication Handler",
                "authtype" + "=SAML"
        })
public class ExtSamlAuthenticationHandler extends DefaultAuthenticationFeedbackHandler implements AuthenticationHandler {
    // Config is the @ObjectClassDefinition type referenced by @Designate above.
    // The AuthenticationHandler methods (extractCredentials, requestCredentials,
    // dropCredentials) and the feedback hooks are the client code not shared here.
}
```

However, I can't share the client code.



Arun Patidar
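Assuming the approach of the accepted answer (let the Granite SAML handler do the SAML work, and hook in before Sling opens the user's session), the following is an added example, not the thread author's client code, of a handler that meets the requirement from the original post: fetch the group list from a third-party API and assign the user in AEM before the first CUG-protected request is served, which is exactly the step an Authentication Info Post Processor runs too late for. Everything here is an assumption on my part: the package and class names, the `ExternalGroupProvider` interface standing in for the third-party API client, the `okta-` prefix used as an allow list, the `group-sync` service-user mapping, the `/content/example` path, and the `component.name` filter used to bind the stock `com.adobe.granite.auth.saml.SamlAuthenticationHandler`.

```java
import java.io.IOException;
import java.util.*;
import javax.jcr.RepositoryException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.jackrabbit.api.security.user.*;
import org.apache.sling.api.resource.*;
import org.apache.sling.auth.core.spi.*;
import org.osgi.framework.Constants;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// Hypothetical example (not the thread author's code): wraps the stock Granite
// SAML handler and syncs group membership BEFORE Sling logs the user in, so the
// very first CUG-protected request already sees the right groups.
@Component(service = AuthenticationHandler.class,
        name = "com.example.auth.GroupSyncingSamlHandler",            // assumed name
        property = {
                Constants.SERVICE_DESCRIPTION + "=Group-syncing SAML Authentication Handler",
                Constants.SERVICE_RANKING + ":Integer=100",           // consulted before the stock handler
                AuthenticationHandler.TYPE_PROPERTY + "=SAML",
                AuthenticationHandler.PATH_PROPERTY + "=/content/example" // constructed path
        })
public class GroupSyncingSamlHandler extends DefaultAuthenticationFeedbackHandler implements AuthenticationHandler {

    private static final Logger LOG = LoggerFactory.getLogger(GroupSyncingSamlHandler.class);
    private static final String MANAGED_PREFIX = "okta-";   // assumed allow-list convention
    private static final String SUBSERVICE = "group-sync";  // assumed service-user mapping

    /** Stand-in for the third-party groups API client (assumption). */
    public interface ExternalGroupProvider { List<String> groupsFor(String userId) throws IOException; }

    // Assumption: the stock handler is registered with its config PID as component.name;
    // the filter also stops DS from binding this component to itself.
    @Reference(target = "(component.name=com.adobe.granite.auth.saml.SamlAuthenticationHandler)")
    private AuthenticationHandler samlDelegate;
    @Reference
    private ResourceResolverFactory resolverFactory;
    @Reference
    private ExternalGroupProvider groupProvider;

    @Override
    public AuthenticationInfo extractCredentials(HttpServletRequest req, HttpServletResponse res) {
        AuthenticationInfo info = samlDelegate.extractCredentials(req, res);
        // Granite returns a real user only after it has validated the SAML response
        // (and auto-created the user); null, DOING_AUTH and FAIL_AUTH carry no user yet.
        if (info != null && info != AuthenticationInfo.DOING_AUTH
                && info != AuthenticationInfo.FAIL_AUTH && info.getUser() != null) {
            syncGroups(info.getUser());   // runs before Sling opens the user's session
        }
        return info;
    }

    @Override
    public boolean requestCredentials(HttpServletRequest req, HttpServletResponse res) throws IOException {
        return samlDelegate.requestCredentials(req, res);
    }

    @Override
    public void dropCredentials(HttpServletRequest req, HttpServletResponse res) throws IOException {
        samlDelegate.dropCredentials(req, res);
    }

    @Override
    public boolean authenticationSucceeded(HttpServletRequest req, HttpServletResponse res, AuthenticationInfo info) {
        // Keep the stock handler's post-login behaviour (e.g. redirect to the original URL).
        return samlDelegate instanceof AuthenticationFeedbackHandler
                ? ((AuthenticationFeedbackHandler) samlDelegate).authenticationSucceeded(req, res, info)
                : super.authenticationSucceeded(req, res, info);
    }

    private void syncGroups(String userId) {
        Set<String> desired = new HashSet<>();
        try {
            for (String name : groupProvider.groupsFor(userId)) {
                // Allow-list: only IdP-managed groups may be touched, so the external
                // API can never hand out "administrators" or another built-in group.
                if (name != null && name.startsWith(MANAGED_PREFIX)) desired.add(name);
                else LOG.warn("Ignoring unmanaged group '{}' for user {}", name, userId);
            }
        } catch (IOException e) {
            LOG.error("Group lookup failed for {}; membership left unchanged", userId, e);
            return; // fail closed: no new privileges on an API error
        }
        try (ResourceResolver resolver = resolverFactory.getServiceResourceResolver(
                Collections.singletonMap(ResourceResolverFactory.SUBSERVICE, (Object) SUBSERVICE))) {
            UserManager um = resolver.adaptTo(UserManager.class);
            Authorizable user = um.getAuthorizable(userId);
            if (user == null) return;
            // Revoke managed groups the API no longer grants, then add the new ones.
            for (Iterator<Group> it = user.declaredMemberOf(); it.hasNext(); ) {
                Group g = it.next();
                if (g.getID().startsWith(MANAGED_PREFIX) && !desired.remove(g.getID())) g.removeMember(user);
            }
            for (String name : desired) {
                Authorizable a = um.getAuthorizable(name);
                if (a instanceof Group) ((Group) a).addMember(user);
                else LOG.warn("Group '{}' does not exist in AEM; not creating it", name);
            }
            resolver.commit();
        } catch (LoginException | RepositoryException | PersistenceException e) {
            LOG.error("Group sync failed for {}", userId, e);
        }
    }
}
```

Sling picks authentication handlers by the longest matching `path` and, among equal paths, by `service.ranking`, so this handler's path must cover the same tree as the stock SAML handler's configuration and rank above it; the `group-sync` service user needs write access under `/home/groups`. The sync deliberately never creates groups and never touches anything outside the allow-listed prefix, so a compromised or misconfigured groups API cannot grant built-in privileges.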


Level 4

Hi Arun, 

Did you override the entire com.adobe.granite.auth.saml package in your code base?

Because it needs a lot of Adobe classes, and those are not exposed?


Community Advisor

No, we did not override that package; we have the following imports and added the following dependency in the POM:

```xml
<Embed-Dependency>com.adobe.granite.auth.saml</Embed-Dependency>
```

 

Imports:

```java
import com.adobe.granite.auth.saml.configuration.IdpConfiguration;
import com.adobe.granite.auth.saml.configuration.SpConfiguration;
import com.adobe.granite.auth.saml.model.Assertion;
import com.adobe.granite.auth.saml.model.Attribute;
import com.adobe.granite.auth.saml.model.AuthnRequest;
import com.adobe.granite.auth.saml.model.AuthnStatement;
import com.adobe.granite.auth.saml.model.Issuer;
import com.adobe.granite.auth.saml.model.LogoutRequest;
import com.adobe.granite.auth.saml.model.LogoutResponse;
import com.adobe.granite.auth.saml.model.NameIdPolicy;
import com.adobe.granite.auth.saml.model.Response;
import com.adobe.granite.auth.saml.model.Status;
import com.adobe.granite.auth.saml.util.SamlReader;
import com.adobe.granite.auth.saml.util.SamlReaderException;
```

 

Version:

```xml
<dependency>
    <groupId>com.adobe.granite</groupId>
    <artifactId>com.adobe.granite.auth.saml</artifactId>
    <version>1.0.10</version>
    <scope>provided</scope>
</dependency>
```

 



Arun Patidar


Community Advisor

Yes, that dependency is no longer available on Maven; we have a cached version of it in our Artifactory.

 



Arun Patidar


Level 4

If it is a cached version specific to one company's Artifactory, then I think other companies can't use it.
Is there a way to get that version?


Community Advisor

You can get that bundle from AEM itself and use that.



Arun Patidar


Level 1

Hi Arun, @arunpatidar
I'm also looking for the exact same requirement.

Could you please help me with how you embedded the dependency in the project.

 

I'm using the SAML bundle as you suggested, but I'm getting errors while building the project, as below:

Bundle abc.core:2.x.x-SNAPSHOT is importing package(s) [com.adobe.granite.auth.saml.binding, com.adobe.granite.auth.saml.configuration, com.adobe.granite.auth.saml, com.adobe.granite.auth.saml.model, com.adobe.granite.auth.saml.util, com.adobe.granite.auth.saml.extidp] in start level 20 but no bundle is exporting these for that start level.

Let me know how I can resolve this error.

Also, have you used the exact same code from samlauthenticationhandler.java in your custom implementation?