I have SAML set up to create new users with a default access group on creation. When new users log in to the site, their user account is created but they hit a 404 error on page load. We have a CUG enabled on the top level site page for the default user group that the user is added to on first log in. If the user refreshes the page, it will load, but no matter what, users hit a 404 on first log in.
We had a similar setup with a different user group name on our old 6.3 instance and never had this issue.
Is there a change in the SAML handling between 6.3 and 6.5? What can we do or change to prevent hitting a 404 on first log in for new users beyond ensuring that the users are created in advance (not an option)?
@jetate can you check whether the user is really getting created on the first-time user login (error case) and the correct group is assigned? If yes, can you also check whether a valid session is created by looking at the header/cookie in the browser, based on your setup.
Hi @jetate,
Do you see "success" in the SAML response, and other attributes like email, first name, etc. getting stored under the user profile node in CRXDE? Can you set the default group to "administrators" in the Adobe Granite SAML 2.0 Authentication Handler config and verify the use case to see whether you still get a 404? In case you still see the error, please share the following:
Here is a sample SAML response for reference:
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema" Destination="http://vanegi-WX-1:4502/saml_login" ID="id165981227872087111522592179" InResponseTo="_854ba739-f4c4-44c0-bef2-b3cf0bcd1f41" IssueInstant="2019-03-03T03:39:33.109Z" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/exk1es6n2ol6aKuGu1d8</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#id165981227872087111522592179">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>VjO7jLPwV19OyXBGtw01P29ig0RxRm9xvoUCV0mW9Mk=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>gSJ9UYgtfq6aQ2p7kTMDHC1JZQ1siNjB/kkZzppEvccNOFtcV3L5SlSekUzxTY3wVv6dSWyZB+D22LPlUraMG91eO4Sj0wP1lysGyYKcAMu020F3U3nuD78wpqvPu1Cd3gLpJoe2/cRErxmntvlEwbHaYcLL6JY3TZITzsKRBAecVNafD1ieYzPJ+NMw6qwC5zWL947S7SmBprEIFY0C1cPaLfR8/T7ti2jZvqkbszgfjFsaz5LjAIUbYez7MZn13MMXQ/h1ytjFW4pyvOF4m4hs5eT8L/t0cWoiz2tkwPtjO2OuZ5ZJ09Qs95r64r8DfU1PMgWZpKlKUI09N0gERg==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDpjCCAo6gAwIBAgIGAV2m8CZSMA0GCSqGSIb3DQEBCwUAMIGTMQswCQYDVQQGEwJVUzETMBEG</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="id16598122787298689136258742" IssueInstant="2019-03-03T03:39:33.109Z" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/exk1es6n2ol6aKuGu1d8</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#id16598122787298689136258742">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>2dg20BJUERp3olxYBAv7JF2hOMfSN2PDnw70LR7mHFg=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>aOP9NZU8MQIXAh2uInduZmKITqn2Ya3ObQF63qnOhtUP++JK7tDTlDQyuzQKFiKmsr84yQRRZI7E1e6Q3ROENNGJ5daJbkA0QTJTU8SQTWpOZKcI9cFiwutMpCBDEpHdEzN2HBsbi0Q/kK0bKgiJROPOv7DXAVt/abYdJojUOpgInTkuua+ifxk6PcKfxpwbNEQk+NhNpQu5kXIUKdFhpRPVwY/kf8exZ1qUQsKbNvmeyhx+l1UBKJsDnP9iIKqgduLvC2/CuBZI9QkWDizvsUjBhLoxtdlWEwK9iPvfLIo2IkDEm1WCi1+8gBwXTLo71i5iFp/bpQRA8oYkcOoLwA==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDpjCCAo6gAwIBAgIGAV2m8CZSMA0GCSqGSIb3DQEBCwUAMIGTMQswCQYDVQQGEwJVUzETMBEG
A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
MBIGA1UECwwLU1NPUHJvdmlkZXIxFDASBgNVBAMMC2Fkb2JlLXN0YWdlMRwwGgYJKoZIhvcNAQkB
Fg1pbmZvQG9rdGEuY29tMB4XDTE3MDgwMzA3MTEyMloXDTI3MDgwMzA3MTIyMlowgZMxCzAJBgNV
BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ0wCwYD
VQQKDARPa3RhMRQwEgYDVQQLDAtTU09Qcm92aWRlcjEUMBIGA1UEAwwLYWRvYmUtc3RhZ2UxHDAa
BgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQCfPXqsGvuZOr2qhAIK0x+tXGtaNOQw8VjqfTol+XDB+xZozvfTeUbMBDWyOKAK19D7XfpDXKH8
Sa/giauCK/98iEqbuRk1QdDyg8em+8j8GwIGwmVk8ephsc0YzbXIEUHe2gi0YpOz+f9cCdIppnP0
MDKv0yvc8NBRFljEfA+Zr7rndrECjInZsy575geZEViMXVaCnBy0slL0KQVbqjfWNd1vSIj4OBAo
xAriYU84sOO4/smayx+PfB1PvLRQJT1eIBzR6wPTICQ7TQCM1XMHon6mn2U5NIyx/Mx+XQY/I4DQ
xz7Z0lt6/DuDLBtsZli9GKW3KOKKep0NPEzSdbhVAgMBAAEwDQYJKoZIhvcNAQELBQADggEBABc4
TyHErFVGOersFLaZiSEkv2eTlKcoycXsMfu4vPBDTG1aGtBrkuKfav+RqM25fnytdqohz0o4ii9R
prNQCRHj1Og2ElqLkb204+ma8cjyAvR09UO0S9mp07qzMjDFF7DNuilfC9o/VoHeRXAZDN6cr6s+
NzeeXKPaD2VIFk0YeO5YUgRbrJHiJ6v2UaizUBvUwPAxMOsxUVNch26AvSCsbSJx3ehlpN/4lP3b
55bt9Lo+Zb6pet9shf24CSg60nTa7sOmYgT4bGsNvXW13po6YbfCcawbzSYXXP427ZP15tehRuR2
sRjnZdCwK13NYhkw5x/iGnt6fQ7STEgqwpY=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">vanegi@adobe.com</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="_854ba739-f4c4-44c0-bef2-b3cf0bcd1f41" NotOnOrAfter="2019-03-03T03:44:33.109Z" Recipient="http://vanegi-WX-1:4502/saml_login"/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" NotBefore="2019-03-03T03:34:33.109Z" NotOnOrAfter="2019-03-03T03:44:33.109Z">
<saml2:AudienceRestriction>
<saml2:Audience>http://vanegi-WX-1:4502/projects.html</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" AuthnInstant="2019-03-03T03:39:33.109Z" SessionIndex="_854ba739-f4c4-44c0-bef2-b3cf0bcd1f41">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Attribute Name="Email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">vanegi@adobe.com</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Vaishali</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Negi</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="UserID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">vanegi</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="Department" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Customer Experience</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>
Thanks!!
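The questions in the reply above (is the status Success, are the profile attributes present, do the validity conditions hold for the request that was actually sent) can be checked mechanically from a captured response. The script below is an added example written for this page, not code from the thread or from Adobe's SAML handler. It parses a constructed sample response of the same shape as the one above (all hosts, IDs and the signature stub are placeholders) and reports the status, NameID, attributes, whether the assertion carries a signature, and every condition a service provider must reject on: NotBefore/NotOnOrAfter, AudienceRestriction, and the bearer SubjectConfirmationData's Recipient and InResponseTo. XML signature verification is deliberately out of scope; it needs an XML-DSig library and the IdP certificate.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespaces used by SAML 2.0 Response/Assertion elements and XML-DSig
NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample modelled on the response shape shown above; every host,
# ID and the signature stub is a placeholder, not a value from the thread.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="id-response-placeholder" InResponseTo="_request-placeholder" IssueInstant="2019-03-03T03:39:33.109Z" Version="2.0">
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-assertion-placeholder" IssueInstant="2019-03-03T03:39:33.109Z" Version="2.0">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.invalid</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="_request-placeholder" NotOnOrAfter="2019-03-03T03:44:33.109Z" Recipient="http://aem.example.invalid:4502/saml_login"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2019-03-03T03:34:33.109Z" NotOnOrAfter="2019-03-03T03:44:33.109Z">
      <saml2:AudienceRestriction><saml2:Audience>http://aem.example.invalid:4502/</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="Email"><saml2:AttributeValue>jdoe@example.invalid</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="FirstName"><saml2:AttributeValue>Jane</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="UserID"><saml2:AttributeValue>jdoe</saml2:AttributeValue></saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
"""


def parse_saml_time(value):
    """Parse an xs:dateTime as IdPs emit it: UTC with trailing Z, fraction optional."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unsupported SAML timestamp: %r" % value)


def inspect_response(xml_text, expected_audience, expected_recipient,
                     expected_request_id, now):
    """Report what the SP sees in a response. 'problems' lists every condition
    a relying party must reject on; empty means acceptable apart from the XML
    signature, which is only detected here, not verified."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    problems = []

    code = root.find("saml2p:Status/saml2p:StatusCode", NS)
    status_value = code.get("Value") if code is not None else None
    if status_value != SUCCESS:
        problems.append("status is not Success: %s" % status_value)

    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        problems.append("no Assertion element in response")
        return {"status_ok": status_value == SUCCESS, "name_id": None,
                "attributes": {}, "signed": False, "problems": problems}

    name_id = assertion.findtext("saml2:Subject/saml2:NameID", namespaces=NS)

    # Attributes the handler copies onto the user profile node
    attributes = {}
    for attr in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        values = [v.text for v in attr.findall("saml2:AttributeValue", NS)]
        attributes[attr.get("Name")] = values[0] if len(values) == 1 else values

    # Conditions: validity window and audience restriction
    conds = assertion.find("saml2:Conditions", NS)
    if conds is not None:
        if conds.get("NotBefore") and now < parse_saml_time(conds.get("NotBefore")):
            problems.append("assertion not yet valid (NotBefore)")
        if conds.get("NotOnOrAfter") and now >= parse_saml_time(conds.get("NotOnOrAfter")):
            problems.append("assertion expired (Conditions NotOnOrAfter)")
        audiences = [a.text for a in conds.findall("saml2:AudienceRestriction/saml2:Audience", NS)]
        if audiences and expected_audience not in audiences:
            problems.append("audience mismatch: %s" % audiences)

    # Bearer confirmation: must name our ACS URL and the AuthnRequest we issued
    scd = assertion.find("saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS)
    if scd is not None:
        if scd.get("Recipient") != expected_recipient:
            problems.append("recipient mismatch: %s" % scd.get("Recipient"))
        if scd.get("InResponseTo") != expected_request_id:
            problems.append("InResponseTo does not match our request")
        if scd.get("NotOnOrAfter") and now >= parse_saml_time(scd.get("NotOnOrAfter")):
            problems.append("bearer confirmation expired")

    signed = assertion.find("ds:Signature", NS) is not None
    return {"status_ok": status_value == SUCCESS, "name_id": name_id,
            "attributes": attributes, "signed": signed, "problems": problems}


def check_sample(at="2019-03-03T03:40:00Z"):
    """Inspect the constructed sample as if received at instant 'at' (UTC)."""
    return inspect_response(SAMPLE_RESPONSE,
                            expected_audience="http://aem.example.invalid:4502/",
                            expected_recipient="http://aem.example.invalid:4502/saml_login",
                            expected_request_id="_request-placeholder",
                            now=parse_saml_time(at))


if __name__ == "__main__":
    print(check_sample())
```

To use it on a real capture, base64-decode the SAMLResponse form field from the browser's network tab and pass the XML to inspect_response with your own audience (Entity ID), assertion consumer URL and the AuthnRequest ID. Note that the same NotOnOrAfter instant appears twice in a response (Conditions and SubjectConfirmationData) and both are checked separately; clock skew between the IdP and the AEM host shows up here as "not yet valid" or "expired" on an otherwise successful response. For parsing XML from an untrusted source in production, prefer defusedxml over the stdlib parser.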
Hi @jetate
Are you using multiple publishers with user sync enabled between them? It may be that user sync is taking some time to create the new user on the other publishers, and the user's first request is hitting a publisher where the account does not yet exist.
Check whether user sync is working properly, as well as how long it takes to sync a newly created user.
Hope it helps!
Thanks!
Nupur
The default group configuration still works the same between 6.3 and 6.5. I would suggest enabling debug logging for com.adobe.granite.auth.saml and checking whether there is an error when it tries to add the user as a member of the default group. Also, make sure you don't have any duplicate or invalid SAML OSGi configs.