AEM 6.5 SAML Default User Group Login 404 Error | Community
Skip to main content
jetate
jetate
Level 4
August 3, 2020
Solved

AEM 6.5 SAML Default User Group Login 404 Error

  • August 3, 2020
  • 4 replies
  • 3284 views

I have SAML set  up to create new users with a default access group on creation. When new users log in to the site, their user account is created but they hit a 404 error on page load. We have a CUG enabled on the top level site page for the default user group that the user is added to on first log in. If the user refreshes the page, it will load, but no matter what, users hit a 404 on first log in.

We had a similar setup with a different user group name on our old 6.3 instance and never had this issue.

Is there a change in the SAML handling between 6.3 and 6.5? What can we do or change to prevent hitting a 404 on first log in for new users beyond ensuring that the users are created in advance (not an option)?

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.
Best answer by Shashi_Mulugu

@jetate can you check if the user is really getting created for the first time user loggedin(error case) and correct group is assigned? If yes can you also check if a valid session is created by seeing header/cookie in browser based on your setup.

4 replies

Shashi_Mulugu
Community Advisor
Shashi_MuluguCommunity AdvisorAccepted solution
Community Advisor
August 4, 2020

@jetate can you check if the user is really getting created for the first time user loggedin(error case) and correct group is assigned? If yes can you also check if a valid session is created by seeing header/cookie in browser based on your setup.

    jetate
    jetateAuthor
    Level 4
    August 5, 2020
    The user is getting created. We suspect this is an issue with our load balancer where the user is logging on to one pub but hitting another before the user info is synced, as @nupur_jain said. We had sticky sessions on our 6.3 instance but do not have that on the new one.
    vanegi
    Adobe Employee
    vanegiAdobe Employee
    Adobe Employee
    August 4, 2020

    Hi @jetate,

    Do you see "success" in saml response, and other attributes like email, first name etc getting stored under user profile node in crxde? Can you keep the default group to "administrators" in Adobe Granite SAML 2.0 Authentication Handler config and verify the use case if you still see 404? In case you still see the error, please share the following:

     

     

     

    Here is the sample saml response for reference:

     

    <?xml version="1.0" encoding="UTF-8"?>

    <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema" Destination="http://vanegi-WX-1:4502/saml_login" ID="id165981227872087111522592179" InResponseTo="_854ba739-f4c4-44c0-bef2-b3cf0bcd1f41" IssueInstant="2019-03-03T03:39:33.109Z" Version="2.0">

      <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/exk1es6n2ol6aKuGu1d8</saml2:Issuer>

      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

        <ds:SignedInfo>

          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>

          <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>

          <ds:Reference URI="#id165981227872087111522592179">

            <ds:Transforms>

              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>

              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">

                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>

              </ds:Transform>

            </ds:Transforms>

            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>

            <ds:DigestValue>VjO7jLPwV19OyXBGtw01P29ig0RxRm9xvoUCV0mW9Mk=</ds:DigestValue>

          </ds:Reference>

        </ds:SignedInfo>

        <ds:SignatureValue>gSJ9UYgtfq6aQ2p7kTMDHC1JZQ1siNjB/kkZzppEvccNOFtcV3L5SlSekUzxTY3wVv6dSWyZB+D22LPlUraMG91eO4Sj0wP1lysGyYKcAMu020F3U3nuD78wpqvPu1Cd3gLpJoe2/cRErxmntvlEwbHaYcLL6JY3TZITzsKRBAecVNafD1ieYzPJ+NMw6qwC5zWL947S7SmBprEIFY0C1cPaLfR8/T7ti2jZvqkbszgfjFsaz5LjAIUbYez7MZn13MMXQ/h1ytjFW4pyvOF4m4hs5eT8L/t0cWoiz2tkwPtjO2OuZ5ZJ09Qs95r64r8DfU1PMgWZpKlKUI09N0gERg==</ds:SignatureValue>

        <ds:KeyInfo>

          <ds:X509Data>

            <ds:X509Certificate>MIIDpjCCAo6gAwIBAgIGAV2m8CZSMA0GCSqGSIb3DQEBCwUAMIGTMQswCQYDVQQGEwJVUzETMBEG

