I am working through this tutorial, trying to get SAML SSO to work.
I am using Azure AD as the identity provider, and I have a local instance of AEM 6.4 running on my machine. To expose it to the internet, I am using a tool called ngrok.
I have also followed the instructions here to configure the SAML logger.
When I attempt to log in, the logger reports these errors:
com.adobe.granite.auth.saml.util.SamlReader Signature verification failed. No signature.
com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: audienceRestrictions violated.
com.adobe.granite.auth.saml.SamlAuthenticationHandler Login failed. SAML token invalid.
com.adobe.granite.auth.saml.SamlAuthenticationHandler SAML error with reason: invalid_token detected, redirect user to: /libs/granite/core/content/login.error.html?j_reason=invalid_token
Here's how the app is configured in Azure:
Here is how it is set up in AEM:
Here's my Global Trust Store
Here's what it looks like when I try to log in with Azure
What am I missing?
You need to capture the SAML Response from your IdP and inspect it to understand why it failed.
Just capture the browser network traffic and save that traffic as a HAR file.
Use something like Google's HAR analyzer to inspect that traffic -- https://toolbox.googleapps.com/apps/har_analyzer/
Find the POST request to your IdP.
You need to base64 decode the SAMLResponse using something like: https://www.samltool.com/decode.php
The SAMLResponse will tell you everything.
AEM isn't doing anything special here; it's just looking for the SAMLResponse to have a signed assertion and a success message.
In all likelihood it's a misconfiguration on the IdP end -- especially since the log message you provided says the assertion is not signed.
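The decode-and-inspect steps from the answer, scripted as an added example (not code from the question, the answer or Adobe): it pulls the SAMLResponse form field out of a HAR capture, base64-decodes it, and checks the three things the log lines in the question complain about (StatusCode, a ds:Signature on the Assertion, and the AudienceRestriction against the Entity ID configured in AEM). The HAR entry, the response XML and SP_ENTITY_ID are constructed placeholders standing in for the real capture and the real AEM Service Provider Entity ID.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://example.ngrok.io/"  # placeholder for the Entity ID set in AEM's SAML handler

def saml_responses_from_har(har):
    """Return the base64 SAMLResponse form field of every POST recorded in a HAR dict."""
    return [p["value"]
            for entry in har["log"]["entries"] if entry["request"]["method"] == "POST"
            for p in entry["request"].get("postData", {}).get("params", [])
            if p["name"] == "SAMLResponse"]

def inspect_saml_response(b64, expected_audience):
    """Decode one SAMLResponse and report the failures behind the log lines in the question."""
    root = ET.fromstring(base64.b64decode(b64))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    assertion = root.find("saml:Assertion", NS)
    audiences = [a.text for a in root.iterfind(".//saml:AudienceRestriction/saml:Audience", NS)]
    problems = []
    if status is None or status.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")
    if assertion is None or assertion.find("ds:Signature", NS) is None:
        problems.append("No signature on Assertion")  # -> SamlReader: Signature verification failed
    if expected_audience not in audiences:
        problems.append("audienceRestrictions violated: %s" % audiences)  # -> Invalid Assertion
    return problems

# Constructed sample: unsigned Azure-style response whose Audience does not match SP_ENTITY_ID.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://wrong-entity-id.example/</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_HAR = {"log": {"entries": [{"request": {
    "method": "POST", "url": SP_ENTITY_ID + "saml_login",
    "postData": {"params": [{"name": "SAMLResponse",
                             "value": base64.b64encode(SAMPLE_RESPONSE.encode()).decode()}]}}}]}}

if __name__ == "__main__":
    for b64 in saml_responses_from_har(SAMPLE_HAR):
        print("\n".join(inspect_saml_response(b64, SP_ENTITY_ID)) or "SAMLResponse looks acceptable")
```

Point it at a real capture by loading the saved HAR with json.load and passing the dict in place of SAMPLE_HAR; a response that Azure has signed at the Response level but not at the Assertion level will still be flagged, which matches what AEM's reader logged.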