AEM Cloud. SAML configuration not working in Preview Tier
Level 2 · July 10, 2025 · Solved · 4 replies · 1001 views

Hi All,

I'm configuring SAML 2.0 for Publish in AEM as a Cloud Service.
However, SAML is not working as expected in the Preview tier.
Where is the problem?

I am referring to the following documentation:
https://experienceleague.adobe.com/en/docs/experience-manager-learn/cloud-service/authentication/saml-2-0

The Publish tier is working as expected.
After authenticating with the IdP, users are redirected to /saml_login on Publish:
publish-xxxx.adobeaemcloud.com/saml_login
During the saml_login process, a "login-token" cookie is issued, and users can then view the website.

On the Preview tier, users are also redirected to the IdP, and after authenticating, they are redirected to /saml_login on Preview:
preview-xxxx.adobeaemcloud.com/saml_login
However, no "login-token" cookie is issued, and the user is redirected back to the IdP URL again.
/saml_login → IdP Login → /saml_login → IdP Login → (infinite loop)

• The "login-token" cookie is not issued on the Preview tier.
• This results in an infinite loop.
Where is the problem?

To identify the cause, I tried changing several settings.
The difference between the Publish and Preview configurations is controlled by environment variables, so I tried intentionally using an incorrect value for the Preview tier's "idpCertAlias".
However, the result remained an infinite loop with no noticeable change.
Normally, if "idpCertAlias" is set to an incorrect value, an invalid_token error should occur.

This suggests that on the Preview tier, the certificate might not be referenced at all, leading to the infinite loop.
I followed the setup guide and steps to use Package Manager to replicate the global trust store to the Publish tier, but am I correct in assuming this applies to the Preview tier as well?

Thanks,
Saito.


4 replies

Level 4
July 11, 2025

Hi @saitoyoshio,

I hope you are using the keystorePassword property. If yes, then specify "useEncryption": false in your configuration. This solved it for me. Also, can you check the SAML logs?

Level 2
July 11, 2025

@swetab

Thanks for the reply.

The useEncryption property in the com.adobe.granite.auth.saml.SamlAuthenticationHandler~...cfg.json file is:
"useEncryption": false,

Level 2
July 11, 2025

Hi All,

In my case, SAML on the Publish tier is working fine.
SAML on the Preview tier is not working.
I think this is because the Trust Store is not applied to the Preview tier.

I have written a new ticket.
Please tell me the correct way to set up the SAML IdP Certificate File on the Publish Tier and Preview Tier.
https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/i-want-to-know-how-to-set-up-the-saml-certificate-file-in-the/m-p/763889#M186202

Thanks,
Saito.

Level 2
July 14, 2025

Report on the current situation

I deployed the .p12 file under /etc/truststore to the Preview Tier using the pipeline, but got a different error.
(The infinite loop does not occur.)

ERROR MESSAGE on Browser
--------------
Unexpected Error: Looks like we are having some issues with our service. We are working hard to bring it online again.
--------------

When I checked the error.log, I found the following output:
--------------
java.lang.SecurityException: javax.jcr.PathNotFoundException: keystorePassword not found on /etc/truststore
--------------

Thank you.
Saito.
Uppari_Ramesh
Level 5
July 11, 2025

@saitoyoshio I had faced a similar issue earlier.

Basically, Adobe created a SamlAuthenticationHandler custom auth handler, and if you see the code inside, you will need a proper SAML response from the issuer. Whatever response we get will be validated against the installed cert. Just check whether your SAML response is proper or not.

1. Try reinstalling the IdP SAML cert in the truststore again, copy the new alias ID and paste it in the OSGi config. Use the cert which is issued to the preview-xxxx.adobeaemcloud.com domain only, not publish.

2. Also check if users are being created in AEM with random UUIDs.

 

Level 2
July 14, 2025

Hi @uppari_ramesh,

Thank you for your reply.

Publish and Preview register different certificate files, and the alias name refers to different files.
The URL of the SAML response is also exclusive to Preview.

> 2. Also check if users are being created in AEM with random UUIDs.

I don't understand what this means.
When creating a user, do I need to create it with a random UUID?

Thanks,
Saito.

Uppari_Ramesh
Level 5
July 14, 2025

Hi @saitoyoshio,

When I had similar issues to yours, users were being created with UUIDs instead of user emails, so I just wanted to check.

Have you tried reinstalling the cert? Also, share the exception you are getting in the error log.

Thanks,
Ramesh.

SaitoYoshio (Author) · Accepted solution
Level 2
July 25, 2025

The issue with this ticket has been resolved.

The root of the problem is that the IdP certificate installed on Author cannot be replicated to the Preview environment.
The guidance for setting up SAML describes the procedure for replicating with Package Manager, but this method only replicates to the Publish environment, so it is not possible to set up the Preview environment.

There seem to be two ways to replicate the /etc/truststore node to the Preview environment.
We were able to resolve the issue using the latter method, which uses the Distribution tool.

Method 1: Replicate to Preview with a custom workflow
• Set the parameter "agentId" to "preview".
• This setting allows you to replicate to the Preview environment.

Method 2: Replicate to Preview using the Distribution tool
• Open Author > Tools > Deployment > Distribution.
• On the Distribution management screen, select Preview.
• Select the Distribute tab, select Action = Add node, Path Browser = /etc/truststore, and Submit.

Thank you for your cooperation.
Saito
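As an added example (not code from this thread, from Adobe, or from the AEM project), the following Python script turns the diagnostic reasoning in this thread into a small triage helper: it classifies a browser-side redirect trace as a successful /saml_login (the login-token cookie was issued) or a loop, and maps the error.log messages quoted above to the causes the thread identified. All sample data is constructed; the IdP host, the protected page path, the timestamp and thread prefix of the log lines, and the exact wording of the invalid_token line are assumptions. The cause-to-advice mapping only restates what the thread itself concluded.

```python
import re

# Constructed browser-side traces: one tuple per HTTP hop,
# (host, path, status, names of cookies set in the response).
# The AEM hosts are the placeholders used in the thread; idp.example.com
# and /content/site/en.html are assumptions.
PREVIEW_TRACE = [
    ("preview-xxxx.adobeaemcloud.com", "/content/site/en.html", 302, []),
    ("idp.example.com", "/sso/login", 200, []),
    ("preview-xxxx.adobeaemcloud.com", "/saml_login", 302, []),
    ("idp.example.com", "/sso/login", 200, []),
    ("preview-xxxx.adobeaemcloud.com", "/saml_login", 302, []),
]
PUBLISH_TRACE = [
    ("publish-xxxx.adobeaemcloud.com", "/content/site/en.html", 302, []),
    ("idp.example.com", "/sso/login", 200, []),
    ("publish-xxxx.adobeaemcloud.com", "/saml_login", 302, ["login-token"]),
    ("publish-xxxx.adobeaemcloud.com", "/content/site/en.html", 200, []),
]

# Constructed error.log excerpt. The exception text is the one quoted in the
# thread; the timestamp/thread prefix and the INFO line are assumptions.
SAMPLE_ERROR_LOG = """\
14.07.2025 10:03:40.101 *INFO* [qtp-1] com.example.site.Startup site bundle started
14.07.2025 10:03:44.987 *ERROR* [qtp-1] com.adobe.granite.auth.saml.SamlAuthenticationHandler java.lang.SecurityException: javax.jcr.PathNotFoundException: keystorePassword not found on /etc/truststore
"""


def saml_login_outcome(trace, loop_threshold=2):
    """Classify a redirect trace.

    'ok'         -> /saml_login issued the login-token cookie
    'loop'       -> /saml_login was reached loop_threshold times without issuing it
    'incomplete' -> the trace ended before either condition was met
    """
    acs_hits = 0
    for _host, path, _status, cookies in trace:
        if path != "/saml_login":
            continue
        if "login-token" in cookies:
            return "ok"
        acs_hits += 1
        if acs_hits >= loop_threshold:
            return "loop"
    return "incomplete"


# error.log patterns and the cause the thread associates with each.
ERROR_PATTERNS = [
    (re.compile(r"PathNotFoundException: keystorePassword not found on /etc/truststore"),
     "TRUSTSTORE_MISSING_KEYSTOREPASSWORD"),
    (re.compile(r"\binvalid_token\b"), "IDP_CERT_ALIAS_MISMATCH"),
]

ADVICE = {
    "TRUSTSTORE_MISSING_KEYSTOREPASSWORD":
        "/etc/truststore exists on this tier but lacks its keystorePassword property "
        "(seen in the thread after deploying the .p12 via the pipeline); replicate "
        "/etc/truststore from Author with the Distribution tool instead.",
    "IDP_CERT_ALIAS_MISMATCH":
        "idpCertAlias does not match the IdP certificate in the truststore; reinstall "
        "the cert and copy the new alias into the OSGi config.",
    "TRUSTSTORE_ABSENT_ON_TIER":
        "no login-token and no SAML error: the certificate is not referenced on this "
        "tier at all; replicate /etc/truststore to the Preview agent.",
}


def classify_error_log(text):
    """Return the distinct cause codes for matching lines, in order of first match."""
    found = []
    for line in text.splitlines():
        for pattern, code in ERROR_PATTERNS:
            if pattern.search(line) and code not in found:
                found.append(code)
    return found


def triage(trace, error_log):
    """Combine the trace outcome and error.log findings into (code, advice) pairs."""
    codes = classify_error_log(error_log)
    # A loop with a silent error.log is the original symptom of the thread.
    if saml_login_outcome(trace) == "loop" and not codes:
        codes.append("TRUSTSTORE_ABSENT_ON_TIER")
    return [(code, ADVICE[code]) for code in codes]


if __name__ == "__main__":
    for code, advice in triage(PREVIEW_TRACE, SAMPLE_ERROR_LOG):
        print(f"{code}: {advice}")
```

Feed `saml_login_outcome` the hops recorded by a browser's network panel or a proxy, and `classify_error_log` the tail of the tier's error.log; the loop threshold of two /saml_login visits without a login-token cookie is what distinguishes the Preview behaviour in this thread from the single, successful visit on Publish.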