
SOLVED

AEM 6.5 SAML Default User Group Login 404 Error


Level 4

I have SAML set up to create new users with a default access group on creation. When new users log in to the site, their user account is created but they hit a 404 error on page load. We have a CUG enabled on the top-level site page for the default user group that the user is added to on first login. If the user refreshes the page, it will load, but no matter what, users hit a 404 on first login.

We had a similar setup with a different user group name on our old 6.3 instance and never had this issue.

Is there a change in the SAML handling between 6.3 and 6.5? What can we do or change to prevent hitting a 404 on first login for new users, beyond ensuring that the users are created in advance (not an option)?

1 Accepted Solution


Correct answer by
Community Advisor

@jetate can you check if the user is really getting created for the first-time user login (error case) and the correct group is assigned? If yes, can you also check if a valid session is created by inspecting the headers/cookies in the browser, based on your setup?


7 Replies


Level 4
The user is getting created. We suspect this is an issue with our load balancer where the user is logging on to one pub but hitting another before the user info is synced, as @Nupur_Jain said. We had sticky sessions on our 6.3 instance but do not have that on the new one.


Employee

Hi @jetate,

Do you see "success" in the SAML response, and other attributes like email, first name, etc. getting stored under the user profile node in CRXDE? Can you set the default group to "administrators" in the Adobe Granite SAML 2.0 Authentication Handler config and verify the use case, to see if you still get a 404? In case you still see the error, please share the following:


Here is the sample SAML response for reference:


<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema" Destination="http://vanegi-WX-1:4502/saml_login" ID="id165981227872087111522592179" InResponseTo="_854ba739-f4c4-44c0-bef2-b3cf0bcd1f41" IssueInstant="2019-03-03T03:39:33.109Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/exk1es6n2ol6aKuGu1d8</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#id165981227872087111522592179">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>VjO7jLPwV19OyXBGtw01P29ig0RxRm9xvoUCV0mW9Mk=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>gSJ9UYgtfq6aQ2p7kTMDHC1JZQ1siNjB/kkZzppEvccNOFtcV3L5SlSekUzxTY3wVv6dSWyZB+D22LPlUraMG91eO4Sj0wP1lysGyYKcAMu020F3U3nuD78wpqvPu1Cd3gLpJoe2/cRErxmntvlEwbHaYcLL6JY3TZITzsKRBAecVNafD1ieYzPJ+NMw6qwC5zWL947S7SmBprEIFY0C1cPaLfR8/T7ti2jZvqkbszgfjFsaz5LjAIUbYez7MZn13MMXQ/h1ytjFW4pyvOF4m4hs5eT8L/t0cWoiz2tkwPtjO2OuZ5ZJ09Qs95r64r8DfU1PMgWZpKlKUI09N0gERg==</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIIDpjCCAo6gAwIBAgIGAV2m8CZSMA0GCSqGSIb3DQEBCwUAMIGTMQswCQYDVQQGEwJVUzETMBEG
A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
MBIGA1UECwwLU1NPUHJvdmlkZXIxFDASBgNVBAMMC2Fkb2JlLXN0YWdlMRwwGgYJKoZIhvcNAQkB
Fg1pbmZvQG9rdGEuY29tMB4XDTE3MDgwMzA3MTEyMloXDTI3MDgwMzA3MTIyMlowgZMxCzAJBgNV
BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ0wCwYD
VQQKDARPa3RhMRQwEgYDVQQLDAtTU09Qcm92aWRlcjEUMBIGA1UEAwwLYWRvYmUtc3RhZ2UxHDAa
BgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQCfPXqsGvuZOr2qhAIK0x+tXGtaNOQw8VjqfTol+XDB+xZozvfTeUbMBDWyOKAK19D7XfpDXKH8
Sa/giauCK/98iEqbuRk1QdDyg8em+8j8GwIGwmVk8ephsc0YzbXIEUHe2gi0YpOz+f9cCdIppnP0
MDKv0yvc8NBRFljEfA+Zr7rndrECjInZsy575geZEViMXVaCnBy0slL0KQVbqjfWNd1vSIj4OBAo
xAriYU84sOO4/smayx+PfB1PvLRQJT1eIBzR6wPTICQ7TQCM1XMHon6mn2U5NIyx/Mx+XQY/I4DQ
xz7Z0lt6/DuDLBtsZli9GKW3KOKKep0NPEzSdbhVAgMBAAEwDQYJKoZIhvcNAQELBQADggEBABc4
TyHErFVGOersFLaZiSEkv2eTlKcoycXsMfu4vPBDTG1aGtBrkuKfav+RqM25fnytdqohz0o4ii9R
prNQCRHj1Og2ElqLkb204+ma8cjyAvR09UO0S9mp07qzMjDFF7DNuilfC9o/VoHeRXAZDN6cr6s+
NzeeXKPaD2VIFk0YeO5YUgRbrJHiJ6v2UaizUBvUwPAxMOsxUVNch26AvSCsbSJx3ehlpN/4lP3b
55bt9Lo+Zb6pet9shf24CSg60nTa7sOmYgT4bGsNvXW13po6YbfCcawbzSYXXP427ZP15tehRuR2
sRjnZdCwK13NYhkw5x/iGnt6fQ7STEgqwpY=</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="id16598122787298689136258742" IssueInstant="2019-03-03T03:39:33.109Z" Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/exk1es6n2ol6aKuGu1d8</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#id16598122787298689136258742">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
              <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
            </ds:Transform>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>2dg20BJUERp3olxYBAv7JF2hOMfSN2PDnw70LR7mHFg=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>aOP9NZU8MQIXAh2uInduZmKITqn2Ya3ObQF63qnOhtUP++JK7tDTlDQyuzQKFiKmsr84yQRRZI7E1e6Q3ROENNGJ5daJbkA0QTJTU8SQTWpOZKcI9cFiwutMpCBDEpHdEzN2HBsbi0Q/kK0bKgiJROPOv7DXAVt/abYdJojUOpgInTkuua+ifxk6PcKfxpwbNEQk+NhNpQu5kXIUKdFhpRPVwY/kf8exZ1qUQsKbNvmeyhx+l1UBKJsDnP9iIKqgduLvC2/CuBZI9QkWDizvsUjBhLoxtdlWEwK9iPvfLIo2IkDEm1WCi1+8gBwXTLo71i5iFp/bpQRA8oYkcOoLwA==</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIIDpjCCAo6gAwIBAgIGAV2m8CZSMA0GCSqGSIb3DQEBCwUAMIGTMQswCQYDVQQGEwJVUzETMBEG
A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
MBIGA1UECwwLU1NPUHJvdmlkZXIxFDASBgNVBAMMC2Fkb2JlLXN0YWdlMRwwGgYJKoZIhvcNAQkB
Fg1pbmZvQG9rdGEuY29tMB4XDTE3MDgwMzA3MTEyMloXDTI3MDgwMzA3MTIyMlowgZMxCzAJBgNV
BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ0wCwYD
VQQKDARPa3RhMRQwEgYDVQQLDAtTU09Qcm92aWRlcjEUMBIGA1UEAwwLYWRvYmUtc3RhZ2UxHDAa
BgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQCfPXqsGvuZOr2qhAIK0x+tXGtaNOQw8VjqfTol+XDB+xZozvfTeUbMBDWyOKAK19D7XfpDXKH8
Sa/giauCK/98iEqbuRk1QdDyg8em+8j8GwIGwmVk8ephsc0YzbXIEUHe2gi0YpOz+f9cCdIppnP0
MDKv0yvc8NBRFljEfA+Zr7rndrECjInZsy575geZEViMXVaCnBy0slL0KQVbqjfWNd1vSIj4OBAo
xAriYU84sOO4/smayx+PfB1PvLRQJT1eIBzR6wPTICQ7TQCM1XMHon6mn2U5NIyx/Mx+XQY/I4DQ
xz7Z0lt6/DuDLBtsZli9GKW3KOKKep0NPEzSdbhVAgMBAAEwDQYJKoZIhvcNAQELBQADggEBABc4
TyHErFVGOersFLaZiSEkv2eTlKcoycXsMfu4vPBDTG1aGtBrkuKfav+RqM25fnytdqohz0o4ii9R
prNQCRHj1Og2ElqLkb204+ma8cjyAvR09UO0S9mp07qzMjDFF7DNuilfC9o/VoHeRXAZDN6cr6s+
NzeeXKPaD2VIFk0YeO5YUgRbrJHiJ6v2UaizUBvUwPAxMOsxUVNch26AvSCsbSJx3ehlpN/4lP3b
55bt9Lo+Zb6pet9shf24CSg60nTa7sOmYgT4bGsNvXW13po6YbfCcawbzSYXXP427ZP15tehRuR2
sRjnZdCwK13NYhkw5x/iGnt6fQ7STEgqwpY=</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">vanegi@adobe.com</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="_854ba739-f4c4-44c0-bef2-b3cf0bcd1f41" NotOnOrAfter="2019-03-03T03:44:33.109Z" Recipient="http://vanegi-WX-1:4502/saml_login"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" NotBefore="2019-03-03T03:34:33.109Z" NotOnOrAfter="2019-03-03T03:44:33.109Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>http://vanegi-WX-1:4502/projects.html</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" AuthnInstant="2019-03-03T03:39:33.109Z" SessionIndex="_854ba739-f4c4-44c0-bef2-b3cf0bcd1f41">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml2:Attribute Name="Email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">vanegi@adobe.com</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Vaishali</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Negi</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="UserID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">vanegi</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="Department" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Customer Experience</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>


Thanks!!
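The checks the reply above asks for (a Success status, the assertion addressed to this service provider, a validity window that covers the current time, and the profile attributes present) can be scripted against a saved response. The following is an added example and not part of the original reply or of the AEM SAML handler; it uses a constructed, signature-free response modelled on the sample above, and the recipient, audience and request ID it expects are assumptions. It deliberately does not verify the XML signatures, which the authentication handler does, so it is a diagnostic aid rather than a substitute for the handler's own validation. If you point it at responses you have not already vetted, parse them with `defusedxml` instead of the stdlib parser.

```python
"""Diagnostic checks on a SAML 2.0 Response: status, addressing, time window,
audience and profile attributes. Signature verification is intentionally out
of scope here; the SAML handler performs it."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for unvetted input

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample (hypothetical user and request ID), trimmed from the
# response shown in the thread; the <ds:Signature> elements are omitted.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="http://vanegi-WX-1:4502/saml_login" ID="id1" InResponseTo="_req1"
    IssueInstant="2019-03-03T03:39:33.109Z" Version="2.0">
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="id2"
      IssueInstant="2019-03-03T03:39:33.109Z" Version="2.0">
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="_req1" NotOnOrAfter="2019-03-03T03:44:33.109Z"
            Recipient="http://vanegi-WX-1:4502/saml_login"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2019-03-03T03:34:33.109Z" NotOnOrAfter="2019-03-03T03:44:33.109Z">
      <saml2:AudienceRestriction><saml2:Audience>http://vanegi-WX-1:4502/projects.html</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="Email"><saml2:AttributeValue>jane@example.com</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="FirstName"><saml2:AttributeValue>Jane</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="LastName"><saml2:AttributeValue>Doe</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="UserID"><saml2:AttributeValue>jane</saml2:AttributeValue></saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""


def parse_saml_time(value):
    """SAML timestamps are UTC with a trailing Z and optional fraction."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_response(xml_text, expected_recipient, expected_audience,
                   expected_request_id, now,
                   required_attrs=("Email", "FirstName", "LastName", "UserID")):
    """Return (problems, attributes). An empty problems list means every
    check passed; attributes maps SAML attribute names to their first value."""
    root = ET.fromstring(xml_text)
    problems = []

    status = root.find("saml2p:Status/saml2p:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    if root.get("InResponseTo") != expected_request_id:
        problems.append("Response.InResponseTo does not match our AuthnRequest")

    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        problems.append("no Assertion element")
        return problems, {}

    # Bearer confirmation must name our ACS URL and our request.
    scd = assertion.find("saml2:Subject/saml2:SubjectConfirmation/"
                         "saml2:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected_recipient:
        problems.append("SubjectConfirmationData.Recipient is not our ACS URL")
    elif scd.get("InResponseTo") != expected_request_id:
        problems.append("SubjectConfirmationData.InResponseTo does not match")

    # Validity window and audience restriction.
    cond = assertion.find("saml2:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        not_before = parse_saml_time(cond.get("NotBefore"))
        not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))
        if not (not_before <= now < not_on_or_after):
            problems.append("assertion outside validity window")
        audiences = [a.text for a in cond.findall(
            "saml2:AudienceRestriction/saml2:Audience", NS)]
        if expected_audience not in audiences:
            problems.append("audience restriction does not include us")

    # Profile attributes the handler would write to the user node.
    attrs = {}
    for attr in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        value = attr.find("saml2:AttributeValue", NS)
        attrs[attr.get("Name")] = value.text if value is not None else None
    missing = [name for name in required_attrs if not attrs.get(name)]
    if missing:
        problems.append("missing profile attributes: " + ", ".join(missing))
    return problems, attrs


if __name__ == "__main__":
    at_login = datetime(2019, 3, 3, 3, 40, tzinfo=timezone.utc)
    problems, attrs = check_response(
        SAMPLE_RESPONSE, "http://vanegi-WX-1:4502/saml_login",
        "http://vanegi-WX-1:4502/projects.html", "_req1", at_login)
    print("problems:", problems or "none")
    print("attributes:", attrs)
```

Run it once with the timestamp of the failing login and once with the audience or recipient you expect; an empty problems list narrows the 404 down to what happens after the assertion is accepted (group membership, CUG, or which publisher served the next request), while a non-empty list points at the identity-provider side.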


Community Advisor

Hi @jetate

Are you using multiple publishers with user sync enabled between them? It might be the case that user sync is taking some time to create new users on the other publishers and the user is hitting another publisher in the first call.

Check that user sync is working properly, as well as the time it takes to sync a newly created user.


Hope it helps!

Thanks!

Nupur


Level 4
After some testing, this is exactly what I think is happening. We have a dispatcher with a load balancer and 3 publishers, and I believe that our user is logging in to one pub and hitting another while the attributes are being synced. On our old instance, we had sticky sessions, which are not set up on the 6.5 instance. Sync is working properly, and we did some tests with only one active pub and did not have the login issue. We're going to work with the instance team to set up some cookies to try to hold the user to the login pub while sync processes.
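The race described in this reply, as an added model that is not part of the thread and not AEM code: one publisher handles the SAML login and creates the user with its default group, user sync copies that user to the other publishers after a delay, and a round-robin load balancer may send the browser's very next request to a publisher that does not know the user yet, so the CUG on the site root denies it and the visitor sees a 404. A sticky-session cookie keeps the follow-up requests on the publisher that did the login until sync has caught up. The three publisher names, the `site-users` group, the cookie name and the tick-based sync delay are all constructed for the illustration.

```python
"""Toy model of a dispatcher/load balancer in front of several publishers,
showing why the first request after a SAML login can 404 without sticky
sessions while user sync is still propagating the new account."""
from collections import deque


class Publisher:
    def __init__(self, name):
        self.name = name
        self.users = {}  # user id -> set of group names known on this instance

    def serve(self, user, cug_group):
        """A CUG-protected page is served only to members of the group; AEM
        reports a denied page as 404 rather than 403."""
        groups = self.users.get(user)
        if groups is None or cug_group not in groups:
            return 404
        return 200


class Farm:
    def __init__(self, names, sync_delay, sticky):
        self.pubs = [Publisher(n) for n in names]
        self.sync_delay = sync_delay  # ticks until user sync reaches other pubs
        self.sticky = sticky          # honour a constructed 'pub' affinity cookie
        self.rr = 0                   # round-robin cursor
        self.tick = 0
        self.pending = deque()        # (due_tick, user, groups) awaiting sync

    def _route(self, cookies):
        if self.sticky and "pub" in cookies:
            return next(p for p in self.pubs if p.name == cookies["pub"])
        pub = self.pubs[self.rr % len(self.pubs)]
        self.rr += 1
        return pub

    def _run_sync(self):
        """Deliver any sync records whose delay has elapsed to every publisher."""
        while self.pending and self.pending[0][0] <= self.tick:
            _, user, groups = self.pending.popleft()
            for p in self.pubs:
                p.users.setdefault(user, set()).update(groups)

    def login(self, user, cookies, default_group):
        """SAML handler: create the user and add the default group locally,
        then queue the record for user sync."""
        self.tick += 1
        self._run_sync()
        pub = self._route(cookies)
        pub.users[user] = {default_group}
        self.pending.append((self.tick + self.sync_delay, user, {default_group}))
        if self.sticky:
            cookies["pub"] = pub.name
        return pub.name

    def request(self, user, cookies, cug_group):
        self.tick += 1
        self._run_sync()
        pub = self._route(cookies)
        return pub.name, pub.serve(user, cug_group)


def first_login_flow(sticky, sync_delay=2, follow_ups=3):
    """Log in once, then load the CUG-protected landing page a few times;
    return the list of HTTP statuses the visitor sees."""
    farm = Farm(["pub1", "pub2", "pub3"], sync_delay, sticky)
    cookies = {}
    farm.login("jane", cookies, "site-users")
    return [farm.request("jane", cookies, "site-users")[1] for _ in range(follow_ups)]


if __name__ == "__main__":
    print("round-robin, no affinity:", first_login_flow(sticky=False))  # [404, 200, 200]
    print("sticky session cookie:  ", first_login_flow(sticky=True))    # [200, 200, 200]
```

The model also explains the two observations in the thread: a refresh works (by then sync has reached the other publishers), and a single active publisher never shows the problem. Affinity only hides the window; shortening the sync delay or making the post-login redirect land on the same publisher closes it.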


Community Advisor
Glad it pointed you to some direction.


Employee

The default group configuration still works the same between 6.3 and 6.5. I would suggest enabling debug logging for com.adobe.granite.auth.saml and checking whether there is an error when it tries to add the user as a member of the default group. Also, make sure you don't have any duplicate or invalid SAML OSGi configs.