    A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU

    MBIGA1UECwwLU1NPUHJvdmlkZXIxFDASBgNVBAMMC2Fkb2JlLXN0YWdlMRwwGgYJKoZIhvcNAQkB

    Fg1pbmZvQG9rdGEuY29tMB4XDTE3MDgwMzA3MTEyMloXDTI3MDgwMzA3MTIyMlowgZMxCzAJBgNV

    BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ0wCwYD

    VQQKDARPa3RhMRQwEgYDVQQLDAtTU09Qcm92aWRlcjEUMBIGA1UEAwwLYWRvYmUtc3RhZ2UxHDAa

    BgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB

    AQCfPXqsGvuZOr2qhAIK0x+tXGtaNOQw8VjqfTol+XDB+xZozvfTeUbMBDWyOKAK19D7XfpDXKH8

    Sa/giauCK/98iEqbuRk1QdDyg8em+8j8GwIGwmVk8ephsc0YzbXIEUHe2gi0YpOz+f9cCdIppnP0

    MDKv0yvc8NBRFljEfA+Zr7rndrECjInZsy575geZEViMXVaCnBy0slL0KQVbqjfWNd1vSIj4OBAo

    xAriYU84sOO4/smayx+PfB1PvLRQJT1eIBzR6wPTICQ7TQCM1XMHon6mn2U5NIyx/Mx+XQY/I4DQ

    xz7Z0lt6/DuDLBtsZli9GKW3KOKKep0NPEzSdbhVAgMBAAEwDQYJKoZIhvcNAQELBQADggEBABc4

    TyHErFVGOersFLaZiSEkv2eTlKcoycXsMfu4vPBDTG1aGtBrkuKfav+RqM25fnytdqohz0o4ii9R

    prNQCRHj1Og2ElqLkb204+ma8cjyAvR09UO0S9mp07qzMjDFF7DNuilfC9o/VoHeRXAZDN6cr6s+

    NzeeXKPaD2VIFk0YeO5YUgRbrJHiJ6v2UaizUBvUwPAxMOsxUVNch26AvSCsbSJx3ehlpN/4lP3b

    55bt9Lo+Zb6pet9shf24CSg60nTa7sOmYgT4bGsNvXW13po6YbfCcawbzSYXXP427ZP15tehRuR2

    sRjnZdCwK13NYhkw5x/iGnt6fQ7STEgqwpY=</ds:X509Certificate>

          </ds:X509Data>

        </ds:KeyInfo>

      </ds:Signature>

      <saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">

        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>

      </saml2p:Status>

      <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="id16598122787298689136258742" IssueInstant="2019-03-03T03:39:33.109Z" Version="2.0">

        <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/exk1es6n2ol6aKuGu1d8</saml2:Issuer>

        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

          <ds:SignedInfo>

            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>

            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>

            <ds:Reference URI="#id16598122787298689136258742">

              <ds:Transforms>

                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>

                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">

                  <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>

                </ds:Transform>

              </ds:Transforms>

              <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>

              <ds:DigestValue>2dg20BJUERp3olxYBAv7JF2hOMfSN2PDnw70LR7mHFg=</ds:DigestValue>

            </ds:Reference>

          </ds:SignedInfo>

          <ds:SignatureValue>aOP9NZU8MQIXAh2uInduZmKITqn2Ya3ObQF63qnOhtUP++JK7tDTlDQyuzQKFiKmsr84yQRRZI7E1e6Q3ROENNGJ5daJbkA0QTJTU8SQTWpOZKcI9cFiwutMpCBDEpHdEzN2HBsbi0Q/kK0bKgiJROPOv7DXAVt/abYdJojUOpgInTkuua+ifxk6PcKfxpwbNEQk+NhNpQu5kXIUKdFhpRPVwY/kf8exZ1qUQsKbNvmeyhx+l1UBKJsDnP9iIKqgduLvC2/CuBZI9QkWDizvsUjBhLoxtdlWEwK9iPvfLIo2IkDEm1WCi1+8gBwXTLo71i5iFp/bpQRA8oYkcOoLwA==</ds:SignatureValue>

          <ds:KeyInfo>

            <ds:X509Data>

              <ds:X509Certificate>MIIDpjCCAo6gAwIBAgIGAV2m8CZSMA0GCSqGSIb3DQEBCwUAMIGTMQswCQYDVQQGEwJVUzETMBEG

