Hi All,
We are trying to integrate Ivanti SAML into AEM publisher. We are getting a 403 error in the saml_login path. (AEM 6.5.20, on-premise)
I also added the dispatcher rule as per the below.
I'm still getting the same response.
In the dispatcher, we are getting the logs below. I am assuming the issue is something on the publisher side, based on the red-colored lines below.
The POC from localhost to Okta is successful.
Kindly help me get through this issue. I even tried enabling logs as per the Adobe docs, https://experienceleague.adobe.com/en/docs/experience-manager-65/content/security/saml-2-0-authentic... but I am not getting any clues about the issue from there either.
Thanks in advance!
Hi All,
Thanks for all your responses. We have successfully configured the SAML in a fresh publish instance and it is working fine.
I have followed https://experienceleague.adobe.com/en/docs/experience-cloud-kcs/kbarticles/ka-16873#:~:text=Issue%2F.... and (only if using the dispatcher) changed the format of the rule as below:
/0091 { /type "allow" /method "POST" /url "*/saml_login" }
I also configured the Apache Sling Authentication Service in the config manager and, additionally, the Adobe Granite Cross-Origin Resource Sharing Policy configuration.
Thanks
Hi @SibiMa ,
A 403 Forbidden error during SAML authentication typically indicates that the request is being blocked, either by the dispatcher or the AEM publisher itself. Since you've mentioned that you have configured the dispatcher rules according to Adobe's guidelines and are still encountering the issue, it's essential to troubleshoot both the dispatcher and the AEM publisher configurations.
Here are some steps to diagnose and potentially resolve the issue:
Check Dispatcher Filters:
/filter
{
    ...
    /0004 { /type "allow" /url "/saml_login" }
    ...
}
Review Dispatcher Logs:
Check User Permissions:
Review SAML Configuration:
Enable Detailed Logging:
com.adobe.granite.auth.saml.SamlAuthenticationHandler
org.apache.sling.auth.core.impl.SlingAuthenticator
org.apache.jackrabbit.oak.security.authentication.token.TokenAuthentication
org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModule
Dispatcher Cache:
Network Configuration:
Validate Dispatcher Configuration Syntax:
Test Direct Access:
Temporarily Disable Dispatcher:
Here's an example dispatcher configuration snippet that includes a rule to allow SAML login:
/cache
{
    /statfileslevel "0"
    /allowAuthorized "0"
    /rules
    {
        /0000
        {
            /glob "*"
            /type "allow"
        }
    }
    /invalidate
    {
        /0000
        {
            /glob "*"
        }
    }
    /headers
    {
        "CQ-Action-Scope"
    }
}
# /filter is a farm-level section, a sibling of /cache, not nested inside it.
# Filter rules are evaluated in order and the last matching rule wins, so the
# catch-all deny has to come first and the /saml_login allow after it;
# the other way round the deny-all would also block /saml_login.
/filter
{
    /0000
    {
        /type "deny"
        /glob "*"
    }
    /0001
    {
        /type "allow"
        /url "/saml_login"
    }
}
Ensure you replace this snippet appropriately into your existing configuration, respecting the overall structure.
If after following these steps, you still encounter the issue, consider providing additional logs or configuration snippets for a more detailed analysis.
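As an added illustration of why the order of dispatcher filter rules matters (this is not code from any post in this thread): a small Python model of /filter evaluation that assumes Adobe's documented "last matching rule wins" semantics, with /url matched as a glob against the request path, /glob against the whole request line, and /method compared exactly. The two rule sets are constructed samples: an allow rule followed by a catch-all deny, and a catch-all deny followed by the POST-only allow from the accepted answer.

```python
import fnmatch

# Constructed sample: allow /saml_login, then deny everything (wrong order).
ALLOW_THEN_DENY = [
    {"type": "allow", "url": "/saml_login"},
    {"type": "deny", "glob": "*"},
]

# Constructed sample: deny everything, then allow only POST to */saml_login
# (the order used in the accepted answer).
DENY_THEN_ALLOW_POST = [
    {"type": "deny", "glob": "*"},
    {"type": "allow", "method": "POST", "url": "*/saml_login"},
]


def rule_matches(rule, method, path):
    """Assumed model: every key present in the rule must match the request."""
    if "method" in rule and rule["method"] != method:
        return False
    if "url" in rule and not fnmatch.fnmatchcase(path, rule["url"]):
        return False
    request_line = f"{method} {path} HTTP/1.1"
    if "glob" in rule and not fnmatch.fnmatchcase(request_line, rule["glob"]):
        return False
    return True


def evaluate(rules, method, path):
    """Return 'allow' or 'deny'. Rules are walked in order and the last one
    that matches decides (dispatcher filter semantics). A request matching
    no rule at all is treated as denied here (assumption of this model)."""
    decision = "deny"
    for rule in rules:
        if rule_matches(rule, method, path):
            decision = rule["type"]
    return decision


def explain(rules, method, path):
    """List (rule index, type) for every rule that matched, in order."""
    return [(i, r["type"]) for i, r in enumerate(rules) if rule_matches(r, method, path)]


if __name__ == "__main__":
    for name, rules in (("allow-then-deny", ALLOW_THEN_DENY),
                        ("deny-then-allow-POST", DENY_THEN_ALLOW_POST)):
        for method in ("POST", "GET"):
            print(name, method, "/saml_login ->", evaluate(rules, method, "/saml_login"),
                  explain(rules, method, "/saml_login"))
```

Run it to see that the allow-then-deny order denies the SAML POST (both rules match and the deny is last), while the deny-then-allow order admits POST to /saml_login and still rejects GET and unrelated paths.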
In order to troubleshoot the SAML request, prefer to use the SAML-tracer Chrome plug-in.
I am already using this plugin and the response from SAML seems fine.
Have you also whitelisted the URL that will be making the SAML POST request in the Sling Referrer Filter? From the logs, I see there is no Referer entry for the POST request, which seems a bit strange.
You could cross check if the referer header is being denied somewhere in your configuration.
Hi @h_kataria We have configured the SAML on a fresh server, and it is working fine. The server from which I captured logs and posted has been there for 7+ years, and I think there are some rules that need to be revisited.
BTW, the Sling Referrer Filter was also configured, but still it didn't work.