6.4 "Invalid SAML token" error

grantc99475970

14-10-2020

I am working through this tutorial, trying to get SAML SSO to work.

I am using Azure AD as the identity provider, and I have a local instance of AEM 6.4 running on my machine. To expose it to the internet, I am using a tool called ngrok.


I have also followed the instructions here to configure the SAML logger

When I attempt to log in, the logger reports these errors:

com.adobe.granite.auth.saml.util.SamlReader Signature verification failed. No signature.
com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: audienceRestrictions violated.
com.adobe.granite.auth.saml.SamlAuthenticationHandler Login failed. SAML token invalid.
com.adobe.granite.auth.saml.SamlAuthenticationHandler SAML error with reason: invalid_token detected, redirect user to: /libs/granite/core/content/login.error.html?j_reason=invalid_token

Here's how the app is configured in Azure:


Here is how it is set up in AEM:


Here's my Global Trust Store:

Here's what it looks like when I try to log in with Azure:

What am I missing?


aemmarc
Employee

15-10-2020

You need to capture the SAML Response from your IdP and inspect it to understand why it failed.

Just capture the browser network traffic, save that traffic as a HAR file

-- then

Use something like Google's HAR analyzer to inspect that traffic -- https://toolbox.googleapps.com/apps/har_analyzer/

-- then

Find the POST request to your IdP

-- then

You need to base64 decode the SAMLResponse using something like: https://www.samltool.com/decode.php

The SAMLResponse will tell you everything.

AEM isn't doing anything special here; it's just looking for the SAMLResponse to have a signed assertion and a success message.

In all likelihood it's a misconfiguration on the IdP end -- especially since the log message you provided says the assertion is not signed.
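The procedure described in the answer above, as an added example that is not part of either post and is not AEM code: a Python script that pulls the SAMLResponse out of a HAR export, base64-decodes it, and reports whether the status is Success, whether the Assertion carries a Signature, and which Audience values it names, so they can be compared with the entity ID AEM expects. The HAR entry and SAML response embedded below are constructed, and the entity IDs in them are placeholders.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def extract_saml_responses(har):
    """Yield decoded SAMLResponse XML from every POST entry in a HAR log."""
    for entry in har["log"]["entries"]:
        req = entry["request"]
        if req.get("method") != "POST":
            continue
        post = req.get("postData", {})
        # HAR exporters record form bodies either as parsed params or as raw text
        params = {p["name"]: p["value"] for p in post.get("params", [])}
        if "SAMLResponse" not in params and post.get("text"):
            params = {k: v[0] for k, v in parse_qs(post["text"]).items()}
        if "SAMLResponse" in params:
            yield base64.b64decode(params["SAMLResponse"]).decode("utf-8")

def inspect_response(xml_text, expected_audience):
    """Report what the AEM log complains about: status, assertion signature, audience."""
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    assertion = root.find("saml:Assertion", NS)
    audiences = [] if assertion is None else [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    return {"success": code is not None and code.get("Value", "").endswith(":Success"),
            "assertion_signed": assertion is not None and assertion.find("ds:Signature", NS) is not None,
            "audiences": audiences,
            "audience_ok": expected_audience in audiences}

def diagnose(har, expected_audience):
    return [inspect_response(x, expected_audience) for x in extract_saml_responses(har)]

# Constructed sample (not a real capture): a Success response whose assertion is
# unsigned and names the wrong audience, i.e. the two failures in the log above.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion><saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://wrong-entity-id.example</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""
SAMPLE_HAR = {"log": {"entries": [{"request": {"method": "POST",
    "url": "https://sp.example/saml_login",  # placeholder for AEM's consumer URL
    "postData": {"params": [{"name": "SAMLResponse",
        "value": base64.b64encode(SAMPLE_RESPONSE.encode()).decode()}]}}}]}}
```

For a real capture, load the file with `json.load` and pass the result to `diagnose` together with the entity ID configured in AEM's SAML handler; a missing `ds:Signature` or an audience list that does not contain that ID points at the IdP-side settings.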