AEM SAML integration, added users to CRX repo after authentication

amitmsharma

Employee

15-10-2015

Hi, 

I am working on AEM 5.6 SAML integration and I have configured all the details as per the wiki page.

At present, I am getting redirected to the IDP and after authentication I am getting reverted to the AEM instance /saml_login URL with proper SAML assertions, but the user is not getting created as per the SAML component settings...

How do I ensure that the user gets created as per the SAML response? Also, for redirection I have created a saml_login (sling:Folder) node and SAMLResponse and RelayState are getting modified, but the user is not getting created?

Do I need to update any further settings or create a custom handler to ensure that users are added and the JCR session is created properly?

The link below contains the SAMLResponse, SAML configuration & /saml_login page for reference.

https://www.dropbox.com/sh/wgl04x6jy8wfl8w/AAD4fwlmPVVR3IVMKpFQhljya?dl=0

Any suggestions will be appreciated. Do let me know in case more details are required.


Accepted Solutions (1)

Sham_HC

15-10-2015

You are almost there,

1) Do not create the saml_login node. It is the consumption point.

2) Just make sure the path in the SAML handler (/content/adobedemolab/en) matches the recipient/destination from the IdP with saml_login appended, i.e. at the IdP configure it as /content/adobedemolab/en/saml_login

3) NameID format in the SAML response & the one configured in Felix are not matching.

Believe me, infinite loops & SAML configuration are a notorious problem & you can't get it corrected in a single go, especially with a first-time integration. I would advise getting official help through a support request.

Answers (6)

amitmsharma

Employee

15-10-2015

Hi Sham, 

I was working on SAML integration on AEM 6.1 and found that the settings are a bit different from what I have done in the AEM 5.6 version. I have to add keys for the authentication-services user to the keystore and truststore; I have created one query for the same at this link

http://help-forums.adobe.com/content/adobeforums/en/experience-manager-forum/adobe-experience-manage...

Now that I am done with the changes and the keys are detected properly, I am getting a signature length error in the SAML logs (below).

03.04.2015 08:08:00.299 *DEBUG* [qtp1468301140-410] com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: Signature invalid.
03.04.2015 08:08:00.299 *INFO* [qtp1468301140-410] com.adobe.granite.auth.saml.SamlAuthenticationHandler Login failed. SAML token invalid.
03.04.2015 08:08:01.361 *ERROR* [qtp1468301140-413] com.adobe.granite.auth.saml.util.SamlReader Failed validating signature. javax.xml.crypto.dsig.XMLSignatureException: java.security.SignatureException: Signature length not correct: got 256 but was expecting 128

Is this something from the IDP side or do I have to make some changes in the AEM configuration?

-Amit
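The accepted solution's points 2 and 3 (destination must be the handler path plus /saml_login; NameID format must match the Felix config) and the "Signature length not correct: got 256 but was expecting 128" error above are all mismatches that can be spotted offline before the handler rejects the response. The following is an added example, not code from the thread or from AEM; the handler path, NameID format and truststore key size are hypothetical config values, and the SAMLResponse is a constructed, unsigned sample built only to reproduce the three mismatches.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Hypothetical values standing in for the SAML handler's Felix/OSGi config.
HANDLER_PATH = "/content/adobedemolab/en"
NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
IDP_CERT_KEY_BITS = 1024  # key size of the IdP cert installed in the truststore

def build_response(destination, nameid_format, signature):
    """Constructed SAMLResponse (not really signed), base64-encoded like the POST field."""
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'xmlns:ds="{NS["ds"]}" Destination="{destination}"><saml:Assertion>'
           f'<saml:Subject><saml:NameID Format="{nameid_format}">amit</saml:NameID>'
           f'</saml:Subject><ds:Signature><ds:SignatureValue>'
           f'{base64.b64encode(signature).decode()}</ds:SignatureValue></ds:Signature>'
           f'</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

def check_saml_response(b64_response, handler_path=HANDLER_PATH,
                        nameid_format=NAMEID_FORMAT, cert_bits=IDP_CERT_KEY_BITS):
    """Return the mismatches that would make the SAML handler reject this response."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    # Point 2: IdP destination must be the handler path with /saml_login appended.
    expected_acs = handler_path.rstrip("/") + "/saml_login"
    dest = root.get("Destination", "")
    if not dest.endswith(expected_acs):
        problems.append(f"Destination {dest} does not end with {expected_acs}")
    # Point 3: NameID format in the assertion must match the configured one.
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    fmt = name_id.get("Format") if name_id is not None else None
    if fmt != nameid_format:
        problems.append(f"NameID format {fmt} != configured {nameid_format}")
    # An RSA signature is key_bits/8 bytes: 256 bytes vs a 1024-bit truststore cert = wrong key.
    sig = root.find("saml:Assertion/ds:Signature/ds:SignatureValue", NS)
    if sig is None or not sig.text:
        problems.append("Assertion is not signed")
    else:
        got = len(base64.b64decode(sig.text.strip()))
        if got != cert_bits // 8:
            problems.append(f"Signature length not correct: got {got} but was expecting {cert_bits // 8}")
    return problems

# Constructed response reproducing all three mismatches from the thread.
BAD_RESPONSE = build_response(
    "https://internal.adobedemo.com/content/adobedemolab/saml_login",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", bytes(256))
```

Running `check_saml_response(BAD_RESPONSE)` lists the wrong destination, the NameID format mismatch and the 256-vs-128 signature length; a 256-byte signature against a 1024-bit cert means the IdP signs with a different key than the one AEM trusts, so the fix is to install the IdP's current signing cert rather than to touch the handler.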

amitmsharma

Employee

15-10-2015

Thanks Sham, the URL on the IDP side contained the extension; on removing that I was successfully able to consume the response and authenticate the URL.

A couple more queries related to issues I am facing now:

1) Is it possible to add other properties from the SAMLResponse apart from uid to the CRX users repo in AEM 5.6? I know this is possible with an AEM 6 instance, but is there any configuration for the same in an AEM 5.6 instance? If yes, please share.

2) In case the AEM instance URL contains GET params after "?", the redirect URL set in saml_request_path does not take "?" into consideration and after the redirect results in a 404 page error. Example below; see the attached image. Is this something that can be fixed from the AEM configuration or does this issue need to be fixed on the IDP side?

For the case below

https://internal.adobedemo.com/content/adobedemolab/en/demos.html?tags=properties/vision

the redirect cookie is set to:

https://internal.adobedemo.com/content/adobedemolab/en/demos.htmltags=properties/vision

amitmsharma

Employee

15-10-2015

Sham HC wrote...

You are almost there,

1) Do not create the saml_login node. It is the consumption point.

2) Just make sure the path in the SAML handler (/content/adobedemolab/en) matches the recipient/destination from the IdP with saml_login appended, i.e. at the IdP configure it as /content/adobedemolab/en/saml_login

3) NameID format in the SAML response & the one configured in Felix are not matching.

Believe me, infinite loops & SAML configuration are a notorious problem & you can't get it corrected in a single go, especially with a first-time integration. I would advise getting official help through a support request.

Hi Sham, 

Thanks for the revert. Can you explain what you mean by point 3, and where I can configure this?

And I updated #2 to ensure that the received /content/adobedemolab/ and /content/adobedemolab/saml_login (recipient/destination) match, but then I get the error below ...

In case you have any idea about that ...

Error while processing /content/adobedemolab/saml_login.html

Status: 500
Message: javax.jcr.RepositoryException: org.apache.sling.api.resource.PersistenceException: Resource at '/content/adobedemolab/saml_login.html' is not modifiable.
Location: /content/adobedemolab/saml_login.html
Parent Location: /content/adobedemolab
Path: /content/adobedemolab/saml_login.html
Referer: https://adobe.okta.com/app/template_saml_2_0/k10lz748sOYBOOBRYOKO/sso/saml
ChangeLog: (empty)
