SOLVED

AEM 6.1 SAML Authentication Failed

sandeepm744005
Level 5

Hi, we are working on setting up the SSO configuration in ATCO and we are using AEM 6.1, but we are facing an Authentication Failed issue. Please help if you have any idea whether we are missing any configuration that is required for the authentication step. Trying to set up SSO for the Author instance.

Here are the steps we performed after following the URL http://www.aemstuff.com/blogs/july/saml.html:

  1. Add IdP public cert to AEM truststore
  2. Add SP key and certificate chain to AEM keystore (authentication-service)
  3. Configured SAML Authenticator Handler
  4. Configured Referrer Filter.

In saml.log, I am seeing this message:

08.12.2015 03:05:07.561 *WARN* [qtp644454687-195266] com.adobe.granite.auth.saml.SamlAuthenticationHandler Could not retrieve SP's private key: Uninitialised key store for user authentication-service
08.12.2015 03:05:07.561 *WARN* [qtp644454687-195266] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
08.12.2015 03:05:42.709 *WARN* [qtp644454687-195266] com.adobe.granite.auth.saml.SamlAuthenticationHandler Could not retrieve SP's private key: Uninitialised key store for user authentication-service
08.12.2015 03:05:42.710 *WARN* [qtp644454687-195266] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.

SAML response from the IDP server looks right, it has all the required attributes and statusCode is success-

<samlp:Status>
  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<AttributeStatement>
  <Attribute Name="MUID">
    <AttributeValue>XXX@x.com</AttributeValue>
  </Attribute>
  <Attribute Name="FirstName">
    <AttributeValue>Sandeep</AttributeValue>
  </Attribute>
  <Attribute Name="LastName">
    <AttributeValue>Maheshwari</AttributeValue>
  </Attribute>
</AttributeStatement>

The HTTPS header is showing:

HTTP/?.? 403 Forbidden
Content-Encoding: gzip
Content-Type: text/plain; charset=UTF-8
Date: Tue, 08 Dec 2015 20:17:13 GMT
1 Accepted Solution
Opkar_Gill
Correct answer
Employee

Hi Sandeep,

Recently when I set up AEM 6.1 and SAML, I did not create the node at /etc/key/saml; I did follow the instructions at http://www.aemstuff.com/blogs/july/saml.html. Also, we created users in AEM (no auto-create). Please make sure that when you add anything to the SAML OSGi configuration, you do not add any trailing whitespace; this tripped me up on one occasion. The settings we used are listed below:

Regards,

Opkar

Path: /
Service Ranking: 5002
IDP URL: https://<server>/adfs/ls/
IDP Certificate Alias: certalias__1443595127771
IDP HTTP Redirect: <Not selected>
Service Provider Entity ID: https://<AEM Server>/saml_login
SP Private Key Alias: <Empty>
Password of Key Store: <added value from step 2 in http://www.aemstuff.com/blogs/july/saml.html>
Default Redirect: /
UserID Attribute: http://schemas.xmlsoap.org/claims/CommonName
Use Encryption: <Not selected>
Autocreate CRX Users: <Not selected>
Add to Groups: <Not selected>
Group Membership: <Empty>
NameIDPolicy format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Synchronized Attributes: http://schemas.xmlsoap.org/claims/CommonName

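As an added illustration (not code from this thread or from Adobe), a small Python checker for the two failure modes the question and this answer point at: the "Uninitialised key store" warnings in saml.log, and SAML handler OSGi values with stray whitespace or an empty NameIDPolicy format. The property names keyStorePassword and nameIdFormat are assumed names for the config dictionary, and the log lines are constructed from the question's excerpt.

```python
import re

# Constructed sample lines modelled on the saml.log excerpt in the question.
SAMPLE_SAML_LOG = """\
08.12.2015 03:05:07.561 *WARN* [qtp644454687-195266] com.adobe.granite.auth.saml.SamlAuthenticationHandler Could not retrieve SP's private key: Uninitialised key store for user authentication-service
08.12.2015 03:05:07.561 *WARN* [qtp644454687-195266] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
08.12.2015 03:06:00.000 *INFO* [qtp644454687-195266] com.adobe.granite.auth.saml.SamlAuthenticationHandler Processing SAML response
"""

# Sling log layout: "<date> <time> *LEVEL* [thread] logger message"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) \*(?P<level>\w+)\* \[[^\]]+\] (?P<logger>\S+) (?P<msg>.*)$"
)

# Symptom text -> likely cause, as discussed in the thread.
KNOWN_SYMPTOMS = {
    "Uninitialised key store for user authentication-service":
        "no keystore exists for the authentication-service user; SP key never imported",
    "Private key of SP not provided":
        "SP private key alias or keystore password not resolvable from the handler config",
}

def find_key_store_problems(log_text):
    """Return (timestamp, cause) for every WARN line that matches a known symptom."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m.group("level") != "WARN":
            continue
        for symptom, cause in KNOWN_SYMPTOMS.items():
            if symptom in m.group("msg"):
                findings.append((m.group("ts"), cause))
    return findings

def lint_saml_handler_config(cfg):
    """Flag the config mistakes named in the thread: leading/trailing whitespace in any
    value, an empty NameIDPolicy format, and a missing keystore password.
    The keys nameIdFormat and keyStorePassword are assumed property names."""
    problems = []
    for key, value in cfg.items():
        if isinstance(value, str) and value != value.strip():
            problems.append(f"{key}: leading/trailing whitespace in value {value!r}")
    if not cfg.get("nameIdFormat", "").strip():
        problems.append("nameIdFormat: empty; the thread used urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")
    if not cfg.get("keyStorePassword"):
        problems.append("keyStorePassword: empty; the handler cannot open the authentication-service keystore")
    return problems
```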

6 Replies

kautuk_sahni
Community Manager

Hi

Please refer to the forum post having the same question.

Link: http://help-forums.adobe.com/content/adobeforums/en/experience-manager-forum/adobe-experience-manage...

I hope this helps you.

Thanks and Regards

Kautuk Sahni

sandeepmaheshwa
Level 2

Thanks Kautuk for the reply. I have already looked into the steps in the link but am still facing the same authentication failed error. I was not able to perform the below step, as this configuration is only available for the publisher and I am trying to set it up for the Author. Any idea what else I need to configure or check?

Double check SlingAuthenticator configuration in your publisher instance. 

You may want to have the /apps/<projectname>/config.publish/org.apache.sling.engine.impl.auth.SlingAuthenticator.config

kautuk_sahni
Community Manager

Hi

I have asked internal experts to have a look at this. I will get back to you, or they will reply to you with some suggestions.

Thanks and Regards

Kautuk Sahni

Jörg_Hoh
Employee

Hi,

It looks like you did not provide the right cryptographic keys. Please check the official documentation [1] on how to provide these.

kind regards,
Jörg

[1] https://docs.adobe.com/docs/en/aem/6-1/administer/security/saml-2-0-authenticationhandler.html#Manag...

sandeepmaheshwa
Level 2

Much appreciated and thanks a bunch. I have fixed my configuration after referring to the provided suggestions and it seems to be working now. I was missing the below configurations:

1) NameIDPolicyFormat: I was using an empty field.

2) Removed the saml_login node from etc/key.

Thanks again 🙂 🙂