SAML authentication invalid SAML TOKEN | Community
Skip to main content
A
adithyaa6344757
Level 3
February 12, 2021
Solved

SAML authentication invalid SAML TOKEN

  • February 12, 2021
  • 3 replies
  • 8191 views

Hello All,

I am trying to implement saml integration on my local but gives invalid SAML token.

 

 

I am following this documentation: https://helpx.adobe.com/experience-manager/using/aem63_saml.html

 

I am using AEM 6.5.6 version

 

Here is my configuration:

 

I had tried to change the Service Provider Entity ID as AEMSAMLServiceaadi which is SPEntityId  created on SSO Circle IdP as per documentation.

 

I had also tried to remove POST as suggested by one of the person in community but it doesn't work.

 

Here are my logs:

 

11.02.2021 14:57:34.957 *DEBUG* [qtp499816707-2364] com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: Signature invalid.
11.02.2021 14:57:34.957 *INFO* [qtp499816707-2364] com.adobe.granite.auth.saml.SamlAuthenticationHandler Login failed. SAML token invalid.
11.02.2021 14:57:34.957 *INFO* [qtp499816707-2364] com.adobe.granite.auth.saml.SamlAuthenticationHandler SAML error with reason: invalid_token detected, redirect user to: /libs/granite/core/content/login.error.html?j_reason=invalid_token
11.02.2021 15:41:14.723 *INFO* [CM Event Dispatcher (Fire ConfigurationEvent: pid=com.adobe.granite.auth.saml.SamlAuthenticationHandler.e763ec3a-e683-4c0e-b2d6-63adf9536459)] com.adobe.granite.auth.saml Service [com.adobe.granite.auth.saml.SamlAuthenticationHandler.e763ec3a-e683-4c0e-b2d6-63adf9536459,8730, [org.apache.sling.auth.core.spi.AuthenticationHandler]] ServiceEvent UNREGISTERING
11.02.2021 15:41:14.727 *INFO* [CM Event Dispatcher (Fire ConfigurationEvent: pid=com.adobe.granite.auth.saml.SamlAuthenticationHandler.e763ec3a-e683-4c0e-b2d6-63adf9536459)] com.adobe.granite.auth.saml Service [com.adobe.granite.auth.saml.SamlAuthenticationHandler.e763ec3a-e683-4c0e-b2d6-63adf9536459,8776, [org.apache.sling.auth.core.spi.AuthenticationHandler]] ServiceEvent REGISTERED
11.02.2021 15:41:45.103 *DEBUG* [qtp499816707-2418] com.adobe.granite.auth.saml.util.SamlReader Signature verification failed. No signature.
11.02.2021 15:41:45.108 *ERROR* [qtp499816707-2418] com.adobe.granite.auth.saml.util.SamlReader Unable to validate signature.
javax.xml.crypto.dsig.XMLSignatureException: java.security.SignatureException: Signature length not correct: got 256 but was expecting 512
	at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature$DOMSignatureValue.validate(DOMXMLSignature.java:565) [com.adobe.granite.auth.saml:1.0.24]
	at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.validate(DOMXMLSignature.java:254) [com.adobe.granite.auth.saml:1.0.24]
	at com.adobe.granite.auth.saml.util.SamlReader.verifyElementSignature(SamlReader.java:368) [com.adobe.granite.auth.saml:1.0.24]
	at com.adobe.granite.auth.saml.util.SamlReader.parse(SamlReader.java:241) [com.adobe.granite.auth.saml:1.0.24]
	at com.adobe.granite.auth.saml.util.SamlReader.read(SamlReader.java:122) [com.adobe.granite.auth.saml:1.0.24]
	at com.adobe.granite.auth.saml.binding.PostBinding.receive(PostBinding.java:109) [com.adobe.granite.auth.saml:1.0.24]
	at com.adobe.granite.auth.saml.SamlAuthenticationHandler.handleLogin(SamlAuthenticationHandler.java:805) [com.adobe.granite.auth.saml:1.0.24]
	at com.adobe.granite.auth.saml.SamlAuthenticationHandler.extractCredentials(SamlAuthenticationHandler.java:499) [com.adobe.granite.auth.saml:1.0.24]
	at org.apache.sling.auth.core.impl.AuthenticationHandlerHolder.doExtractCredentials(AuthenticationHandlerHolder.java:76) [org.apache.sling.auth.core:1.4.2]
	at org.apache.sling.auth.core.impl.AbstractAuthenticationHandlerHolder.extractCredentials(AbstractAuthenticationHandlerHolder.java:60) [org.apache.sling.auth.core:1.4.2]
	at org.apache.sling.auth.core.impl.SlingAuthenticator.getAuthenticationInfo(SlingAuthenticator.java:735) [org.apache.sling.auth.core:1.4.2]
	at org.apache.sling.auth.core.impl.SlingAuthenticator.doHandleSecurity(SlingAuthenticator.java:483) [org.apache.sling.auth.core:1.4.2]
