There's been a significant improvement to SAML with AEM 6.1 that is worth mentioning: Multiple OSGi configurations.

The problem

If you've gone through my AEM ADFS SAML tutorial, you know that SAML works tremendously well for author integrations. On 6.0, having a single OSGi configuration ties you to a single SAML IDP per AEM instance. In the case of ADFS, this meant not being able to use multiple URLs for SAML authentication.

The solution

By having multiple OSGi configurations in 6.1, you are no longer forced to choose a site or AEM instance to support. You can mix and match sites, AEM instances (author, publish, dispatch), and content nodes. This gives you complete control over how you trigger and accept SAML assertions.

Something to remember

Authentication in AEM is resolved per requested resource path. This means a SAML handler entry on a parent resource will override any entry declared for a child resource.

Bad OSGi SAML Paths:


In this case, a root-node authentication handler completely overrides any authentication handler declared for a child node. This is frustrating if you want all publish requests to hit one IDP while site-1's requests hit another. With clever Apache rewrites you can work around this limitation.

A better scenario is to handle authentication at the sibling level:

Good OSGi SAML Paths:


In this scenario, site one is not a child of site two, so each can have a different authentication handler, IDP and return URL.
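A quick check for the "bad" layout above, as an added example that is not code from the original post or from AEM: it parses the `path` property out of a set of SAML handler OSGi configurations and reports any pair where one configured path is an ancestor of another, which is exactly the overlap that lets a parent-level handler shadow a child-level one. It assumes each handler is a factory instance of `com.adobe.granite.auth.saml.SamlAuthenticationHandler` with a `path` and `idpUrl` property, and the config contents and IDP hostnames are constructed samples.

```python
"""Detect overlapping `path` values across SAML authentication-handler OSGi configs.

Added example, not code from the original post or from AEM. It assumes each
SAML handler instance is a factory configuration of
com.adobe.granite.auth.saml.SamlAuthenticationHandler whose `path` property
is the content subtree the handler covers. Sample configs are constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed samples mimicking OSGi .config files (one key="value" per line):
# the root + child layout the post calls "bad", and the sibling layout it calls "good".
BAD_CONFIGS = {
    "SamlAuthenticationHandler-root.config":
        'path="/"\nidpUrl="https://idp-a.example.test/adfs/ls/"\n',
    "SamlAuthenticationHandler-site1.config":
        'path="/content/site-1"\nidpUrl="https://idp-b.example.test/adfs/ls/"\n',
}
GOOD_CONFIGS = {
    "SamlAuthenticationHandler-site1.config":
        'path="/content/site-1"\nidpUrl="https://idp-a.example.test/adfs/ls/"\n',
    "SamlAuthenticationHandler-site2.config":
        'path="/content/site-2"\nidpUrl="https://idp-b.example.test/adfs/ls/"\n',
}

_KV = re.compile(r'^\s*([A-Za-z0-9_.]+)\s*=\s*"(.*)"\s*$')


def parse_config(text: str) -> Dict[str, str]:
    """Parse the simple key="value" lines of an OSGi .config file into a dict."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def _segments(path: str) -> List[str]:
    # "/" becomes [], "/content/site-1" becomes ["content", "site-1"]
    return [s for s in path.strip("/").split("/") if s]


def is_ancestor(parent: str, child: str) -> bool:
    """True when `parent` is a strict ancestor of `child` by whole path segment,
    so /content/site-1 is NOT treated as an ancestor of /content/site-10."""
    p, c = _segments(parent), _segments(child)
    return len(p) < len(c) and c[: len(p)] == p


def find_overlaps(configs: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (ancestor_path, descendant_path) pairs among the configured handler
    paths. An empty list means every handler covers a disjoint subtree."""
    # A handler config without an explicit path is assumed to default to "/".
    paths = sorted({parse_config(t).get("path", "/") for t in configs.values()})
    return [(a, b) for a in paths for b in paths if is_ancestor(a, b)]


if __name__ == "__main__":
    for label, cfgs in (("bad", BAD_CONFIGS), ("good", GOOD_CONFIGS)):
        print(label, find_overlaps(cfgs) or "no overlapping handler paths")
```

Run it against the `.config` files exported from an instance (or the contents of each `sling:OsgiConfig` node) before enabling a new handler; any reported pair is a layout where one IDP's handler sits above another's and the post's override behaviour applies.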