AEM 6.5 SAML Default User Group Login 404 Error

jetate

03-08-2020

I have SAML set up to create new users with a default access group on creation. When new users log in to the site, their user account is created but they hit a 404 error on page load. We have a CUG enabled on the top level site page for the default user group that the user is added to on first log in. If the user refreshes the page, it will load, but no matter what, users hit a 404 on first log in.

We had a similar setup with a different user group name on our old 6.3 instance and never had this issue.

Is there a change in the SAML handling between 6.3 and 6.5? What can we do or change to prevent hitting a 404 on first log in for new users beyond ensuring that the users are created in advance (not an option)?

SAML

Accepted Solutions (1)

Shashi_Mulugu

MVP

03-08-2020

@jetate can you check if the user is really getting created for the first-time user logged in (error case) and the correct group is assigned? If yes, can you also check if a valid session is created by seeing the header/cookie in the browser based on your setup.

Answers (3)

akhoury

04-08-2020

The default group configuration still works the same between 6.3 and 6.5. I would suggest enabling debug logging for com.adobe.granite.auth.saml and seeing if there is some error when it tries to add the user as a member of the default group. Also, make sure you don't have any duplicate invalid SAML OSGi configs.

Nupur_Jain

MVP

04-08-2020

Hi @jetate

Are you using multiple publishers and is user sync enabled between publishers? It might be the case that user sync is taking some time to create new users on the other publishers and the user is hitting the other publisher in the first call.

Check if the user sync is working properly, as well as the time it is taking to sync a newly created user.

Hope it helps!

Thanks!

Nupur

vanegi

Employee

04-08-2020

Hi @jetate,

Do you see "success" in the SAML response, and other attributes like email, first name etc. getting stored under the user profile node in CRXDE? Can you keep the default group to "administrators" in the Adobe Granite SAML 2.0 Authentication Handler config and verify the use case if you still see the 404? In case you still see the error, please share the following:

Here is the sample SAML response for reference:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema" Destination="http://vanegi-WX-1:4502/saml_login" ID="id165981227872087111522592179" InResponseTo="_854ba739-f4c4-44c0-bef2-b3cf0bcd1f41" IssueInstant="2019-03-03T03:39:33.109Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/exk1es6n2ol6aKuGu1d8</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#id165981227872087111522592179">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>VjO7jLPwV19OyXBGtw01P29ig0RxRm9xvoUCV0mW9Mk=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>gSJ9UYgtfq6aQ2p7kTMDHC1JZQ1siNjB/kkZzppEvccNOFtcV3L5SlSekUzxTY3wVv6dSWyZB+D22LPlUraMG91eO4Sj0wP1lysGyYKcAMu020F3U3nuD78wpqvPu1Cd3gLpJoe2/cRErxmntvlEwbHaYcLL6JY3TZITzsKRBAecVNafD1ieYzPJ+NMw6qwC5zWL947S7SmBprEIFY0C1cPaLfR8/T7ti2jZvqkbszgfjFsaz5LjAIUbYez7MZn13MMXQ/h1ytjFW4pyvOF4m4hs5eT8L/t0cWoiz2tkwPtjO2OuZ5ZJ09Qs95r64r8DfU1PMgWZpKlKUI09N0gERg==</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIIDpjCCAo6gAwIBAgIGAV2m8CZSMA0GCSqGSIb3DQEBCwUAMIGTMQswCQYDVQQGEwJVUzETMBEG
A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
MBIGA1UECwwLU1NPUHJvdmlkZXIxFDASBgNVBAMMC2Fkb2JlLXN0YWdlMRwwGgYJKoZIhvcNAQkB
Fg1pbmZvQG9rdGEuY29tMB4XDTE3MDgwMzA3MTEyMloXDTI3MDgwMzA3MTIyMlowgZMxCzAJBgNV
BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ0wCwYD
VQQKDARPa3RhMRQwEgYDVQQLDAtTU09Qcm92aWRlcjEUMBIGA1UEAwwLYWRvYmUtc3RhZ2UxHDAa
BgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQCfPXqsGvuZOr2qhAIK0x+tXGtaNOQw8VjqfTol+XDB+xZozvfTeUbMBDWyOKAK19D7XfpDXKH8
Sa/giauCK/98iEqbuRk1QdDyg8em+8j8GwIGwmVk8ephsc0YzbXIEUHe2gi0YpOz+f9cCdIppnP0
MDKv0yvc8NBRFljEfA+Zr7rndrECjInZsy575geZEViMXVaCnBy0slL0KQVbqjfWNd1vSIj4OBAo
xAriYU84sOO4/smayx+PfB1PvLRQJT1eIBzR6wPTICQ7TQCM1XMHon6mn2U5NIyx/Mx+XQY/I4DQ
xz7Z0lt6/DuDLBtsZli9GKW3KOKKep0NPEzSdbhVAgMBAAEwDQYJKoZIhvcNAQELBQADggEBABc4
TyHErFVGOersFLaZiSEkv2eTlKcoycXsMfu4vPBDTG1aGtBrkuKfav+RqM25fnytdqohz0o4ii9R
prNQCRHj1Og2ElqLkb204+ma8cjyAvR09UO0S9mp07qzMjDFF7DNuilfC9o/VoHeRXAZDN6cr6s+
NzeeXKPaD2VIFk0YeO5YUgRbrJHiJ6v2UaizUBvUwPAxMOsxUVNch26AvSCsbSJx3ehlpN/4lP3b
55bt9Lo+Zb6pet9shf24CSg60nTa7sOmYgT4bGsNvXW13po6YbfCcawbzSYXXP427ZP15tehRuR2
sRjnZdCwK13NYhkw5x/iGnt6fQ7STEgqwpY=</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="id16598122787298689136258742" IssueInstant="2019-03-03T03:39:33.109Z" Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/exk1es6n2ol6aKuGu1d8</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#id16598122787298689136258742">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
              <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
            </ds:Transform>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>2dg20BJUERp3olxYBAv7JF2hOMfSN2PDnw70LR7mHFg=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>aOP9NZU8MQIXAh2uInduZmKITqn2Ya3ObQF63qnOhtUP++JK7tDTlDQyuzQKFiKmsr84yQRRZI7E1e6Q3ROENNGJ5daJbkA0QTJTU8SQTWpOZKcI9cFiwutMpCBDEpHdEzN2HBsbi0Q/kK0bKgiJROPOv7DXAVt/abYdJojUOpgInTkuua+ifxk6PcKfxpwbNEQk+NhNpQu5kXIUKdFhpRPVwY/kf8exZ1qUQsKbNvmeyhx+l1UBKJsDnP9iIKqgduLvC2/CuBZI9QkWDizvsUjBhLoxtdlWEwK9iPvfLIo2IkDEm1WCi1+8gBwXTLo71i5iFp/bpQRA8oYkcOoLwA==</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIIDpjCCAo6gAwIBAgIGAV2m8CZSMA0GCSqGSIb3DQEBCwUAMIGTMQswCQYDVQQGEwJVUzETMBEG
A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
MBIGA1UECwwLU1NPUHJvdmlkZXIxFDASBgNVBAMMC2Fkb2JlLXN0YWdlMRwwGgYJKoZIhvcNAQkB
Fg1pbmZvQG9rdGEuY29tMB4XDTE3MDgwMzA3MTEyMloXDTI3MDgwMzA3MTIyMlowgZMxCzAJBgNV
BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ0wCwYD
VQQKDARPa3RhMRQwEgYDVQQLDAtTU09Qcm92aWRlcjEUMBIGA1UEAwwLYWRvYmUtc3RhZ2UxHDAa
BgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQCfPXqsGvuZOr2qhAIK0x+tXGtaNOQw8VjqfTol+XDB+xZozvfTeUbMBDWyOKAK19D7XfpDXKH8
Sa/giauCK/98iEqbuRk1QdDyg8em+8j8GwIGwmVk8ephsc0YzbXIEUHe2gi0YpOz+f9cCdIppnP0
MDKv0yvc8NBRFljEfA+Zr7rndrECjInZsy575geZEViMXVaCnBy0slL0KQVbqjfWNd1vSIj4OBAo
xAriYU84sOO4/smayx+PfB1PvLRQJT1eIBzR6wPTICQ7TQCM1XMHon6mn2U5NIyx/Mx+XQY/I4DQ
xz7Z0lt6/DuDLBtsZli9GKW3KOKKep0NPEzSdbhVAgMBAAEwDQYJKoZIhvcNAQELBQADggEBABc4
TyHErFVGOersFLaZiSEkv2eTlKcoycXsMfu4vPBDTG1aGtBrkuKfav+RqM25fnytdqohz0o4ii9R
prNQCRHj1Og2ElqLkb204+ma8cjyAvR09UO0S9mp07qzMjDFF7DNuilfC9o/VoHeRXAZDN6cr6s+
NzeeXKPaD2VIFk0YeO5YUgRbrJHiJ6v2UaizUBvUwPAxMOsxUVNch26AvSCsbSJx3ehlpN/4lP3b
55bt9Lo+Zb6pet9shf24CSg60nTa7sOmYgT4bGsNvXW13po6YbfCcawbzSYXXP427ZP15tehRuR2
sRjnZdCwK13NYhkw5x/iGnt6fQ7STEgqwpY=</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">vanegi@adobe.com</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="_854ba739-f4c4-44c0-bef2-b3cf0bcd1f41" NotOnOrAfter="2019-03-03T03:44:33.109Z" Recipient="http://vanegi-WX-1:4502/saml_login"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" NotBefore="2019-03-03T03:34:33.109Z" NotOnOrAfter="2019-03-03T03:44:33.109Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>http://vanegi-WX-1:4502/projects.html</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" AuthnInstant="2019-03-03T03:39:33.109Z" SessionIndex="_854ba739-f4c4-44c0-bef2-b3cf0bcd1f41">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml2:Attribute Name="Email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">vanegi@adobe.com</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Vaishali</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Negi</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="UserID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">vanegi</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="Department" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Customer Experience</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>

Thanks!!
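As an added example (not from this thread or Adobe's SAML handler), a small Python script that pulls out the fields the answers ask about (StatusCode, NameID, profile attributes) from a decoded SAML response and flags the conditions that typically make a first login fail: a non-Success status, a Destination/Recipient that does not match the instance's /saml_login URL (the multi-publisher case above), and an assertion outside its validity window. The embedded response is constructed in the shape of the Okta sample, with signatures omitted and placeholder host names; it does not verify signatures, AEM does that.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned response in the shape of the Okta sample above (placeholder host).
ACS_URL = "http://aem-publish.example:4503/saml_login"
SAMPLE_RESPONSE = f"""<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="{NS['saml2p']}" xmlns:saml2="{NS['saml2']}"
    Destination="{ACS_URL}" ID="id-resp-1" IssueInstant="2020-08-04T10:00:00.000Z" Version="2.0">
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:Assertion ID="id-assert-1" IssueInstant="2020-08-04T10:00:00.000Z" Version="2.0">
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData NotOnOrAfter="2020-08-04T10:05:00.000Z" Recipient="{ACS_URL}"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2020-08-04T09:55:00.000Z" NotOnOrAfter="2020-08-04T10:05:00.000Z"/>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="UserID"><saml2:AttributeValue>jdoe</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="Email"><saml2:AttributeValue>jdoe@example.com</saml2:AttributeValue></saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""

def _ts(s):  # parse a SAML UTC timestamp such as 2020-08-04T10:00:00.000Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def inspect_response(xml_text, acs_url, now):
    """Summarise status, NameID and attributes; return (summary, problems) where
    problems lists the conditions that would make the handler reject the login."""
    root = ET.fromstring(xml_text)
    status = root.find("saml2p:Status/saml2p:StatusCode", NS).get("Value")
    assertion = root.find("saml2:Assertion", NS)
    name_id = assertion.findtext("saml2:Subject/saml2:NameID", namespaces=NS)
    attrs = {a.get("Name"): a.findtext("saml2:AttributeValue", namespaces=NS)
             for a in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS)}
    cond = assertion.find("saml2:Conditions", NS)
    scd = assertion.find("saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS)
    problems = []
    if not status.endswith(":Success"):
        problems.append("StatusCode is not Success: " + status)
    if root.get("Destination") != acs_url or scd.get("Recipient") != acs_url:
        problems.append("Destination/Recipient differ from this instance's /saml_login URL")
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        problems.append("assertion outside its validity window (check IdP/AEM clock skew)")
    return {"status": status, "name_id": name_id, "attributes": attrs}, problems
```

Feed it the base64-decoded SAMLResponse captured from the browser and compare the reported NameID and attributes with what appears under the new user's profile node.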