	at org.apache.sling.auth.core.impl.SlingAuthenticator.handleSecurity(SlingAuthenticator.java:460) [org.apache.sling.auth.core:1.4.2]
	at org.apache.sling.engine.impl.SlingHttpContext.handleSecurity(SlingHttpContext.java:131) [org.apache.sling.engine:2.6.18]
	at org.apache.felix.http.base.internal.whiteboard.PerBundleServletContextImpl.handleSecurity(PerBundleServletContextImpl.java:82) [org.apache.felix.http.jetty:4.0.8]
	at org.apache.felix.http.base.internal.dispatch.InvocationChain.doFilter(InvocationChain.java:58) [org.apache.felix.http.jetty:4.0.8]
	at org.apache.felix.http.base.internal.dispatch.Dispatcher$1.doFilter(Dispatcher.java:146) [org.apache.felix.http.jetty:4.0.8]
	at org.apache.felix.http.base.internal.whiteboard.WhiteboardManager$2.doFilter(WhiteboardManager.java:1002) [org.apache.felix.http.jetty:4.0.8]
	at org.apache.sling.security.impl.ReferrerFilter.doFilter(ReferrerFilter.java:326) [org.apache.sling.security:1.1.16]
	at org.apache.felix.http.base.internal.handler.PreprocessorHandler.handle(PreprocessorHandler.java:136) [org.apache.felix.http.jetty:4.0.8]
	at org.apache.felix.http.base.internal.whiteboard.WhiteboardManager$2.doFilter(WhiteboardManager.java:1008) [org.apache.felix.http.jetty:4.0.8]
	at org.apache.felix.http.sslfilter.internal.SslFilter.doFilter(SslFilter.java:97) [org.apache.felix.http.sslfilter:1.2.6]
	at org.apache.felix.http.base.internal.handler.PreprocessorHandler.handle(PreprocessorHandler.java:136) [org.apache.felix.http.jetty:4.0.8]
	at org.apache.felix.http.base.internal.whiteboard.WhiteboardManager$2.doFilter(WhiteboardManager.java:1008) [org.apache.felix.http.jetty:4.0.8]
	at org.apache.felix.http.base.internal.whiteboard.WhiteboardManager.invokePreprocessors(WhiteboardManager.java:1012) [org.apache.felix.http.jetty:4.0.8]
	at org.apache.felix.http.base.internal.dispatch.Dispatcher.dispatch(Dispatcher.java:91) [org.apache.felix.http.jetty:4.0.8]
	at org.apache.felix.http.base.internal.dispatch.DispatcherServlet.service(DispatcherServlet.java:49) [org.apache.felix.http.jetty:4.0.8]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:725) [org.apache.felix.http.servlet-api:1.1.2]
	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:873) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:542) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1701) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1345) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:480) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1668) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1247) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:220) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.server.Server.handle(Server.java:502) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:370) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:267) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683) [org.apache.felix.http.jetty:4.0.8]
	at java.lang.Thread.run(Thread.java:748)
Caused by: java.security.SignatureException: Signature length not correct: got 256 but was expecting 512
	at sun.security.rsa.RSASignature.engineVerify(RSASignature.java:211)
	at java.security.Signature$Delegate.engineVerify(Signature.java:1394)
	at java.security.Signature.verify(Signature.java:771)
	at org.apache.jcp.xml.dsig.internal.dom.DOMSignatureMethod.verify(DOMSignatureMethod.java:238) [com.adobe.granite.auth.saml:1.0.24]
	at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature$DOMSignatureValue.validate(DOMXMLSignature.java:562) [com.adobe.granite.auth.saml:1.0.24]
	... 55 common frames omitted
11.02.2021 15:41:45.109 *DEBUG* [qtp499816707-2418] com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: audienceRestrictions violated.
11.02.2021 15:41:45.109 *INFO* [qtp499816707-2418] com.adobe.granite.auth.saml.SamlAuthenticationHandler Login failed. SAML token invalid.
11.02.2021 15:41:45.109 *INFO* [qtp499816707-2418] com.adobe.granite.auth.saml.SamlAuthenticationHandler SAML error with reason: invalid_token detected, redirect user to: /libs/granite/core/content/login.error.html?j_reason=invalid_token