    A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU

    MBIGA1UECwwLU1NPUHJvdmlkZXIxFDASBgNVBAMMC2Fkb2JlLXN0YWdlMRwwGgYJKoZIhvcNAQkB

    Fg1pbmZvQG9rdGEuY29tMB4XDTE3MDgwMzA3MTEyMloXDTI3MDgwMzA3MTIyMlowgZMxCzAJBgNV

    BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ0wCwYD

    VQQKDARPa3RhMRQwEgYDVQQLDAtTU09Qcm92aWRlcjEUMBIGA1UEAwwLYWRvYmUtc3RhZ2UxHDAa

    BgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB

    AQCfPXqsGvuZOr2qhAIK0x+tXGtaNOQw8VjqfTol+XDB+xZozvfTeUbMBDWyOKAK19D7XfpDXKH8

    Sa/giauCK/98iEqbuRk1QdDyg8em+8j8GwIGwmVk8ephsc0YzbXIEUHe2gi0YpOz+f9cCdIppnP0

    MDKv0yvc8NBRFljEfA+Zr7rndrECjInZsy575geZEViMXVaCnBy0slL0KQVbqjfWNd1vSIj4OBAo

    xAriYU84sOO4/smayx+PfB1PvLRQJT1eIBzR6wPTICQ7TQCM1XMHon6mn2U5NIyx/Mx+XQY/I4DQ

    xz7Z0lt6/DuDLBtsZli9GKW3KOKKep0NPEzSdbhVAgMBAAEwDQYJKoZIhvcNAQELBQADggEBABc4

    TyHErFVGOersFLaZiSEkv2eTlKcoycXsMfu4vPBDTG1aGtBrkuKfav+RqM25fnytdqohz0o4ii9R

    prNQCRHj1Og2ElqLkb204+ma8cjyAvR09UO0S9mp07qzMjDFF7DNuilfC9o/VoHeRXAZDN6cr6s+

    NzeeXKPaD2VIFk0YeO5YUgRbrJHiJ6v2UaizUBvUwPAxMOsxUVNch26AvSCsbSJx3ehlpN/4lP3b

    55bt9Lo+Zb6pet9shf24CSg60nTa7sOmYgT4bGsNvXW13po6YbfCcawbzSYXXP427ZP15tehRuR2

    sRjnZdCwK13NYhkw5x/iGnt6fQ7STEgqwpY=</ds:X509Certificate>

            </ds:X509Data>

          </ds:KeyInfo>

        </ds:Signature>

        <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">

          <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">vanegi@adobe.com</saml2:NameID>

          <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">

            <saml2:SubjectConfirmationData InResponseTo="_854ba739-f4c4-44c0-bef2-b3cf0bcd1f41" NotOnOrAfter="2019-03-03T03:44:33.109Z" Recipient="http://vanegi-WX-1:4502/saml_login"/>

          </saml2:SubjectConfirmation>

        </saml2:Subject>

        <saml2:Conditions xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" NotBefore="2019-03-03T03:34:33.109Z" NotOnOrAfter="2019-03-03T03:44:33.109Z">

          <saml2:AudienceRestriction>

            <saml2:Audience>http://vanegi-WX-1:4502/projects.html</saml2:Audience>

          </saml2:AudienceRestriction>

        </saml2:Conditions>

        <saml2:AuthnStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" AuthnInstant="2019-03-03T03:39:33.109Z" SessionIndex="_854ba739-f4c4-44c0-bef2-b3cf0bcd1f41">

          <saml2:AuthnContext>

            <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>

          </saml2:AuthnContext>

        </saml2:AuthnStatement>

        <saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">

          <saml2:Attribute Name="Email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">

            <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">vanegi@adobe.com</saml2:AttributeValue>

          </saml2:Attribute>

          <saml2:Attribute Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">

            <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Vaishali</saml2:AttributeValue>

          </saml2:Attribute>

          <saml2:Attribute Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">

            <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Negi</saml2:AttributeValue>

          </saml2:Attribute>

          <saml2:Attribute Name="UserID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">

            <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">vanegi</saml2:AttributeValue>

          </saml2:Attribute>

          <saml2:Attribute Name="Department" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">

            <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Customer Experience</saml2:AttributeValue>

          </saml2:Attribute>

        </saml2:AttributeStatement>

      </saml2:Assertion>

    </saml2p:Response>

     

     

    Thanks!!

      Nupur_Jain
      Adobe Employee
      Nupur_JainAdobe Employee
      Adobe Employee
      August 4, 2020

      Hi @jetate 

       

      Are you using multiple publishers and user sync is enabled between publishers? There might be the case that usr sync is taking some time to create new users on other publishers and the user is hitting the other publisher in first call. 

       

      Check if the user sync is working properly as well the time it is taking to sync newly created user.

       

      Hope it helps!

      Thanks!

      Nupur

        jetate
        jetateAuthor
        Level 4
        August 5, 2020
        After some testing, this is exactly what I think is happening. We have a dispatcher with a load balancer and 3 publishers, and I believe that our user is logging in to one pub and hitting another while the attributes are being synced. On our old instance, we had sticky sessions which are no set up on the 6.5 instance. Sync is working properly, and we did some tests with only one active pub and did not have the login issue. We're going to work with the instance team to set up some cookies to try to hold the user to the login pub while sync processes.
        akhoury
        Adobe Employee
        akhouryAdobe Employee
        Adobe Employee
        August 5, 2020

        The default group configuration still works the same between 6.3 and 6.5.  I would suggest to enable debug logging for com.adobe.granite.auth.saml and see if there is some error when it tries to add the user as a member of the default group.  Also, make sure you don't have any duplicate invalid SAML OSGi configs.

          Terms & ConditionsAccessibility statement

          Loading footer...