I am currently working on implementing an asset manager using Adobe AEM 5.6.1 DAM and want to use the Asset Share and Asset Editor templates on publisher. Our client however needs these pages to be secure and restrict access to users who authenticate through a SAML-based SSO product. The SAM authentication handler configuration on Author instances is pretty straight forward but when attempting to do the same on publisher it does not work. The default behavior when using Asset Share page on publisher is that it redirects to the geometrix login (not AEM) page. I understand that this can be changed to a different page but I need it to redirect to the IdP login screen. When I configue the SAML authentication handler on publisher with the same exact parameters that work on author I not only am not redirected to the IdP to enter credentials, but I am not prompted for any authentication at all.
Is there a setting or something that I am missing somewhere on a publisher instances to enable the SAML authentication handler the same way it works on an author instance?
Any help and advice would be greatly appreciated.
Solved! Go to Solution.
Views
Replies
Total Likes
"Authentication Required" being set to No means that you're allowing anonymous login to the path specified, which is the default in publish. If you want to enforce login at a specific path, say /content/dam/clientdam, you can configure it in the Sling Authentication Service by adding +/content/dam/clientdam to the authentication requirements.
More about anonymous login with Sling authentication here: http://sling.apache.org/documentation/the-sling-engine/authentication/authentication-framework.html#...
Views
Replies
Total Likes
Configuration is same as author & no additional things required. Seems like other authentication handler may be picked. Change the service ranking of saml authentication handler and verify at http://localhost:4503/system/console/slingauth
Views
Replies
Total Likes
Sham HC wrote...
Configuration is same as author & no additional things required. Seems like other authentication handler may be picked. Change the service ranking of saml authentication handler and verify at http://localhost:4503/system/console/slingauth
Thank you for your response but I had tried that. The slingauth does show the SAML Authentication handler above the Day CQ Login selector authenticator. I have even tried disabling the Day CQ Login selector authenticator entirely and still I am never prompted for credentials when I access http://localhost:4503/content/dam/clientdam/assetshare.html (which is an instance of the assetshare page).
Looking at the Authentication Requirement Configuration in the slingauth config I see that on publisher that Authentication required is set to No in there but on Author it has different settings and some things have a Yes for Authentication required. Do I need to change something there and if so how?
Thanks in advance..
Views
Replies
Total Likes
"Authentication Required" being set to No means that you're allowing anonymous login to the path specified, which is the default in publish. If you want to enforce login at a specific path, say /content/dam/clientdam, you can configure it in the Sling Authentication Service by adding +/content/dam/clientdam to the authentication requirements.
More about anonymous login with Sling authentication here: http://sling.apache.org/documentation/the-sling-engine/authentication/authentication-framework.html#...
Views
Replies
Total Likes
Tiffany Wong wrote...
"Authentication Required" being set to No means that you're allowing anonymous login to the path specified, which is the default in publish. If you want to enforce login at a specific path, say /content/dam/clientdam, you can configure it in the Sling Authentication Service by adding +/content/dam/clientdam to the authentication requirements.
More about anonymous login with Sling authentication here: http://sling.apache.org/documentation/the-sling-engine/authentication/authentication-framework.html#...
I can't thank you enough! That is exactly what I overlooked when looking at all of the other configuration settings on my publisher for authentication. That did the trick.
Views
Replies
Total Likes
Views
Like
Replies