Expand my Community achievements bar.

Dive into Adobe Summit 2024! Explore curated list of AEM sessions & labs, register, connect with experts, ask questions, engage, and share insights. Don't miss the excitement.
SOLVED

6.4 "Invalid SAML token" error

Avatar

Level 3

I am working through this tutorial, trying to get SAML SSO to work.

I am using Azure AD as the identity provider, and I have a local instance of AEM 6.4 running on my machine. To expose it to the internet, I am using a tool called ngrok.

 

I have also followed the instructions here to configure the SAML logger

 

When I attempt to log in, the logger reports these errors

com.adobe.granite.auth.saml.util.SamlReader Signature verification failed. No signature.
com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: audienceRestrictions violated.
com.adobe.granite.auth.saml.SamlAuthenticationHandler Login failed. SAML token invalid.
com.adobe.granite.auth.saml.SamlAuthenticationHandler SAML error with reason: invalid_token detected, redirect user to: /libs/granite/core/content/login.error.html?j_reason=invalid_token    

 

Here's how the app is configured in Azure:

 
 

image.png

 

image.png

 

Here is how it is set up in AEM:

 

image.png

image.png

Here's my Global Trust Store

image.png

 

Here's what it looks like when I try to log in with Azure

image.png

 

What am I missing?

Topics

Topics help categorize Community content and increase your ability to discover relevant content.

6.4
1 Accepted Solution

Avatar

Correct answer by
Employee

Hi @grantc99475970,

The cause for errors [0] is a difference between the Login URL defined in Azure AD and the Service Provided Entity ID defined in SAML 2.0 Authentication handler. 

Both the values have to be aligned and the value returned by the IDP can be seen in the response like:

 

 

 

[0]:

com.adobe.granite.auth.saml.util.SamlReader Signature verification failed. No signature.
com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: audienceRestrictions violated.
com.adobe.granite.auth.saml.SamlAuthenticationHandler Login failed. SAML token invalid.
com.adobe.granite.auth.saml.SamlAuthenticationHandler SAML error with reason: invalid_token detected, redirect user to: /libs/granite/core/content/login.error.html?j_reason=invalid_token    

 

 

I see, you have provided Service provider entity ID as https://a20d1c987456.ngrok.io/adobe_experience_manager in IDP but on checking the same in saml authentication handler config, I see a different value which is causing the issue here.

 

You have to define the audience value returned in the SAML response which seems to be https://a20d1c987456.ngrok.io/adobe_experience_manager to the Service Provider Entity ID in the AEM SAML configuration.

 

Also, do mention the default group in SAML config as administrators so that when user after successful authentication from IDP can be added to this by default.

 

Thanks!!

View solution in original post

3 Replies

Avatar

Employee

You need to capture the SAML Response from your Idp and inspect it to understand why it failed.

 

Just capture the browser network traffic, save that traffic as a HAR file 

-- then

Use something like Google's HAR analyzer to inspect that traffic -- https://toolbox.googleapps.com/apps/har_analyzer/

-- then

Find the POST request to your Idp

-- then 

You need to base64 decode the SAMLResponse using something like : https://www.samltool.com/decode.php

 

The SAMLResponse will tell you everything. 


AEM isn't doing anything special here, it's just looking for the SAMLResponse to have a signed assertion and a success message. 

In all likelihood it's a misconfiguration on the Idp end -- especially since the log message you provided says the assertion is not signed.

Avatar

Level 4
There are lots of good debugging suggestions here, Thank you! Do you know how change the location where users are created when using the SAML2 handler (it would be a good config option)? I saw in a forum the handler needs to be extended and the default handler removed or disabled, but I'm not clear on how to do it.

Avatar

Correct answer by
Employee

Hi @grantc99475970,

The cause for errors [0] is a difference between the Login URL defined in Azure AD and the Service Provided Entity ID defined in SAML 2.0 Authentication handler. 

Both the values have to be aligned and the value returned by the IDP can be seen in the response like:

 

 

 

[0]:

com.adobe.granite.auth.saml.util.SamlReader Signature verification failed. No signature.
com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: audienceRestrictions violated.
com.adobe.granite.auth.saml.SamlAuthenticationHandler Login failed. SAML token invalid.
com.adobe.granite.auth.saml.SamlAuthenticationHandler SAML error with reason: invalid_token detected, redirect user to: /libs/granite/core/content/login.error.html?j_reason=invalid_token    

 

 

I see, you have provided Service provider entity ID as https://a20d1c987456.ngrok.io/adobe_experience_manager in IDP but on checking the same in saml authentication handler config, I see a different value which is causing the issue here.

 

You have to define the audience value returned in the SAML response which seems to be https://a20d1c987456.ngrok.io/adobe_experience_manager to the Service Provider Entity ID in the AEM SAML configuration.

 

Also, do mention the default group in SAML config as administrators so that when user after successful authentication from IDP can be added to this by default.

 

Thanks!!