AEM integration with Azure isn't working for group | Community
Level 2
July 22, 2024
Solved

AEM integration with Azure isn't working for group

  • July 22, 2024
  • 3 replies
  • 1769 views

Our technology stack is : AEM 6.5 SP 17 / AEM Guides 4.3.1.5 / RHEL8/Java 11

We are migrating our SAML implementation from ping federate to Azure.

After integrating AEM with Microsoft Azure, AEM fails to load the corresponding user group for the logged-in user. Even if the group is added to the user using the /useradmin page, the group gets removed from the user during the next login. Here is the log

(when user sign-in next time, after group is added to the user)

********

10.07.2024 17:54:58.076 *INFO* [qtp1869806647-110143] org.apache.sling.auth.core.impl.SlingAuthenticator getAnonymousResolver: Anonymous access not allowed by configuration - requesting credentials

10.07.2024 17:55:11.590 *INFO* [qtp1869806647-110495] com.adobe.granite.security.user.internal.audit.AuditGroupAction User 'abc@test.com' was removed from the group 'wild-west-group'

***************

Note that group 'wild-west-group' exists in AEM, Ping Federate & Azure. The current AEM & Ping integration works fine.

However, while integrating AEM with Azure, we get the above error. Also, authentication works fine.

Followed the below article for the AEM - Azure integration:

https://learn.microsoft.com/en-us/entra/identity/saas-apps/adobeexperiencemanager-tutorial 

Best answer by arunpatidar

@arunpatidar as advised, I have tried with component adobe granite SAML 2.0 Authentication Handler attribute Group Membership value as groups or group also and component Apache Sling Referrer Filter attribute Filter Methods as POST, PUT, GET, DELETE. Still facing same issue. Please find attached doc with SAML response.


Hi @helloosuman 
Can you check the 


here the groups attribute name is http://schemas.microsoft.com/ws/2008/06/identity/claims/groups, so you may need to use the same name in the config, e.g.


groupMembership=http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
or

groupMembership=profile/attributes/http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
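To make the mismatch concrete, here is an added example (not code from the thread or from AEM) that parses a constructed Entra ID style SAML response and shows what a group sync sees when the configured attribute name is "groups" versus the full claim URI. The sync logic is a simplified model of the "make AEM membership match the IdP" behaviour described above, and the missing-signature check mirrors the "No signature" debug line later in the thread.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Attribute name Entra ID uses for group claims (quoted in the answer above).
AZURE_GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample response in the shape Entra ID emits; not captured from the thread.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>abc@test.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
        <saml:AttributeValue>wild-west-group</saml:AttributeValue>
        <saml:AttributeValue>other-group</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def attribute_values(response_xml, attr_name):
    """Return the values of every SAML Attribute whose Name exactly equals attr_name."""
    root = ET.fromstring(response_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == attr_name:
            values += [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
    return values


def group_sync_plan(response_xml, group_membership_attr, current_groups):
    """Simplified sync model: AEM membership is made equal to the groups the IdP asserted.

    If group_membership_attr names an attribute that is not in the response, the asserted
    set is empty and every current group ends up in the 'remove' list, which is exactly
    what the AuditGroupAction log line in the question reports."""
    asserted = set(attribute_values(response_xml, group_membership_attr))
    current = set(current_groups)
    return {"add": sorted(asserted - current), "remove": sorted(current - asserted)}


def is_signed(response_xml):
    """True if the response or its assertion carries an XML-DSig Signature element."""
    root = ET.fromstring(response_xml)
    return root.find(".//ds:Signature", NS) is not None
```

Run it with the attribute name set to "groups" and the constructed user currently in wild-west-group: the plan removes the group; with the full claim URI it keeps it and adds other-group.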

3 replies

arunpatidar
Community Advisor
July 22, 2024

Hi @helloosuman 
Please check the user's entitlements/groups in Azure.
AEM is trying to sync the Azure and AEM groups, and that's why you are getting the below info in the logs

10.07.2024 17:55:11.590 *INFO* [qtp1869806647-110495] com.adobe.granite.security.user.internal.audit.AuditGroupAction User 'abc@test.com' was removed from the group 'wild-west-group'

Arun Patidar
Level 2
July 22, 2024

@arunpatidar thank you so much for your prompt response. The SAML response from Azure with group details matches the AEM group already configured (using SAML tracer). Please see below:

Also, note that in <url>/system/console/configMgr I have the component Adobe Granite SAML 2.0 Authentication Handler attribute Group Membership value as groups.
Tried the value as group too, but no luck.


arunpatidar
Community Advisor
July 22, 2024

Hi @helloosuman 
I can't see wild-west-group in the groups in the SAML response.

Arun Patidar
Level 2
July 23, 2024

@arunpatidar thank you so much for looking into this issue. We have Adobe Platinum support for AEM products and created a ticket for the above issue, but are not getting a resolution. Enabled logging for SAML in debug mode, and here are the details:

****

log when the user logs in the first time:

23.07.2024 08:51:45.520 *DEBUG* [HealthCheck SSL Configuration] com.adobe.granite.security.user.ui.internal.servlets.SSLConfigurationServlet The key store for user ssl-service was found and contains an entry under alias ssl-service
23.07.2024 08:51:53.281 *DEBUG* [qtp106902488-14322] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
23.07.2024 08:51:53.432 *DEBUG* [qtp106902488-14313] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
23.07.2024 08:52:21.576 *DEBUG* [qtp106902488-14368] com.adobe.granite.auth.saml.util.SamlReader Signature verification failed for [samlp:Response: null]. No signature.
23.07.2024 08:52:45.597 *DEBUG* [HealthCheck SSL Configuration] com.adobe.granite.security.user.ui.internal.servlets.SSLConfigurationServlet The key store for user ssl-service was found and contains an entry under alias ssl-service

********

when the user re-logs in, after the user was added to the group manually in AEM

23.07.2024 08:55:14.296 *DEBUG* [qtp106902488-14369] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
23.07.2024 08:55:14.424 *DEBUG* [qtp106902488-14379] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
23.07.2024 08:55:34.166 *DEBUG* [qtp106902488-14379] com.adobe.granite.auth.saml.util.SamlReader Signature verification failed for [samlp:Response: null]. No signature.
23.07.2024 08:55:34.168 *INFO* [qtp106902488-14379] com.adobe.granite.security.user.internal.audit.AuditGroupAction User 'Suman.Saha@fmr.com' was removed from the group 'gRESTRICTED_APP_PWI_AWS_AEM_Tech'
23.07.2024 08:55:45.615 *DEBUG* [HealthCheck SSL Configuration] com.adobe.granite.security.user.ui.internal.servlets.SSLConfigurationServlet The key store for user ssl-service was found and contains an entry under alias ssl-service

************

stage log which works fine for the same user (AEM Ping Federate integration)

arunpatidar
Community Advisor
July 23, 2024

Hi @helloosuman 
It seems the issue could be with the certificate or trust store.

The SP (in this case, the AEM instance) is unable to sign authentication requests due to the absence of a configured private key.

Please check the following threads as well
https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/saml-authentication-handler-configuration/m-p/169034

https://experienceleague.adobe.com/en/docs/experience-cloud-kcs/kbarticles/ka-17476 

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/could-not-able-to-login-in-using-saml-authentication-handler-in/td-p/262670 

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/aem-6-4-saml-integration-with-sso/m-p/388634 


Can you make sure the trust store is created with valid certificates https://experienceleague.adobe.com/en/docs/experience-manager-65/content/security/saml-2-0-authenticationhandler

and the OSGi config for Adobe Granite SAML 2.0 Authentication Handler is configured correctly.

Arun Patidar
Level 2
July 24, 2024

@arunpatidar thank you very much for your response again. I don't think it's an authentication issue. If one compares the stage (which works fine with Ping Federate) and dev logs, the stage log too throws the same kind of error. My gut feeling is:

I'm missing some configuration attribute for Adobe Granite SAML 2.0 Authentication Handler, but I am not able to figure out which one.

Would you be able to review our Adobe Granite SAML 2.0 Authentication Handler and Apache Sling Referrer Filter if shared?