AEM 6.5 SAML Default User Group Login 404 Error

jetate
Level 3

03-08-2020

I have SAML set up to create new users with a default access group on creation. When new users log in to the site, their user account is created but they hit a 404 error on page load. We have a CUG enabled on the top-level site page for the default user group that the user is added to on first login. If the user refreshes the page, it will load, but no matter what, users hit a 404 on first login.

We had a similar setup with a different user group name on our old 6.3 instance and never had this issue.

Is there a change in the SAML handling between 6.3 and 6.5? What can we do or change to prevent hitting a 404 on first login for new users, beyond ensuring that the users are created in advance (not an option)?

SAML

Accepted Solutions (1)


Shashi_Mulugu
MVP

03-08-2020

@jetate can you check if the user is really getting created for the first-time user login (error case) and the correct group is assigned? If yes, can you also check if a valid session is created by looking at the header/cookie in the browser, based on your setup.

Answers (3)


akhoury
Level 2

04-08-2020

The default group configuration still works the same between 6.3 and 6.5. I would suggest enabling debug logging for com.adobe.granite.auth.saml and seeing if there is some error when it tries to add the user as a member of the default group. Also, make sure you don't have any duplicate invalid SAML OSGi configs.

Nupur_Jain
MVP

04-08-2020

Hi @jetate

Are you using multiple publishers, and is user sync enabled between publishers? There might be the case that user sync is taking some time to create new users on the other publishers and the user is hitting the other publisher in the first call.

Check if the user sync is working properly, as well as the time it is taking to sync a newly created user.

Hope it helps!

Thanks!

Nupur

vanegi
Employee

04-08-2020

Hi @jetate,

Do you see "success" in the SAML response, and other attributes like email, first name etc. getting stored under the user profile node in CRXDE? Can you set the default group to "administrators" in the Adobe Granite SAML 2.0 Authentication Handler config and verify the use case to see if you still get the 404? In case you still see the error, please share the following:

Here is the sample SAML response for reference:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema" Destination="http://vanegi-WX-1:4502/saml_login" ID="id165981227872087111522592179" InResponseTo="_854ba739-f4c4-44c0-bef2-b3cf0bcd1f41" IssueInstant="2019-03-03T03:39:33.109Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/exk1es6n2ol6aKuGu1d8</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#id165981227872087111522592179">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>VjO7jLPwV19OyXBGtw01P29ig0RxRm9xvoUCV0mW9Mk=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>gSJ9UYgtfq6aQ2p7kTMDHC1JZQ1siNjB/kkZzppEvccNOFtcV3L5SlSekUzxTY3wVv6dSWyZB+D22LPlUraMG91eO4Sj0wP1lysGyYKcAMu020F3U3nuD78wpqvPu1Cd3gLpJoe2/cRErxmntvlEwbHaYcLL6JY3TZITzsKRBAecVNafD1ieYzPJ+NMw6qwC5zWL947S7SmBprEIFY0C1cPaLfR8/T7ti2jZvqkbszgfjFsaz5LjAIUbYez7MZn13MMXQ/h1ytjFW4pyvOF4m4hs5eT8L/t0cWoiz2tkwPtjO2OuZ5ZJ09Qs95r64r8DfU1PMgWZpKlKUI09N0gERg==</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIIDpjCCAo6gAwIBAgIGAV2m8CZSMA0GCSqGSIb3DQEBCwUAMIGTMQswCQYDVQQGEwJVUzETMBEG
A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
MBIGA1UECwwLU1NPUHJvdmlkZXIxFDASBgNVBAMMC2Fkb2JlLXN0YWdlMRwwGgYJKoZIhvcNAQkB
Fg1pbmZvQG9rdGEuY29tMB4XDTE3MDgwMzA3MTEyMloXDTI3MDgwMzA3MTIyMlowgZMxCzAJBgNV
BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ0wCwYD
VQQKDARPa3RhMRQwEgYDVQQLDAtTU09Qcm92aWRlcjEUMBIGA1UEAwwLYWRvYmUtc3RhZ2UxHDAa
BgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQCfPXqsGvuZOr2qhAIK0x+tXGtaNOQw8VjqfTol+XDB+xZozvfTeUbMBDWyOKAK19D7XfpDXKH8
Sa/giauCK/98iEqbuRk1QdDyg8em+8j8GwIGwmVk8ephsc0YzbXIEUHe2gi0YpOz+f9cCdIppnP0
MDKv0yvc8NBRFljEfA+Zr7rndrECjInZsy575geZEViMXVaCnBy0slL0KQVbqjfWNd1vSIj4OBAo
xAriYU84sOO4/smayx+PfB1PvLRQJT1eIBzR6wPTICQ7TQCM1XMHon6mn2U5NIyx/Mx+XQY/I4DQ
xz7Z0lt6/DuDLBtsZli9GKW3KOKKep0NPEzSdbhVAgMBAAEwDQYJKoZIhvcNAQELBQADggEBABc4
TyHErFVGOersFLaZiSEkv2eTlKcoycXsMfu4vPBDTG1aGtBrkuKfav+RqM25fnytdqohz0o4ii9R
prNQCRHj1Og2ElqLkb204+ma8cjyAvR09UO0S9mp07qzMjDFF7DNuilfC9o/VoHeRXAZDN6cr6s+
NzeeXKPaD2VIFk0YeO5YUgRbrJHiJ6v2UaizUBvUwPAxMOsxUVNch26AvSCsbSJx3ehlpN/4lP3b
55bt9Lo+Zb6pet9shf24CSg60nTa7sOmYgT4bGsNvXW13po6YbfCcawbzSYXXP427ZP15tehRuR2
sRjnZdCwK13NYhkw5x/iGnt6fQ7STEgqwpY=</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="id16598122787298689136258742" IssueInstant="2019-03-03T03:39:33.109Z" Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/exk1es6n2ol6aKuGu1d8</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#id16598122787298689136258742">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
              <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
            </ds:Transform>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>2dg20BJUERp3olxYBAv7JF2hOMfSN2PDnw70LR7mHFg=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>aOP9NZU8MQIXAh2uInduZmKITqn2Ya3ObQF63qnOhtUP++JK7tDTlDQyuzQKFiKmsr84yQRRZI7E1e6Q3ROENNGJ5daJbkA0QTJTU8SQTWpOZKcI9cFiwutMpCBDEpHdEzN2HBsbi0Q/kK0bKgiJROPOv7DXAVt/abYdJojUOpgInTkuua+ifxk6PcKfxpwbNEQk+NhNpQu5kXIUKdFhpRPVwY/kf8exZ1qUQsKbNvmeyhx+l1UBKJsDnP9iIKqgduLvC2/CuBZI9QkWDizvsUjBhLoxtdlWEwK9iPvfLIo2IkDEm1WCi1+8gBwXTLo71i5iFp/bpQRA8oYkcOoLwA==</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIIDpjCCAo6gAwIBAgIGAV2m8CZSMA0GCSqGSIb3DQEBCwUAMIGTMQswCQYDVQQGEwJVUzETMBEG
A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
MBIGA1UECwwLU1NPUHJvdmlkZXIxFDASBgNVBAMMC2Fkb2JlLXN0YWdlMRwwGgYJKoZIhvcNAQkB
Fg1pbmZvQG9rdGEuY29tMB4XDTE3MDgwMzA3MTEyMloXDTI3MDgwMzA3MTIyMlowgZMxCzAJBgNV
BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ0wCwYD
VQQKDARPa3RhMRQwEgYDVQQLDAtTU09Qcm92aWRlcjEUMBIGA1UEAwwLYWRvYmUtc3RhZ2UxHDAa
BgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQCfPXqsGvuZOr2qhAIK0x+tXGtaNOQw8VjqfTol+XDB+xZozvfTeUbMBDWyOKAK19D7XfpDXKH8
Sa/giauCK/98iEqbuRk1QdDyg8em+8j8GwIGwmVk8ephsc0YzbXIEUHe2gi0YpOz+f9cCdIppnP0
MDKv0yvc8NBRFljEfA+Zr7rndrECjInZsy575geZEViMXVaCnBy0slL0KQVbqjfWNd1vSIj4OBAo
xAriYU84sOO4/smayx+PfB1PvLRQJT1eIBzR6wPTICQ7TQCM1XMHon6mn2U5NIyx/Mx+XQY/I4DQ
xz7Z0lt6/DuDLBtsZli9GKW3KOKKep0NPEzSdbhVAgMBAAEwDQYJKoZIhvcNAQELBQADggEBABc4
TyHErFVGOersFLaZiSEkv2eTlKcoycXsMfu4vPBDTG1aGtBrkuKfav+RqM25fnytdqohz0o4ii9R
prNQCRHj1Og2ElqLkb204+ma8cjyAvR09UO0S9mp07qzMjDFF7DNuilfC9o/VoHeRXAZDN6cr6s+
NzeeXKPaD2VIFk0YeO5YUgRbrJHiJ6v2UaizUBvUwPAxMOsxUVNch26AvSCsbSJx3ehlpN/4lP3b
55bt9Lo+Zb6pet9shf24CSg60nTa7sOmYgT4bGsNvXW13po6YbfCcawbzSYXXP427ZP15tehRuR2
sRjnZdCwK13NYhkw5x/iGnt6fQ7STEgqwpY=</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">vanegi@adobe.com</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="_854ba739-f4c4-44c0-bef2-b3cf0bcd1f41" NotOnOrAfter="2019-03-03T03:44:33.109Z" Recipient="http://vanegi-WX-1:4502/saml_login"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" NotBefore="2019-03-03T03:34:33.109Z" NotOnOrAfter="2019-03-03T03:44:33.109Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>http://vanegi-WX-1:4502/projects.html</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" AuthnInstant="2019-03-03T03:39:33.109Z" SessionIndex="_854ba739-f4c4-44c0-bef2-b3cf0bcd1f41">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml2:Attribute Name="Email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">vanegi@adobe.com</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Vaishali</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Negi</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="UserID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">vanegi</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="Department" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Customer Experience</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>

Thanks!!
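The checks suggested across this thread (a Success status, a NameID and profile attributes present, a response that actually matches the request that triggered it, and a validity window the AEM instance's clock falls inside) can be run offline against a SAML response captured from the browser. The script below is an added example for this thread, not code from Adobe or from any of the posters. The embedded response is constructed to mirror the shape of the sample above, with placeholder hostnames and no signature, so it exercises the "unsigned" finding; real XML signature verification needs a library such as xmlsec and is out of scope here.

```python
"""Offline sanity check of a captured SAML 2.0 Response (added example)."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample: same structure as the thread's response, placeholder
# hostnames and IDs, and deliberately no <ds:Signature>.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="http://aem.example.internal:4503/saml_login" ID="id-resp-1"
    InResponseTo="_req-1" IssueInstant="2019-03-03T03:39:33.109Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://idp.example.internal/issuer</saml2:Issuer>
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-assert-1"
      IssueInstant="2019-03-03T03:39:33.109Z" Version="2.0">
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.internal</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="_req-1" NotOnOrAfter="2019-03-03T03:44:33.109Z"
            Recipient="http://aem.example.internal:4503/saml_login"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2019-03-03T03:34:33.109Z" NotOnOrAfter="2019-03-03T03:44:33.109Z">
      <saml2:AudienceRestriction><saml2:Audience>http://aem.example.internal:4503/</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="Email"><saml2:AttributeValue>jdoe@example.internal</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="FirstName"><saml2:AttributeValue>Jane</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="UserID"><saml2:AttributeValue>jdoe</saml2:AttributeValue></saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""

# A "now" inside the constructed assertion's validity window.
SAMPLE_NOW = datetime(2019, 3, 3, 3, 40, 0, tzinfo=timezone.utc)


def parse_time(value):
    """SAML timestamps are UTC ISO 8601 with a trailing Z; fraction optional."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAML timestamp: {value!r}")


def check_response(xml_text, expected_request_id, expected_audience, now):
    """Return name_id, the attribute map AEM would write to the profile, and a
    list of problems worth ruling out before blaming the default-group step."""
    root = ET.fromstring(xml_text)
    problems = []
    status = root.find("saml2p:Status/saml2p:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    if root.get("InResponseTo") != expected_request_id:
        problems.append("InResponseTo does not match the AuthnRequest ID")
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        problems.append("no plain Assertion (an encrypted one must be decrypted first)")
        return {"name_id": None, "attributes": {}, "signed": False, "problems": problems}
    name_id = assertion.findtext("saml2:Subject/saml2:NameID", default=None, namespaces=NS)
    if not name_id:
        problems.append("missing NameID")
    cond = assertion.find("saml2:Conditions", NS)
    if cond is not None:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < parse_time(not_before):
            problems.append("assertion not yet valid (check clock skew between IdP and AEM)")
        if not_on_or_after and now >= parse_time(not_on_or_after):
            problems.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml2:AudienceRestriction/saml2:Audience", NS)]
        if audiences and expected_audience not in audiences:
            problems.append(f"audience mismatch: {audiences}")
    attributes = {}
    for attr in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        values = [v.text for v in attr.findall("saml2:AttributeValue", NS)]
        attributes[attr.get("Name")] = values[0] if len(values) == 1 else values
    # Presence only; cryptographic verification needs an XML-DSig library.
    signed = root.find("ds:Signature", NS) is not None or assertion.find("ds:Signature", NS) is not None
    if not signed:
        problems.append("neither Response nor Assertion carries a Signature")
    return {"name_id": name_id, "attributes": attributes, "signed": signed, "problems": problems}


if __name__ == "__main__":
    result = check_response(SAMPLE_RESPONSE, "_req-1", "http://aem.example.internal:4503/", SAMPLE_NOW)
    print(result["name_id"], result["attributes"])
    for problem in result["problems"]:
        print("PROBLEM:", problem)
```

To use it on a real capture, paste the base64-decoded SAMLResponse from the browser's POST to /saml_login into `SAMPLE_RESPONSE` (or read it from a file), pass the ID of the AuthnRequest that AEM sent and the audience configured in the handler, and use the actual time of the login as `now`. ElementTree is fine for a response you captured yourself; for responses from an untrusted source, parse with defusedxml instead, since stdlib XML parsers do not defend against entity-expansion payloads.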