Hi, we are working on setting up the SSO configuration in ATCO and we are using AEM 6.1, but we are facing an Authentication Failed issue. Please help if you have any idea whether we are missing any configuration required for the authentication step. We are trying to set up SSO for the Author instance.
Here are the steps we performed after following the URL - http://www.aemstuff.com/blogs/july/saml.html
In saml.log we are seeing these messages -
08.12.2015 03:05:07.561 *WARN* [qtp644454687-195266] com.adobe.granite.auth.saml.SamlAuthenticationHandler Could not retrieve SP's private key: Uninitialised key store for user authentication-service
08.12.2015 03:05:07.561 *WARN* [qtp644454687-195266] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
08.12.2015 03:05:42.709 *WARN* [qtp644454687-195266] com.adobe.granite.auth.saml.SamlAuthenticationHandler Could not retrieve SP's private key: Uninitialised key store for user authentication-service
08.12.2015 03:05:42.710 *WARN* [qtp644454687-195266] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
The SAML response from the IDP server looks right; it has all the required attributes and the StatusCode is Success -
<samlp:Status>
  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<AttributeStatement>
  <Attribute Name="MUID">
    <AttributeValue>XXX@x.com</AttributeValue>
  </Attribute>
  <Attribute Name="FirstName">
    <AttributeValue>Sandeep</AttributeValue>
  </Attribute>
  <Attribute Name="LastName">
    <AttributeValue>Maheshwari</AttributeValue>
  </Attribute>
</AttributeStatement>
The HTTPS header is showing -
HTTP/?.? 403 Forbidden
Content-Encoding: gzip
Content-Type: text/plain; charset=UTF-8
Date: Tue, 08 Dec 2015 20:17:13 GMT
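To work through the evidence in this post (the saml.log warnings, the IdP response and the 403), here is an added Python triage script; it is not code from the thread or from AEM. The log and response samples are constructed from the fragments quoted above, and wrapping the response in the SAML 2.0 protocol/assertion namespaces is an assumption about what the full response looks like.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the two saml.log WARN lines quoted in the post.
SAML_LOG = """\
08.12.2015 03:05:07.561 *WARN* [qtp644454687-195266] com.adobe.granite.auth.saml.SamlAuthenticationHandler Could not retrieve SP's private key: Uninitialised key store for user authentication-service
08.12.2015 03:05:07.561 *WARN* [qtp644454687-195266] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
"""
# Constructed sample: the response fragments from the post, placed in the SAML 2.0 namespaces.
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion><saml:AttributeStatement>
    <saml:Attribute Name="MUID"><saml:AttributeValue>XXX@x.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Sandeep</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# AEM log layout: date time *LEVEL* [thread] logger message
LOG_RE = re.compile(r"^\S+ \S+ \*(?P<level>\w+)\* \[[^\]]+\] (?P<logger>\S+) (?P<msg>.*)$")

def handler_warnings(log_text):
    """WARN messages logged by com.adobe.granite.auth.saml.SamlAuthenticationHandler."""
    msgs = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["level"] == "WARN" and m["logger"].endswith("SamlAuthenticationHandler"):
            msgs.append(m["msg"])
    return msgs

def response_summary(xml_text):
    """Return (StatusCode value, {attribute name: [values]}) from a SAML Response."""
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    attrs = {}
    for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = [v.text for v in a.findall("saml:AttributeValue", NS)]
    return (code.get("Value") if code is not None else None), attrs

def triage(log_text, xml_text, userid_attribute):
    """List the likely causes of a 403 after a Success response, given the handler's UserID Attribute."""
    findings = []
    if any("private key" in m.lower() for m in handler_warnings(log_text)):
        findings.append("SP private key not found: AuthnRequest goes out unsigned (fatal only if the IdP requires signed requests)")
    status, attrs = response_summary(xml_text)
    if status != SUCCESS:
        findings.append(f"IdP StatusCode is not Success: {status}")
    elif userid_attribute not in attrs:
        findings.append(f"configured UserID Attribute {userid_attribute!r} is absent from the response; IdP sent {sorted(attrs)}")
    return findings
```

Run `triage(SAML_LOG, SAML_RESPONSE, "MUID")` against `triage(SAML_LOG, SAML_RESPONSE, "http://schemas.xmlsoap.org/claims/CommonName")` to see how a UserID Attribute the IdP never sends turns a Success response into a user the handler cannot map.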
Hi Sandeep,
Recently, when I set up AEM 6.1 and SAML, I did not create the node at /etc/key/saml; I did follow the instructions at http://www.aemstuff.com/blogs/july/saml.html. Also, we created users in AEM (no auto-create). Please make sure that when you add anything to the SAML OSGi configuration you do not add any trailing white spaces; this tripped me up on one occasion. The settings we used are listed below:
Regards,
Opkar
Path: /
Service Ranking: 5002
IDP URL: https://<server>/adfs/ls/
IP Certificate Alias: certalias__1443595127771
IDP HTTP Redirect: <Not selected>
Service Provider Entity ID: https://<AEM Server>/saml_login
SP Private Key Alias: <Empty>
Password of Key Store: <added value from step 2 in http://www.aemstuff.com/blogs/july/saml.html>
Default Redirect: /
UserID Attribute: http://schemas.xmlsoap.org/claims/CommonName
Use Encryption: <Not selected>
Autocreate CRX Users: <Not selected>
Add to Groups: <Not selected>
Group Membership: <Empty>
NameIDPolicy format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Synchronized Attributes: http://schemas.xmlsoap.org/claims/CommonName
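To catch the two pitfalls this thread turns on (a stray trailing space in a field value, and an empty NameIDPolicy format), here is an added checker; it is not code from the thread or from AEM. The dictionary keys mirror the field labels in the list above and are an assumption, not the OSGi property names, and the host names are constructed.

```python
# Constructed sample settings keyed by the field labels shown in the post
# (an assumption: these labels are not the OSGi property names).
BROKEN = {
    "IDP URL": "https://idp.example.invalid/adfs/ls/",
    "Service Provider Entity ID": "https://aem.example.invalid/saml_login ",  # trailing space
    "SP Private Key Alias": "",
    "UserID Attribute": "http://schemas.xmlsoap.org/claims/CommonName",
    "NameIDPolicy format": "",  # left empty
    "Synchronized Attributes": "http://schemas.xmlsoap.org/claims/CommonName",
}
# Same settings with the two defects corrected.
FIXED = dict(BROKEN, **{
    "Service Provider Entity ID": "https://aem.example.invalid/saml_login",
    "NameIDPolicy format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
})

# NameID formats defined by the SAML 1.1 / 2.0 core specifications.
NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
}

def check_saml_settings(settings):
    """Return (problems, notes): problems break the login, notes are worth knowing."""
    problems, notes = [], []
    for key, value in settings.items():
        # A copy-pasted value with surrounding whitespace no longer matches the IdP side.
        if value != value.strip():
            problems.append(f"{key!r} has leading/trailing whitespace")
    if settings.get("NameIDPolicy format", "").strip() not in NAMEID_FORMATS:
        problems.append("'NameIDPolicy format' is empty or not a known nameid-format URN")
    for key in ("IDP URL", "Service Provider Entity ID"):
        if not settings.get(key, "").strip().startswith("https://"):
            problems.append(f"{key!r} is not an https:// URL")
    if not settings.get("SP Private Key Alias", "").strip():
        # Not fatal by itself, but it explains the "Cannot sign Authn request" warnings in saml.log.
        notes.append("'SP Private Key Alias' is empty: AuthnRequests are sent unsigned")
    return problems, notes
```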
Hi
Please refer to the forum post with the same question.
I hope this would help you.
Thanks and Regards
Kautuk Sahni
Thanks Kautuk for the reply. I have already looked into the steps in the link but I am still facing the same authentication failed error. I could not perform the step below, as this configuration is only available for publisher and I am trying to set it up for Author. Any idea what else I need to configure or check?
Double check SlingAuthenticator configuration in your publisher instance.
You may want to have the /apps/<projectname>/config.publish/org.apache.sling.engine.impl.auth.SlingAuthenticator.config
Hi
I have asked internal experts to have a look at this. I will get back to you, or they will reply to you with some suggestions.
Thanks and Regards
Kautuk Sahni
Hi,
Looks like you did not provide the right cryptographic keys. Please check the official documentation [1] on how to provide these.
kind regards,
Jörg
Much appreciated, and thanks a bunch. I have fixed my configuration after referring to the provided suggestions and it seems to be working now; I was missing the configurations below -
1) NameIDPolicyFormat -- I was using an empty field
2) Removed the saml_login node from etc/key.
Thanks again :-) :)