SOLVED

Suggestions on using different IDP URLs (same domain but different context) for different websites hosted in AEM 6.2


Hi All,

We have 3 websites (aaa.com, bbb.com, ccc.com) hosted on AEM publish and would like to authenticate users through SAML.

But each site plans to use a different IDP URL and Service Provider Entity ID in the SAML Authentication handler. (The domain would be the same but the context different, e.g. http://x.y.com/idp1 and http://x.y.com/idp2.)

Can anyone please suggest how to implement this?

Thanks,

GVK

5 Replies

Level 9

Hi GVK,

It is supported out of the box. The Service Provider Entity ID is just a unique name; it is not mandatory that it be a URL.

Assume:

  1. aaa.com mapped to /content/geometrixx/en, IDP URL http://idp1.com and entity ID http://x.y.com/idp1
  2. bbb.com mapped to /content/geometrixx/fr, IDP URL http://idp2.com and entity ID http://x.y.com/idp2
  3. ccc.com mapped to /content/geometrixx/de, IDP URL http://idp3.com and entity ID http://x.y.com/idp3

Create 3 AEM SAML configs with almost the same settings, the differences being:

  1. For the first config, path /content/geometrixx/en, IDP URL http://idp1.com and entity ID http://x.y.com/idp1
  2. For the second config, path /content/geometrixx/fr, IDP URL http://idp2.com and entity ID http://x.y.com/idp2
  3. For the third config, path /content/geometrixx/de, IDP URL http://idp3.com and entity ID http://x.y.com/idp3

Thanks,

Level 3

Thanks a lot, MC Stuff, for the quick reply!

A few more queries.

1. When you say "create 3 SAML configs", you mean I should create 3 SAML handlers with different URLs/entity IDs, etc., right?

2. As you mentioned, if we are able to use 3 IDP URLs in 3 different SAML handlers, could you please let me know how the truststore and keystore work? As of now we have configured the truststore with the IDP1 certificate and the keystore with the aaa.com SSL certificate.

    - Will requests from yyy.com be trusted with the IDP1 (truststore) and zzz.com (keystore) certificates?

Thanks in advance.

Regards,

GVK

Correct answer by
Level 9

Gunalan V wrote...

1. When you say "create 3 SAML configs", you mean I should create 3 SAML handlers with different URLs/entity IDs, etc., right?

Yes.

2. As you mentioned, if we are able to use 3 IDP URLs in 3 different SAML handlers, could you please let me know how the truststore and keystore work?

There is no limitation on the number of certificates you can upload into the truststore or keystore.

As of now we have configured the truststore with the IDP1 certificate and the keystore with the aaa.com SSL certificate.

    - Will requests from yyy.com be trusted with the IDP1 (truststore) and zzz.com (keystore) certificates?

AEM has built-in logic: if a duplicate certificate is uploaded, it will not create a new entry. If all 3 certificates turn out to be the same, you will see one alias; use that for all configs. If they are different, a separate alias is created for each, and you use the corresponding alias in each SAML config.
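Taking the site-to-path mapping from MC Stuff's first reply and the alias behaviour described in the answer above, here is an added example (not code from the thread or from Adobe) that fingerprints each IdP signing certificate to decide whether the three sites share one truststore alias or need separate ones, and then emits one OSGi handler config per site so each path is bound to its own IdP URL, entity ID and certificate alias. The PEM bodies, the alias names and the .config layout are constructed assumptions; the property keys are those of the SamlAuthenticationHandler.

```python
"""Plan one AEM SAML handler config per site from the IdPs' signing certificates.

Added example (not the thread's or Adobe's code): identical certificates collapse to
one truststore alias, as the accepted answer describes, different ones get their own,
and each site's path is bound to its own idpUrl, entity ID and idpCertAlias.  PEM
bodies are constructed stand-ins; alias names and the .config layout are assumptions."""
import base64, hashlib, re

# Constructed stand-in "certificates": aaa.com and bbb.com share one IdP cert, ccc.com differs.
CERT_SHARED = "-----BEGIN CERTIFICATE-----\nAAECAwQFBgcICQ==\n-----END CERTIFICATE-----\n"
CERT_OTHER = "-----BEGIN CERTIFICATE-----\nCgsMDQ4P\n-----END CERTIFICATE-----\n"

# Site-to-path mapping from the thread's example, with constructed certificate data.
SITES = [
    {"host": "aaa.com", "path": "/content/geometrixx/en", "idp_url": "http://idp1.com",
     "entity_id": "http://x.y.com/idp1", "idp_cert": CERT_SHARED},
    {"host": "bbb.com", "path": "/content/geometrixx/fr", "idp_url": "http://idp2.com",
     "entity_id": "http://x.y.com/idp2", "idp_cert": CERT_SHARED},
    {"host": "ccc.com", "path": "/content/geometrixx/de", "idp_url": "http://idp3.com",
     "entity_id": "http://x.y.com/idp3", "idp_cert": CERT_OTHER},
]

def der_fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes inside a PEM block: two uploads with the same
    fingerprint are the same certificate, whatever file name or alias they carry."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----|\s", "", pem)
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

def plan(sites):
    """Return {'aliases': {fingerprint: alias}, 'configs': {host: .config text}}.
    Two handlers claiming the same path or SP entity ID is rejected, since AEM could
    not then tell which handler (and which IdP certificate) should validate a request."""
    for key in ("path", "entity_id"):
        values = [s[key] for s in sites]
        if len(set(values)) != len(values):
            raise ValueError(f"duplicate {key} across handlers: {values}")
    aliases, configs = {}, {}
    for s in sites:
        fp = der_fingerprint(s["idp_cert"])
        alias = aliases.setdefault(fp, f"idp-{len(aliases) + 1}")  # hypothetical alias naming
        # Property keys are those of com.adobe.granite.auth.saml.SamlAuthenticationHandler;
        # the quoting and ["..."] array syntax follow the OSGi .config file format.
        configs[s["host"]] = "\n".join([
            f'path=["{s["path"]}"]',
            f'idpUrl="{s["idp_url"]}"',
            f'serviceProviderEntityId="{s["entity_id"]}"',
            f'idpCertAlias="{alias}"',
        ])
    return {"aliases": aliases, "configs": configs}
```

Comparing SHA-256 fingerprints is the check to run before uploading, so you know in advance whether to expect one alias or several; the thread does not say how AEM's own duplicate detection compares certificates.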

Level 3

Thank you, MC Stuff!

I was able to add multiple certificates to the truststore and keystore in my local AEM. I will try it in a lower environment and get your help if there are any issues.

Regards,

GVK 


Hi Gunalan,

I am trying to add a new certificate to the truststore, but it always replaces the existing one, even though the certificates are different.

Any pointers would be helpful. Also, what is the logic of that built-in feature for comparing certificates?

Regards,

Akash B.