SSO AEM, Azure - one last problem! | Community
Skip to main content
crich2784
crich2784
Level 6
August 20, 2023
Solved

SSO AEM, Azure - one last problem!

  • August 20, 2023
  • 2 replies
  • 1716 views

 

I have one last error!!!  I have followed all the instructions in AEM documentation from what I can tell.

The redirect to login.microsoft.com works.  

It redirects to /content/saml_login (also used /saml_login) - It returns a 403 error.

I inspected the payload and decode base 64 - looks pretty good!

I turned on TRACE for SAML in AEM

This is the response.

com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.

I've unchecked and checked create User and add to groups (every combination) - no luck.

I've uploaded the certificate to Trust store several times and ensured password is good.  Tried mapping to user in this last try. No luck.

Created a Truststore for admin user - still no luck (didn't upload a cert to admin user)

Unchecked "Use encryption" - no luck.

Please, please, please, I need some other ideas . . . thanks.

 

Below are strategic screenshots

 

 

 

 

 

 

 

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.
Best answer by crich2784

Hello @crich2784 

 

Can you please enable the SAML trace logs and check if this behavior is observed specifically for GET requests? POST requests should be successful. saml_login can only address POST requests. GET would throw 403.

 

If yes, the GET requests need to be blocked from reaching AEM. In the blog, its controlled via dispatcher sitting in front on author.

 

 


Ok, I had a call with Adobe support and I think we figured it out.

The /saml_login was getting a 403 because it was not contained within the authenticated path.

 

For example, if my SAML authentication path is /aem - I would need to configure /aem/saml_login as the reply URL.  This make the saml_login within the authenticated path of /aem.

 

Once this change was made, I was able to get passed the 403 error, but then we had permissions issue so, /aem/start.html would not load.  I had to add the correct permissions to the group "AzureUsers" in order for the authenticated user to see AEM.

 

All is good now.  Thank you for your help.

2 replies

aanchal-sikka
Community Advisor
aanchal-sikkaCommunity Advisor
Community Advisor
August 21, 2023

Hello @crich2784 

 

Please check for following as suggested in the blog post:

 

Issue-1: ‘Resource at ‘/saml_login’ not found: No resource found’ due to intermittent GET requests.

Resolution: The “saml_login” Servlet only handles POST requests. Hence, if you noticing intermittent GET requests, resulting in resource not found error, then deny GET request to “/saml_login” on Author.

 

Add the following filter rule to Dispatcher

/0207 { /type "deny" /method "GET" /url "*/saml_login" }

 

Issue-3: ‘Resource at ‘/saml_login’ not found: No resource found’ for POST requests.

Resolution: Assure that “POST” request isn’t blocked on dispatcher level. Following filter rule should be available

/0208 { /type "allow" /method "POST" /url "*/saml_login" }

 

 

https://techrevel.blog/2021/02/01/configuring-aem-for-single-sign-on-via-azure-ad/

Aanchal Sikka
    crich2784
    crich2784Author
    Level 6
    August 21, 2023

    We are using the quickstart jar on an Author instance.  We do not have a Dispatcher installed.  So unless I'm missing something, how do I clear up the 403 on /saml_login on Author? @aanchal-sikka 

      aanchal-sikka
      Community Advisor
      aanchal-sikkaCommunity Advisor
      Community Advisor
      August 22, 2023

      Hello @crich2784 

       

      Can you please enable the SAML trace logs and check if this behavior is observed specifically for GET requests? POST requests should be successful. saml_login can only address POST requests. GET would throw 403.

       

      If yes, the GET requests need to be blocked from reaching AEM. In the blog, its controlled via dispatcher sitting in front on author.

       

       

      Aanchal Sikka
        sherinregi-1
        Community Advisor
        sherinregi-1Community Advisor
        Community Advisor
        August 21, 2023

        hi @crich2784 

        Can you also check the below two AEM configs that allows POST 

        add you allowed origin here 

         

         

        This one also to make sure there is no blocking of post at the AEM level.

         

        One more thing  I observed from your deflated SAML response is the recipient is configured to an https domain ending with.com . Not very sure it will have an impact. In our case we have the respective request domain configured there.

         

          crich2784
          crich2784Author
          Level 6
          August 21, 2023

          The recipient in the XML is the Reply URL in Azure.  Not sure why .com would matter.

           

          This is my referrer.  I have tried wiht Allow Empty unchecked and add POST to filter methods.  No luck there either.

           

          Here is the Cross-Origin Resource Sharing policy.  

           

          I think I have all this correct.

           

           

            Terms & ConditionsAccessibility statement

            Loading footer...