Highlighted

SSO issue in AEM 63 after a recent upgrade from AEM61

Avatar

Avatar

Dineshkumar_L

Avatar

Dineshkumar_L

Dineshkumar_L

27-08-2018

Hi All,

Recently we have upgraded from AEM61 to AEM63 and started to face a new issue in SSO integration.

Problem Statement:

  1. We have an intranet site with OOTB LDAP Authentication configured.
  2. Additionally we have "Integrated Windows Authentication" enabled at the Apache + Kerberos level.
  3. "User ID" parameter will be passed by Kerberos to Dispatcher and then to AEM as a request header parameter to enable SSO. We have all the required SSO configurations in place.
  4. And we are referring this "User ID" value in our various component by picking it from the client context.
  5. Recently we noticed that in IE and Chrome, this user ID is being passed as session ID for few users (only in few times - inconsistently) and this is breaking our component logic. The same is working in Firefox now.
  6. Could see following lines in SSO logs (SSO logs are enabled upto DEBUG Level for the two packages - org.apache.sling.auth and com.adobe.granite.auth.sso):

27.08.2018 08:43:40.796 *DEBUG* [qtp2034268427-47241] org.apache.sling.auth.core.impl.SlingAuthenticator login: requesting authentication using handler: com.day.cq.auth.impl.LoginSelectorHandler@72fed7f5

27.08.2018 08:43:40.802 *DEBUG* [qtp2034268427-46699] org.apache.sling.auth.core.impl.HttpBasicAuthenticationHandler forceAuthentication: Not forcing authentication because request parameter sling:authRequestLogin is not set

27.08.2018 08:43:40.802 *DEBUG* [qtp2034268427-46699] org.apache.sling.auth.core.impl.SlingAuthenticator getAuthenticationInfo: no handler could extract credentials; assuming anonymous

27.08.2018 08:43:40.803 *DEBUG* [qtp2034268427-46699] org.apache.sling.auth.core.impl.SlingAuthenticator doHandleSecurity: No credentials in the request, anonymous

We were suspecting that Kerberos is not passing the value properly and for this reason we hard coded the "User ID" in the web server configuration file directly while setting the request header parameter, even then we were able to simulate the issue. Below is the snap which shows "User ID" (Visitor's ID by AEM) is holding a value of session ID, as the user ID is empty.

1557976_pastedImage_12.png

Below is what AEM does:

/libs/cq/personalization/clientlib/kernel/source/shared/clientcontextmanager.js

    CQ_Analytics.ClientContextMgr.prototype.getId = function() {

        var id = this.getVisitorId();

        if (!id) {

            return this.getSessionId();

        }

        return id;

    };

We are not able to get any clues why the User ID is empty from SSO logs, dispatcher log shows the actual user ID properly. Any pointers to trouble shoot further will be helpful.

Thanks,

Dinesh kumar L.