6.4 "Invalid SAML token" error

grantc99475970

14-10-2020

I am working through this tutorial, trying to get SAML SSO to work.

I am using Azure AD as the identity provider, and I have a local instance of AEM 6.4 running on my machine. To expose it to the internet, I am using a tool called ngrok.

 

I have also followed the instructions here to configure the SAML logger

 

When I attempt to log in, the logger reports these errors

com.adobe.granite.auth.saml.util.SamlReader Signature verification failed. No signature.
com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: audienceRestrictions violated.
com.adobe.granite.auth.saml.SamlAuthenticationHandler Login failed. SAML token invalid.
com.adobe.granite.auth.saml.SamlAuthenticationHandler SAML error with reason: invalid_token detected, redirect user to: /libs/granite/core/content/login.error.html?j_reason=invalid_token    

 

Here's how the app is configured in Azure:

 
 

image.png

 

image.png

 

Here is how it is set up in AEM:

 

image.png

image.png

Here's my Global Trust Store

image.png

 

Here's what it looks like when I try to log in with Azure

image.png

 

What am I missing?

AEM 6.4 SAML2.0

Accepted Solutions (1)

Accepted Solutions (1)

vanegi

Employee

16-10-2020

Hi @grantc99475970,

The cause for errors [0] is a difference between the Login URL defined in Azure AD and the Service Provided Entity ID defined in SAML 2.0 Authentication handler. 

Both the values have to be aligned and the value returned by the IDP can be seen in the response like:

 

 

 

[0]:

com.adobe.granite.auth.saml.util.SamlReader Signature verification failed. No signature.
com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: audienceRestrictions violated.
com.adobe.granite.auth.saml.SamlAuthenticationHandler Login failed. SAML token invalid.
com.adobe.granite.auth.saml.SamlAuthenticationHandler SAML error with reason: invalid_token detected, redirect user to: /libs/granite/core/content/login.error.html?j_reason=invalid_token    

 

 

I see, you have provided Service provider entity ID as https://a20d1c987456.ngrok.io/adobe_experience_manager in IDP but on checking the same in saml authentication handler config, I see a different value which is causing the issue here.

 

You have to define the audience value returned in the SAML response which seems to be https://a20d1c987456.ngrok.io/adobe_experience_manager to the Service Provider Entity ID in the AEM SAML configuration.

 

Also, do mention the default group in SAML config as administrators so that when user after successful authentication from IDP can be added to this by default.

 

Thanks!!

Answers (1)

Answers (1)

aemmarc

Employee

15-10-2020

You need to capture the SAML Response from your Idp and inspect it to understand why it failed.

 

Just capture the browser network traffic, save that traffic as a HAR file 

-- then

Use something like Google's HAR analyzer to inspect that traffic -- https://toolbox.googleapps.com/apps/har_analyzer/

-- then

Find the POST request to your Idp

-- then 

You need to base64 decode the SAMLResponse using something like : https://www.samltool.com/decode.php

 

The SAMLResponse will tell you everything. 


AEM isn't doing anything special here, it's just looking for the SAMLResponse to have a signed assertion and a success message. 

In all likelihood it's a misconfiguration on the Idp end -- especially since the log message you provided says the assertion is not signed.