AEM 6.1 | SAML Multiple Identity providers | Community
Naveen_AEM_dev
New Participant
March 2, 2016
Solved

AEM 6.1 | SAML Multiple Identity providers

  • March 2, 2016
  • 4 replies
  • 3579 views

My use case is as follows:

One Service Provider (AEM) and 2 identity providers - IDP1 and IDP2. Let's assume that there is no login context / saved credentials in the SP so the SP will ask the IDP to assert the principal's (user's) credentials. In this case, IDP1 needs to first attempt to authenticate the user and if the user is not authenticated, delegate the request to IDP2 for authentication. If IDP2 is able to authenticate the user then the SP will receive the SAML response and make an access control decision else a login error screen needs to be shown.

My issues:

I cannot have two separate SAML authentication configurations for the same path because one will override the other, and also there will be two separate login screens/prompts displayed to the customer, one for each provider.

Is anyone able to provide any insight on how the above use case can be implemented in AEM 6.1?


4 replies

Naveen_AEM_dev
New Participant
March 4, 2016

Thanks for confirming Lokesh!

Lokesh_Shivalingaiah
New Participant
March 4, 2016

For your use case, you will have to write a custom authentication handler, as OOB is not available.

Naveen_AEM_dev (Author, Accepted solution)
New Participant
March 4, 2016

Hi Lokesh,

This wouldn't work for my use case because, if the user logging in cannot be authenticated by the first IDP, the request is not handed over to the second IDP for authentication automatically. There is a login error, and the user is still shown the IDP1 login screen.

My requirement is: if the user is not authenticated successfully on IDP1, then the user credentials need to be sent (request forwarded) to IDP2 (this way there is no prompt for entering user credentials again) and authenticated by IDP2. If the user is successfully authenticated by IDP2, then the SAML response will be constructed with reference to the IDP which successfully authenticated the user (IDP2 in this scenario).

My take is to create a custom SAML authentication handler to achieve this, but if there is some way the OOTB functionality can be leveraged to get this done, that would be preferred.

Lokesh_Shivalingaiah
New Participant
March 3, 2016

Hi Naveen,

You can configure multiple SAML IDPs (check the screenshot), and the order in which they would authenticate will be based on the ranking; the same can be checked in /system/console/jaas.
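The thread above leaves the fallback logic of such a custom handler undescribed, so here is an added, stand-alone model of the SP side of it. It is not AEM code and not Adobe's SAML handler; it is a Python sketch written for this page, and every name, entity ID, user and key in it is constructed. Two points it makes concrete: first, the IdPs are consulted strictly in ranking order (the ordering Lokesh points to), with one AuthnRequest per IdP; second, the SP never receives the user's password in SAML, so "forwarding the credentials" can only mean issuing a fresh AuthnRequest to the next IdP, and a response must then be accepted only if its Issuer is the IdP that particular request was sent to, it answers an outstanding request ID, and it verifies under that IdP's key. The HMAC stands in for XML signature verification purely to keep the example runnable offline.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class IdpConfig:
    entity_id: str   # SAML Issuer value the IdP places in its Response
    ranking: int     # lower ranking is tried first (constructed analogue of handler ranking)
    key: bytes       # constructed stand-in for the IdP signing certificate (HMAC key, not XML-DSig)


@dataclass(frozen=True)
class SamlResponse:
    issuer: str
    in_response_to: str
    subject: Optional[str]        # None models an IdP that could not authenticate the user
    not_on_or_after: datetime
    signature: bytes


def _body(issuer: str, in_response_to: str, subject: Optional[str], expiry: datetime) -> bytes:
    return f"{issuer}|{in_response_to}|{subject}|{expiry.isoformat()}".encode()


def sign_response(idp: IdpConfig, in_response_to: str, subject: Optional[str], now: datetime) -> SamlResponse:
    """Constructed IdP side: bind the response to the request ID and sign it with this IdP's key."""
    expiry = now + timedelta(minutes=5)
    sig = hmac.new(idp.key, _body(idp.entity_id, in_response_to, subject, expiry), hashlib.sha256).digest()
    return SamlResponse(idp.entity_id, in_response_to, subject, expiry, sig)


class ChainedServiceProvider:
    """SP that tries the configured IdPs in ranking order, issuing one AuthnRequest per IdP."""

    def __init__(self, idps):
        self.idps = sorted(idps, key=lambda i: i.ranking)
        self.by_issuer = {i.entity_id: i for i in self.idps}
        self.pending: Dict[str, str] = {}   # AuthnRequest ID -> entity_id the request was sent to

    def issue_authn_request(self, idp: IdpConfig) -> str:
        request_id = "_" + secrets.token_hex(16)
        self.pending[request_id] = idp.entity_id
        return request_id

    def validate(self, resp: SamlResponse, now: datetime) -> Tuple[Optional[str], str]:
        # Each request ID is consumed once, so a replayed or unsolicited response is rejected.
        expected_issuer = self.pending.pop(resp.in_response_to, None)
        if expected_issuer is None:
            return None, "unsolicited or replayed response"
        # The response must come from the IdP this request was addressed to, not just any configured IdP.
        if resp.issuer != expected_issuer:
            return None, "issuer does not match the IdP the request was sent to"
        idp = self.by_issuer[resp.issuer]
        expected = hmac.new(idp.key, _body(resp.issuer, resp.in_response_to, resp.subject,
                                           resp.not_on_or_after), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, resp.signature):
            return None, "signature does not verify under the issuer's key"
        if now >= resp.not_on_or_after:
            return None, "assertion expired"
        if resp.subject is None:
            return None, "identity provider could not authenticate the user"
        return resp.subject, "ok"

    def authenticate(self, round_trip, now: datetime):
        """round_trip(entity_id, request_id) stands in for the browser redirect and the POSTed Response."""
        for idp in self.idps:
            request_id = self.issue_authn_request(idp)
            subject, reason = self.validate(round_trip(idp.entity_id, request_id), now)
            if subject is not None:
                return subject, idp.entity_id, reason
        return None, None, "no configured identity provider authenticated the user"


# Constructed configuration: two IdPs, IDP1 ranked ahead of IDP2.
IDP1 = IdpConfig("https://idp1.example.test", ranking=10, key=b"constructed-key-idp1")
IDP2 = IdpConfig("https://idp2.example.test", ranking=20, key=b"constructed-key-idp2")
IDPS = {IDP1.entity_id: IDP1, IDP2.entity_id: IDP2}
# Constructed user directories: alice is known to both IdPs, bob only to IDP2.
DIRECTORY = {IDP1.entity_id: {"alice"}, IDP2.entity_id: {"alice", "bob"}}
NOW = datetime(2016, 3, 2, 12, 0, tzinfo=timezone.utc)


def browser_round_trip(username: str):
    def round_trip(entity_id: str, request_id: str) -> SamlResponse:
        subject = username if username in DIRECTORY[entity_id] else None
        return sign_response(IDPS[entity_id], request_id, subject, NOW)
    return round_trip


def login(username: str):
    sp = ChainedServiceProvider([IDP2, IDP1])   # deliberately unsorted; ranking decides the order
    return sp.authenticate(browser_round_trip(username), NOW)


def cross_idp_response():
    """A response validly signed by IDP2 that answers a request sent to IDP1 must be rejected."""
    sp = ChainedServiceProvider([IDP1, IDP2])
    request_id = sp.issue_authn_request(IDP1)
    return sp.validate(sign_response(IDP2, request_id, "alice", NOW), NOW)


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, "->", login(user))
    print("cross-IdP response ->", cross_idp_response())
```

In a real deployment the IdP round trip is a browser redirect, so whether the user sees a second prompt depends on whether IDP2 already holds a session for them; the SP cannot suppress it by reusing credentials it never had. The `cross_idp_response` case is the check most worth carrying into a custom handler: with more than one trusted IdP, the handler must map the response Issuer to the metadata of the IdP the request was addressed to before verifying the signature, rather than accepting any response that verifies under any configured certificate.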