AEM 6.1 SAML Authentication Failed | Community
Skip to main content
sandeepm744005
sandeepm744005
Level 5
December 8, 2015
Solved

AEM 6.1 SAML Authentication Failed

  • December 8, 2015
  • 6 replies
  • 5721 views

Hi, We are working on setting up the SSO configuration in ATCO and we are using AEM 6.1 version but we are facing Authentication Failed issue. Please help if you have any idea if we are missing any configuration which are required for authentication step. Trying to setup SSO for Author instance.

 

Here are the steps which we have performed after following the url - http://www.aemstuff.com/blogs/july/saml.html

 

  1. Add IdP public cert to AEM truststore
  2. Add SP key and certificate chain to AEM keystore (authentication-service)
  3. Configured SAML Authenticator Handler
  4. Configured Referrer Filter.

In the saml.log, seeing this message - 

08.12.2015 03:05:07.561 *WARN* [qtp644454687-195266] com.adobe.granite.auth.saml.SamlAuthenticationHandler Could not retrieve SP's private key: Uninitialised key store for user authentication-service
08.12.2015 03:05:07.561 *WARN* [qtp644454687-195266] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
08.12.2015 03:05:42.709 *WARN* [qtp644454687-195266] com.adobe.granite.auth.saml.SamlAuthenticationHandler Could not retrieve SP's private key: Uninitialised key store for user authentication-service
08.12.2015 03:05:42.710 *WARN* [qtp644454687-195266] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.

SAML response from the IDP server looks right, it has all the required attributes and statusCode is success-

<samlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> </samlp:Status>
<AttributeStatement> <Attribute Name="MUID"> <AttributeValue>XXX@x.com</AttributeValue> </Attribute> <Attribute Name="FirstName"> <AttributeValue>Sandeep</AttributeValue> </Attribute> <Attribute Name="LastName"> <AttributeValue>Maheshwari</AttributeValue> </Attribute> </AttributeStatement>

https hearder is showing - 

HTTP/?.? 403 ForbiddenContent-Encoding: gzipContent-Type: text/plain; charset=UTF-8Date: Tue, 08 Dec 2015 20:17:13 GMT
    This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.
    Best answer by ogill

    Hi Sandeep,

    recently when I set up AEM6.1 and SAML, I did not create the node at /etc/key/saml, I did follow the instructions at http://www.aemstuff.com/blogs/july/saml.html. Also, we created users in AEM(no auto-create). Please make sure when you add anything to the SAML OSGI configuration, you do not add any trailing white spaces, this tripped me up on one occasion. The settings we used are listed blow:

    Regards,

    Opkar

    Path: /

    Service Ranking: 5002

    IDP URL: https://<server>/adfs/ls/

    IP Certificate Alias certalias__1443595127771

    IDP HTTP Redirect: <Not selected>

    Service Provider Entity ID :https://<AEM Server>/saml_login

    SP Private Key Alias:  <Empty>

    Password of Key Store:  <added value from step 2 in http://www.aemstuff.com/blogs/july/saml.html>

    Default Redirect: /

    UserID Attribute:  http://schemas.xmlsoap.org/claims/CommonName

    Use Encryption:  <Not selected>

    Autocreate CRX Users:  <Not selected>

    Add to Groups: <Not selected>

    Group Membership:  <Empty>

    NameIDPolicy format:  urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

    Synchronized Attributes: http://schemas.xmlsoap.org/claims/CommonName

    6 replies

    kautuk_sahni
    Community Manager
    kautuk_sahniCommunity Manager
    Community Manager
    December 9, 2015

    Hi

    Please refer to the forum post having same question.

    Link:- http://help-forums.adobe.com/content/adobeforums/en/experience-manager-forum/adobe-experience-manager.topic.html/forum__9obl-i_am_tryingtoconfi.html 

    I hope this would help you.

    Thanks and Regards

    Kautuk Sahni

    Kautuk Sahni
      S
      sandeepmaheshwa
      Level 2
      December 9, 2015

      Thanks Kautuk for the reply. I have already looked into the steps which are there in the link but still facing the same authentication failed error. I could not able to perform below step as this configuration is only available for publisher and i am trying to setup it for Author. Any idea ? what else i need to configure or check.

      Double check SlingAuthenticator configuration in your publisher instance. 

      You may want to have the /apps/<projectname>/config.publish/org.apache.sling.engine.impl.auth.SlingAuthenticator.config

        kautuk_sahni
        Community Manager
        kautuk_sahniCommunity Manager
        Community Manager
        December 9, 2015

        Hi

        I have asked internal experts to have a look on this. I will revert you back or they will revert you with some suggestions.

        Thanks and Regards

        Kautuk Sahni

        Kautuk Sahni
          O
          Adobe Employee
          ogillAdobe EmployeeAccepted solution
          Adobe Employee
          December 9, 2015

          Hi Sandeep,

          recently when I set up AEM6.1 and SAML, I did not create the node at /etc/key/saml, I did follow the instructions at http://www.aemstuff.com/blogs/july/saml.html. Also, we created users in AEM(no auto-create). Please make sure when you add anything to the SAML OSGI configuration, you do not add any trailing white spaces, this tripped me up on one occasion. The settings we used are listed blow:

          Regards,

          Opkar

          Path: /

          Service Ranking: 5002

          IDP URL: https://<server>/adfs/ls/

          IP Certificate Alias certalias__1443595127771

          IDP HTTP Redirect: <Not selected>

          Service Provider Entity ID :https://<AEM Server>/saml_login

          SP Private Key Alias:  <Empty>

          Password of Key Store:  <added value from step 2 in http://www.aemstuff.com/blogs/july/saml.html>

          Default Redirect: /

          UserID Attribute:  http://schemas.xmlsoap.org/claims/CommonName

          Use Encryption:  <Not selected>

          Autocreate CRX Users:  <Not selected>

          Add to Groups: <Not selected>

          Group Membership:  <Empty>

          NameIDPolicy format:  urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

          Synchronized Attributes: http://schemas.xmlsoap.org/claims/CommonName

            joerghoh
            Adobe Employee
            joerghohAdobe Employee
            Adobe Employee
            December 9, 2015

            Hi,

            Looks like that you did not provide the right cryptograhical keys. Please check the offical documentation [1] how to provide these.

            kind regards,
            Jörg

            [1] https://docs.adobe.com/docs/en/aem/6-1/administer/security/saml-2-0-authenticationhandler.html#Managing%20Cryptographic%20Keys

            S
            sandeepmaheshwa
            Level 2
            December 9, 2015

            much much appreciated and thanks in a bunch. I have fixed my configuration after referring provided suggestions and it seems working now, i was missing below configurations - 

            1) NameIDPolicyFormat -- i was using empty field

            2) removed saml_login node from the etc/key.

            Thanks again :-) :)

            Terms & ConditionsAccessibility statement

            Loading footer...