Hi All,
We have 3 websites (aaa.com, bbb.com, ccc.com) hosted on AEM publish and would like to authenticate users through SAML.
But each site is planning to use a different IDP URL and Service Provider Entity ID in the SAML Authentication handler. (The domain would be the same but the context is different, e.g. http://x.y.com/idp1 and http://x.y.com/idp2.)
Can anyone please provide your suggestion on how to implement this?
Thanks,
GVK
MC Stuff wrote...
Hi GVK,
It is supported out of the box. The Service Provider Entity ID is just a unique name; it is not mandatory that it be a URL.
Assume:
aaa.com mapped to /content/geometrixx/en, idp url is http://idp1.com and entity id is http://x.y.com/idp1
bbb.com mapped to /content/geometrixx/fr, idp url is http://idp2.com and entity id is http://x.y.com/idp2
ccc.com mapped to /content/geometrixx/de, idp url is http://idp3.com and entity id is http://x.y.com/idp3
Create 3 AEM SAML configs with almost the same settings, the differences being:
For the first config, path is /content/geometrixx/en, idp url is http://idp1.com and entity id is http://x.y.com/idp1
For the second config, path is /content/geometrixx/fr, idp url is http://idp2.com and entity id is http://x.y.com/idp2
For the third config, path is /content/geometrixx/de, idp url is http://idp3.com and entity id is http://x.y.com/idp3
Thanks,
Thanks a lot, MC Stuff, for the quick reply!
A few more queries.
1. When you say "create 3 saml config", you want me to create 3 SAML handlers with different URL/entity ID, etc., right?
2. As you mentioned, if we are able to use 3 IDP URLs in 3 different SAML handlers, could you please let me know how the truststore and keystore work? As of now we have configured the truststore with the IDP1 certificate and the keystore with the aaa.com SSL certificate.
- Will requests from yyy.com be trusted with the IDP1 (truststore) and zzz.com (keystore) certificates?
Thanks in advance.
Regards,
GVK
Gunalan V wrote...
1. When you say "create 3 saml config", you want me to create 3 SAML handlers with different URL/entity ID, etc., right?
Yes
2. As you mentioned, if we are able to use 3 IDP URLs in 3 different SAML handlers, could you please let me know how the truststore and keystore work?
There is no limit on the number of certificates you can upload into the truststore or keystore.
As of now we have configured the truststore with the IDP1 certificate and the keystore with the aaa.com SSL certificate.
- Will requests from yyy.com be trusted with the IDP1 (truststore) and zzz.com (keystore) certificates?
AEM has intelligent logic built in: if a duplicate certificate is uploaded, it will not create a new one. If all 3 certificates turn out to be the same, you will see one alias; use that for all configs. If they are different, different aliases will be created; use the corresponding alias in each SAML config.
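To make the two answers above concrete, here is an added, illustrative example (not from the original posts and not Adobe's documentation) of the three OSGi factory configurations for `com.adobe.granite.auth.saml.SamlAuthenticationHandler` written as `.config` files, one per site, following the mapping given earlier. The property names are the handler's own; the file-name suffixes, the alias values, the keystore password, the ACS and logout URLs and the user-ID attribute are assumptions. What matters is which values differ per handler and which must agree: `path` is what selects the handler for a request (the longest matching path wins), `idpUrl` and `idpCertAlias` must belong to the same IdP so a handler only accepts assertions signed by the IdP it redirects to, and `serviceProviderEntityId` must be the SP entity ID that IdP has registered for that site, which is why the three entity IDs only need to be distinct strings, not resolvable URLs.

```properties
# crx-quickstart/install/com.adobe.granite.auth.saml.SamlAuthenticationHandler-aaa.config
# ("aaa" is an arbitrary factory-instance suffix; assumption)
path=["/content/geometrixx/en"]
service.ranking=I"5002"
idpUrl="http://idp1.com"
# alias of the IDP1 signing certificate in the global truststore (placeholder;
# AEM generates the real alias, e.g. certalias___<timestamp>, on upload)
idpCertAlias="certalias___idp1"
serviceProviderEntityId="http://x.y.com/idp1"
assertionConsumerServiceURL="https://aaa.com/saml_login"
# alias of the SP private key in the keystore of the user the handler runs as
spPrivateKeyAlias="certalias___aaa"
keyStorePassword="changeit"
userIDAttribute="NameID"
createUser=B"true"
handleLogout=B"true"
logoutUrl="http://idp1.com/logout"
clockTolerance=I"60"

# crx-quickstart/install/com.adobe.granite.auth.saml.SamlAuthenticationHandler-bbb.config
path=["/content/geometrixx/fr"]
service.ranking=I"5002"
idpUrl="http://idp2.com"
idpCertAlias="certalias___idp2"
serviceProviderEntityId="http://x.y.com/idp2"
assertionConsumerServiceURL="https://bbb.com/saml_login"
spPrivateKeyAlias="certalias___bbb"
keyStorePassword="changeit"
userIDAttribute="NameID"
createUser=B"true"
handleLogout=B"true"
logoutUrl="http://idp2.com/logout"
clockTolerance=I"60"

# crx-quickstart/install/com.adobe.granite.auth.saml.SamlAuthenticationHandler-ccc.config
path=["/content/geometrixx/de"]
service.ranking=I"5002"
idpUrl="http://idp3.com"
idpCertAlias="certalias___idp3"
serviceProviderEntityId="http://x.y.com/idp3"
assertionConsumerServiceURL="https://ccc.com/saml_login"
spPrivateKeyAlias="certalias___ccc"
keyStorePassword="changeit"
userIDAttribute="NameID"
createUser=B"true"
handleLogout=B"true"
logoutUrl="http://idp3.com/logout"
clockTolerance=I"60"
```

If the three IdPs sign with the same certificate, the truststore holds it once and all three `idpCertAlias` values are that single alias; if they differ, each handler points at its own alias, and the same applies to `spPrivateKeyAlias` when the sites present different SP keys. The `idpUrl` values above keep the plain-http form used in the thread; outside a sandbox both `idpUrl` and the ACS URL should be https, since the redirect and RelayState travel over that channel even though the assertion itself is protected by the IdP signature.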
Thank you, MC Stuff!
I was able to add multiple certificates to the truststore and keystore in my local AEM. I will try the lower environment and get your help if there are any issues.
Regards,
GVK
Hi Gunalan,
I am trying to add a new certificate to the truststore. It always replaces the existing one, even though the certificates are different.
Any pointers would be helpful. And what is the logic of that built-in feature for comparing certificates?
Regards,
Akash B.