SOLVED

AEM 6.1 SAML Authentication Failed


Level 5

Hi, we are working on setting up the SSO configuration in ATCO. We are using AEM 6.1 but are facing an Authentication Failed issue. Please help if you have any idea whether we are missing any configuration that is required for the authentication step. We are trying to set up SSO for the Author instance.

 

Here are the steps we performed after following the URL http://www.aemstuff.com/blogs/july/saml.html

 

  1. Added the IdP public cert to the AEM truststore
  2. Added the SP key and certificate chain to the AEM keystore (authentication-service)
  3. Configured the SAML Authentication Handler
  4. Configured the Referrer Filter

In saml.log we are seeing these messages:

08.12.2015 03:05:07.561 *WARN* [qtp644454687-195266] com.adobe.granite.auth.saml.SamlAuthenticationHandler Could not retrieve SP's private key: Uninitialised key store for user authentication-service
08.12.2015 03:05:07.561 *WARN* [qtp644454687-195266] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
08.12.2015 03:05:42.709 *WARN* [qtp644454687-195266] com.adobe.granite.auth.saml.SamlAuthenticationHandler Could not retrieve SP's private key: Uninitialised key store for user authentication-service
08.12.2015 03:05:42.710 *WARN* [qtp644454687-195266] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.

The SAML response from the IdP server looks right; it has all the required attributes and the StatusCode is Success:

<samlp:Status>
  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<AttributeStatement>
  <Attribute Name="MUID">
    <AttributeValue>XXX@x.com</AttributeValue>
  </Attribute>
  <Attribute Name="FirstName">
    <AttributeValue>Sandeep</AttributeValue>
  </Attribute>
  <Attribute Name="LastName">
    <AttributeValue>Maheshwari</AttributeValue>
  </Attribute>
</AttributeStatement>

The HTTPS response header shows:

HTTP/?.? 403 Forbidden
Content-Encoding: gzip
Content-Type: text/plain; charset=UTF-8
Date: Tue, 08 Dec 2015 20:17:13 GMT

1 Accepted Solution


Correct answer by
Employee

Hi Sandeep,

Recently, when I set up AEM 6.1 and SAML, I did not create the node at /etc/key/saml; I did follow the instructions at http://www.aemstuff.com/blogs/july/saml.html. Also, we created users in AEM (no auto-create). Please make sure that when you add anything to the SAML OSGi configuration you do not add any trailing white space; this tripped me up on one occasion. The settings we used are listed below:

Regards,

Opkar

Path: /

Service Ranking: 5002

IDP URL: https://<server>/adfs/ls/

IDP Certificate Alias: certalias__1443595127771

IDP HTTP Redirect: <Not selected>

Service Provider Entity ID: https://<AEM Server>/saml_login

SP Private Key Alias:  <Empty>

Password of Key Store:  <added value from step 2 in http://www.aemstuff.com/blogs/july/saml.html>

Default Redirect: /

UserID Attribute:  http://schemas.xmlsoap.org/claims/CommonName

Use Encryption:  <Not selected>

Autocreate CRX Users:  <Not selected>

Add to Groups: <Not selected>

Group Membership:  <Empty>

NameIDPolicy format:  urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

Synchronized Attributes: http://schemas.xmlsoap.org/claims/CommonName

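The accepted answer's settings only work when the IdP's response actually carries what the handler is told to look for (note that the asker's response has an attribute named MUID while the listed UserID Attribute is the CommonName claim), and trailing whitespace in a pasted value silently breaks the match. The checker below is an added example, not code from the thread or from AEM: it parses a constructed SAML Response modelled on the one quoted in the question and reports mismatches against the handler's configured expectations. The dict keys userIdAttribute and nameIdFormat are hypothetical names for the "UserID Attribute" and "NameIDPolicy format" fields, not AEM's OSGi property names.

```python
"""Check an IdP's SAML 2.0 Response against the values configured on the AEM SAML handler."""
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample modelled on the response quoted in the question; not a real capture.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">XXX@x.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="MUID"><saml:AttributeValue>XXX@x.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Sandeep</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, handler_config):
    """Return the mismatches between the response and the handler's configured expectations.

    handler_config uses hypothetical keys (userIdAttribute, nameIdFormat), not AEM's PID names.
    """
    findings = []
    # The thread's gotcha: a value pasted with trailing whitespace never matches what the IdP sends.
    for key, value in handler_config.items():
        if value != value.strip():
            findings.append(f"config value for {key!r} has leading/trailing whitespace")
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        findings.append("StatusCode is not Success")
    # Attribute names the assertion actually carries, e.g. {'MUID': [...], 'FirstName': [...]}.
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS)}
    uid = handler_config["userIdAttribute"]
    if uid not in attrs:
        findings.append(f"UserID attribute {uid!r} not in assertion; it carries {sorted(attrs)}")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is not None and name_id.get("Format") != handler_config["nameIdFormat"]:
        findings.append(f"NameID format {name_id.get('Format')!r} differs from NameIDPolicy format")
    return findings


if __name__ == "__main__":
    cfg = {"userIdAttribute": "http://schemas.xmlsoap.org/claims/CommonName",
           "nameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"}
    for line in check_response(SAMPLE_RESPONSE, cfg):
        print(line)
```

Run against the sample with the accepted answer's CommonName setting it reports the missing UserID attribute; with userIdAttribute set to MUID it reports nothing.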

6 Replies


Administrator

Hi

Please refer to the forum post with the same question.

Link:- http://help-forums.adobe.com/content/adobeforums/en/experience-manager-forum/adobe-experience-manage... 

I hope this would help you.

Thanks and Regards

Kautuk Sahni



Level 2

Thanks Kautuk for the reply. I have already looked into the steps in the link but am still facing the same authentication failed error. I could not perform the step below, as this configuration is only available for the publisher and I am trying to set it up for the Author. Any idea what else I need to configure or check?

Double check SlingAuthenticator configuration in your publisher instance. 

You may want to have the /apps/<projectname>/config.publish/org.apache.sling.engine.impl.auth.SlingAuthenticator.config


Administrator

Hi

I have asked internal experts to have a look at this. I will get back to you, or they will reply with some suggestions.

Thanks and Regards

Kautuk Sahni



Employee Advisor

Hi,

It looks like you did not provide the right cryptographic keys. Please check the official documentation [1] on how to provide these.

kind regards,
Jörg

[1] https://docs.adobe.com/docs/en/aem/6-1/administer/security/saml-2-0-authenticationhandler.html#Manag...


Level 2

Much appreciated, and thanks a bunch. I have fixed my configuration after referring to the suggestions provided and it seems to be working now; I was missing the configurations below:

1) NameIDPolicyFormat: I was using an empty field

2) Removed the saml_login node from etc/key.

Thanks again :-) :)