SAML POST from Okta IDP to AEMaaCS failing | Community
Skip to main content
P
pardeepg4829047
Level 3
May 30, 2023
Solved

SAML POST from Okta IDP to AEMaaCS failing

  • May 30, 2023
  • 1 reply
  • 933 views

We are doing SAML integration with Okta IDP on AEM Publisher and after doing all the required configurations, getting forbidden 403 when IDP is redirecting to AEM.

[26/May/2023:10:25:20 +0000] [I] [cm-p104909-e982861-aem-publish-7cfb4c8c6d-nmjt2] "GET /content/cisco-dcloud/us/en/home/secure.html" 200 7ms [publishfarm/0] [actionnone] publish-p104909-e982861.adobeaemcloud.com
[26/May/2023:10:25:23 +0000] [I] [cm-p104909-e982861-aem-publish-7cfb4c8c6d-nmjt2] "POST /content/cisco-dcloud/saml_login" 403 7ms [publishfarm/0] [actionnone] publish-p104909-e982861.adobeaemcloud.com

 

We have allowed the POST request to */saml_login in filter rules on dispatcher as shown below but still getting 403 on POST request:

 

# Allow SAML HTTP POST to ../saml_login end points
/0110 { /type "allow" /method "POST" /url "*/saml_login" }

 

Please suggest what can be the issue.

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.
Best answer by aanchal-sikka

Hello @pardeepg4829047 

 

We also need to update "Referrer filter" and "CORS" settings.

https://experienceleague.adobe.com/docs/experience-manager-learn/cloud-service/authentication/saml-2-0.html?lang=en#configure-referrer-filter

 

requesting you to please cross-check if all steps are implemented.

1 reply

aanchal-sikka
Community Advisor
aanchal-sikkaCommunity AdvisorAccepted solution
Community Advisor
May 30, 2023

Hello @pardeepg4829047 

 

We also need to update "Referrer filter" and "CORS" settings.

https://experienceleague.adobe.com/docs/experience-manager-learn/cloud-service/authentication/saml-2-0.html?lang=en#configure-referrer-filter

 

requesting you to please cross-check if all steps are implemented.

Aanchal Sikka
    P
    pardeepg4829047Author
    Level 3
    May 30, 2023

    @aanchal-sikka  - we have already done the required configurations for CORS and Referrer Filter configs as per below but still the issue persists.

     

    CORS:

    {

    "alloworigin": [

    "$[env:SAML_IDP_ORIGIN;default=http://www.okta.com]"

    ],

    "allowedpaths": [

    ".*/saml_login"

    ],

    "supportedmethods": [

    "POST"

    ]

    }

     

    Referrer Filter:

    {

    "allow.empty": true,

    "allow.hosts.regexp": "http://www.okta.com",

    "allow.hosts": [

    "$[env:SAML_IDP_REFERRER;default=http://www.okta.com]"

    ],

    "filter.methods": [

    "POST"

    ],

    "exclude.agents.regexp": [ ]

    }

      P
      pardeepg4829047Author
      Level 3
      June 1, 2023

      The issue was with incorrect host in referrer filter. We identified the correct referrer from SAML response.

       

      We changed the below entry to fix the issue:

       

      $[env:SAML_IDP_REFERRER;default=http://www.okta.com]

       

      to 

       

      $[env:SAML_IDP_REFERRER;default=int-id.cisco.com]

        Terms & ConditionsAccessibility statement

        Loading footer...