Our technology stack is : AEM 6.5 SP 17 / AEM Guides 4.3.1.5 / RHEL8/Java 11
We are migrating our SAML implementation from ping federate to Azure.
After integrating AEM with Microsoft Azure, AEM fails to load the corresponding user group for the logged-in user. Even if the group is added to the user via the /useradmin page, the group gets removed from the user during the next login. Here is the log
(when the user signs in the next time, after the group was added to the user)
********
10.07.2024 17:54:58.076 *INFO* [qtp1869806647-110143] org.apache.sling.auth.core.impl.SlingAuthenticator getAnonymousResolver: Anonymous access not allowed by configuration - requesting credentials
10.07.2024 17:55:11.590 *INFO* [qtp1869806647-110495] com.adobe.granite.security.user.internal.audit.AuditGroupAction User 'abc@test.com' was removed from the group 'wild-west-group'
***************
Note that the group 'wild-west-group' exists in AEM, Ping Federate and Azure. The current AEM and Ping integration works fine.
However, while integrating AEM with Azure we are getting the above error. Authentication itself works fine.
Followed the article below for the AEM - Azure integration:
https://learn.microsoft.com/en-us/entra/identity/saas-apps/adobeexperiencemanager-tutorial
Hi @helloosuman
Please check the user's entitlements/groups in Azure.
AEM is trying to sync the Azure and AEM groups, and that's why you are getting the info below in the logs:
10.07.2024 17:55:11.590 *INFO* [qtp1869806647-110495] com.adobe.granite.security.user.internal.audit.AuditGroupAction User 'abc@test.com' was removed from the group 'wild-west-group'
@arunpatidar thank you so much for your prompt response. The SAML response from Azure with group details matches the AEM group already configured (checked using SAML tracer). Please see below:
Also, note that in <url>/system/console/configMgr, the component Adobe Granite SAML 2.0 Authentication Handler has the attribute Group Membership set to the value groups.
Tried the value group too, but no luck.
Hi @helloosuman
I can't see wild-west-group in the groups in the SAML response.
@arunpatidar I made up that group name initially for compliance reasons. The actual group name is gRESTRICTED_APP_PWI_AWS_AEM_Tech and it exists both in Azure and AEM.
ahh ok, then it should not be removing the group.
Can you try to enable the debug log for the SAML handler to check at a more granular level.
@arunpatidar thank you so much for looking into this issue. We have Adobe Platinum support for AEM products and created a ticket for the above issue, but are not getting a resolution. I enabled logging for SAML in debug mode and here are the details:
****
log when the user logs in the first time:
23.07.2024 08:51:45.520 *DEBUG* [HealthCheck SSL Configuration] com.adobe.granite.security.user.ui.internal.servlets.SSLConfigurationServlet The key store for user ssl-service was found and contains an entry under alias ssl-service
23.07.2024 08:51:53.281 *DEBUG* [qtp106902488-14322] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
23.07.2024 08:51:53.432 *DEBUG* [qtp106902488-14313] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
23.07.2024 08:52:21.576 *DEBUG* [qtp106902488-14368] com.adobe.granite.auth.saml.util.SamlReader Signature verification failed for [samlp:Response: null]. No signature.
23.07.2024 08:52:45.597 *DEBUG* [HealthCheck SSL Configuration] com.adobe.granite.security.user.ui.internal.servlets.SSLConfigurationServlet The key store for user ssl-service was found and contains an entry under alias ssl-service
********
when the user logs in again, after being added to the group manually in AEM
23.07.2024 08:55:14.296 *DEBUG* [qtp106902488-14369] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
23.07.2024 08:55:14.424 *DEBUG* [qtp106902488-14379] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
23.07.2024 08:55:34.166 *DEBUG* [qtp106902488-14379] com.adobe.granite.auth.saml.util.SamlReader Signature verification failed for [samlp:Response: null]. No signature.
23.07.2024 08:55:34.168 *INFO* [qtp106902488-14379] com.adobe.granite.security.user.internal.audit.AuditGroupAction User 'Suman.Saha@fmr.com' was removed from the group 'gRESTRICTED_APP_PWI_AWS_AEM_Tech'
23.07.2024 08:55:45.615 *DEBUG* [HealthCheck SSL Configuration] com.adobe.granite.security.user.ui.internal.servlets.SSLConfigurationServlet The key store for user ssl-service was found and contains an entry under alias ssl-service
************
stage log, which works fine for the same user (AEM Ping Federate integration)
Hi @helloosuman
It seems the issue could be with the certificate or trust store.
The SP (in this case, the AEM instance) is unable to sign authentication requests due to the absence of a configured private key.
Please check the following threads as well
https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/saml-authentication-handle...
https://experienceleague.adobe.com/en/docs/experience-cloud-kcs/kbarticles/ka-17476
https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/aem-6-4-saml-integration-w...
Can you make sure the trust store is created with valid certificates https://experienceleague.adobe.com/en/docs/experience-manager-65/content/security/saml-2-0-authentic...
and that the OSGi config for Adobe Granite SAML 2.0 Authentication Handler is configured correctly.
@arunpatidar thank you very much for your response again. I don't think it's an authentication issue. If one compares the stage (which works fine with Ping Federate) and dev logs, the stage log throws the same kind of error too. My gut feeling is:
I'm missing some configuration attribute for Adobe Granite SAML 2.0 Authentication Handler, but I'm not able to figure out which one.
Would you be able to review our Adobe Granite SAML 2.0 Authentication Handler and Apache Sling Referrer Filter configs if shared?
Hi @helloosuman
Sure, you can either share here or DM me.
@arunpatidar please see attached
Hi @helloosuman
Can you check 2 things and compare with stage.
1. Group membership in the SAML config: in your SAML response I can't see the group attribute. Can you compare the config as well as the SAML response.
2. Check the Sling Referrer Filter, in case the POST method is needed; again, compare with stage.
@arunpatidar as advised, I have tried the component Adobe Granite SAML 2.0 Authentication Handler with the attribute Group Membership set to groups and also to group, and the component Apache Sling Referrer Filter with the attribute Filter Methods set to POST, PUT, GET, DELETE. Still facing the same issue. Please find attached a doc with the SAML response.
Hi @helloosuman
Can you check the
here the groups attribute name is http://schemas.microsoft.com/ws/2008/06/identity/claims/groups, so you may need to use the same name in the config, e.g.
groupMembership=http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
or
groupMembership=profile/attributes/http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
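To illustrate why the attribute name matters, here is an added example (not AEM's or Adobe's code, and not from this thread) that simulates an IdP-authoritative group sync over a constructed Azure-style SAML assertion. The claim name and group name are the ones from the thread; the sync logic and helper names are assumptions for illustration only.

```python
"""Simulate group sync driven by a configured SAML attribute name.
Constructed example, not AEM's implementation."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AZURE_GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample assertion: one AttributeStatement as Entra ID would emit it.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="{AZURE_GROUPS_CLAIM}">
      <saml:AttributeValue>gRESTRICTED_APP_PWI_AWS_AEM_Tech</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_values(assertion_xml, name):
    """Return the values of the SAML Attribute whose Name matches exactly.
    A short name like 'groups' does not match the full claim URI, so the
    lookup yields an empty list, exactly as if Azure had sent no groups."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == name:
            return [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
    return []


def sync_groups(assertion_xml, group_membership_attr, current_groups, managed_groups):
    """Mimic an IdP-authoritative sync (assumed behaviour): membership in the
    managed (synced) groups is replaced by what the assertion asserts.
    Returns (added, removed, final_membership), each sorted."""
    asserted = set(attribute_values(assertion_xml, group_membership_attr)) & managed_groups
    current = set(current_groups)
    added = asserted - current
    # Groups held locally but absent from the assertion get revoked on login,
    # which is the 'was removed from the group' audit line seen in the thread.
    removed = (current & managed_groups) - asserted
    return sorted(added), sorted(removed), sorted((current - removed) | added)
```

With the attribute name set to "groups" the manually added group is revoked at the next login; with the full claim URI the same assertion keeps the user in the group.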
@arunpatidar with groupMembership=http://schemas.microsoft.com/ws/2008/06/identity/claims/groups, it works now.
I really appreciate all your effort in resolving this issue.