 

Please let me know if I am missing anything. I tried to refer many community links but it is not resolved.

 

Thanks,

Adithya.

 

 

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.
Best answer by Vijayalakshmi_S

Hi @adithyaa6344757,

Service Provider Entity ID should be the one configured in IDP - SSOCircle.

In your case, it should be AEMSAMLServiceaadi  instead of http://localhost:4502/saml_login in Service Provider Entity ID

Note : This value -http://localhost:4502/saml_login is to be used in Assertion Consumer URL(optional in the config)

3 replies

SureshDhulipudi
Community Advisor
SureshDhulipudiCommunity Advisor
Community Advisor
February 15, 2021

Generally the "Service Provider Entity ID" should be the environment URL (Dev, UAT etc) , this URL should identify by the Service Provider (SAML)

is this SAML configuration working with Dev or any other environment URLs?

    Ankur_Khare
    Community Advisor
    Ankur_KhareCommunity Advisor
    Community Advisor
    February 15, 2021

    Issue is with key store try to reconfiguring it.

    Step by step details here-

    https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/aem-6-4-saml-integration-with-sso/qaq-p/388634/comment-id/83082#M83082

     

     

      A
      adithyaa6344757Author
      Level 3
      February 15, 2021

      Thanks Ankur for the details. I followed the process according to the link that you had provided, it still says the same. I tried to re-configure the key store too.

       

      4.02.2021 22:24:48.375 *DEBUG* [qtp1785193178-1799] com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: Signature invalid.
14.02.2021 22:24:48.375 *INFO* [qtp1785193178-1799] com.adobe.granite.auth.saml.SamlAuthenticationHandler Login failed. SAML token invalid.
14.02.2021 22:24:48.376 *INFO* [qtp1785193178-1799] com.adobe.granite.auth.saml.SamlAuthenticationHandler SAML error with reason: invalid_token detected, redirect user to: /libs/granite/core/content/login.error.html?j_reason=invalid_token

      Thanks,
      Adithya.

       

      Vijayalakshmi_S
      Vijayalakshmi_SAccepted solution
      Level 10
      March 2, 2021

      Hi @adithyaa6344757,

      Service Provider Entity ID should be the one configured in IDP - SSOCircle.

      In your case, it should be AEMSAMLServiceaadi  instead of http://localhost:4502/saml_login in Service Provider Entity ID

      Note : This value -http://localhost:4502/saml_login is to be used in Assertion Consumer URL(optional in the config)

        Terms & ConditionsAccessibility statement

        Loading footer...