Recently we upgraded from AEM61 to AEM63 and started to face a new issue in the SSO integration.
We have an intranet site with OOTB LDAP Authentication configured.
Additionally we have "Integrated Windows Authentication" enabled at the Apache + Kerberos level.
The "User ID" parameter is passed by Kerberos to the Dispatcher and then to AEM as a request header parameter to enable SSO. We have all the required SSO configurations in place.
And we refer to this "User ID" value in our various components by picking it up from the client context.
Recently we noticed that in IE and Chrome this user ID is being passed as the session ID for a few users (only at times, inconsistently), and this is breaking our component logic. The same is working in Firefox now.
We could see the following lines in the SSO logs (SSO logs are enabled up to DEBUG level for the two packages org.apache.sling.auth and com.adobe.granite.auth.sso):
27.08.2018 08:43:40.802 *DEBUG* [qtp2034268427-46699] org.apache.sling.auth.core.impl.HttpBasicAuthenticationHandler forceAuthentication: Not forcing authentication because request parameter sling:authRequestLogin is not set
27.08.2018 08:43:40.802 *DEBUG* [qtp2034268427-46699] org.apache.sling.auth.core.impl.SlingAuthenticator getAuthenticationInfo: no handler could extract credentials; assuming anonymous
27.08.2018 08:43:40.803 *DEBUG* [qtp2034268427-46699] org.apache.sling.auth.core.impl.SlingAuthenticator doHandleSecurity: No credentials in the request, anonymous
We suspected that Kerberos was not passing the value properly, so we hard-coded the "User ID" directly in the web server configuration file when setting the request header parameter; even then we were able to simulate the issue. Below is the snapshot which shows that "User ID" (the Visitor's ID from AEM) holds a session ID value, as the user ID is empty.
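The three DEBUG lines quoted above are the signature of a request on which the SSO header was never turned into credentials: no authentication handler extracted anything, so Sling treated the request as anonymous. The following script is an added example, not code from the post or from AEM/Sling; it parses that log layout and flags each request on which the fallback happened, so the intermittent failures across browsers can be counted rather than spotted by eye. It assumes that the Jetty thread name (`qtp...-NNNNN`) keys the lines of one request, and its fourth sample line (thread `-46700`) is a constructed placeholder for a request that did not fall back, not verbatim Sling output.

```python
"""Scan Sling authentication DEBUG logs for requests that fell back to anonymous.

Added example, not part of the original post or of AEM/Sling. It parses the
log format quoted in the post and flags each request (keyed by Jetty thread
name, an assumption) for which SlingAuthenticator reported that no handler
could extract credentials. In a header-based SSO setup, every such request
is one where the SSO header did not reach AEM or was not consumed.
"""
import re
from collections import defaultdict

# Layout of the lines quoted in the post:
# <dd.mm.yyyy HH:MM:SS.mmm> *<LEVEL>* [<thread>] <logger> <message>
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"\*(?P<level>[A-Z]+)\* "
    r"\[(?P<thread>[^\]]+)\] "
    r"(?P<logger>\S+) "
    r"(?P<msg>.*)$"
)

# Message fragment that marks the fallback (verbatim from the post's log).
ANON_MARKER = "no handler could extract credentials; assuming anonymous"

# Constructed sample: the three lines from the post (thread ...-46699) plus a
# constructed second request (thread ...-46700) that did not fall back; its
# message text is a placeholder, not verbatim Sling output.
SAMPLE_LOG = """\
27.08.2018 08:43:40.802 *DEBUG* [qtp2034268427-46699] org.apache.sling.auth.core.impl.HttpBasicAuthenticationHandler forceAuthentication: Not forcing authentication because request parameter sling:authRequestLogin is not set
27.08.2018 08:43:40.802 *DEBUG* [qtp2034268427-46699] org.apache.sling.auth.core.impl.SlingAuthenticator getAuthenticationInfo: no handler could extract credentials; assuming anonymous
27.08.2018 08:43:40.803 *DEBUG* [qtp2034268427-46699] org.apache.sling.auth.core.impl.SlingAuthenticator doHandleSecurity: No credentials in the request, anonymous
27.08.2018 08:43:41.105 *DEBUG* [qtp2034268427-46700] org.apache.sling.auth.core.impl.SlingAuthenticator getAuthenticationInfo: (constructed placeholder) handler returned credentials
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def group_by_thread(lines):
    """Group parsed records by Jetty thread name, preserving line order."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            groups[rec["thread"]].append(rec)
    return groups


def find_anonymous_fallbacks(lines):
    """Return one record per request (thread) that Sling treated as anonymous."""
    fallbacks = []
    for thread, recs in group_by_thread(lines).items():
        for rec in recs:
            if ANON_MARKER in rec["msg"]:
                fallbacks.append({"thread": thread, "ts": rec["ts"], "logger": rec["logger"]})
                break  # one hit per request is enough
    return fallbacks


def fallback_ratio(lines):
    """Fraction of distinct requests (threads) that fell back to anonymous."""
    groups = group_by_thread(lines)
    if not groups:
        return 0.0
    return len(find_anonymous_fallbacks(lines)) / len(groups)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for fb in find_anonymous_fallbacks(lines):
        print(f"{fb['ts']} thread {fb['thread']}: no credentials extracted, request is anonymous")
    print(f"fallback ratio: {fallback_ratio(lines):.0%}")
```

On a real error.log the thread pool reuses names across requests, so the thread key should be combined with a timestamp window (or the request id Sling logs when request logging is enabled) before trusting the per-request counts; the point of the script is to make the anonymous fallback visible and countable per browser or user, which is the evidence needed to tell a missing header at the Dispatcher from a header that AEM received but did not consume.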