Expand my Community achievements bar.

Dive into Adobe Summit 2024! Explore curated list of AEM sessions & labs, register, connect with experts, ask questions, engage, and share insights. Don't miss the excitement.
SOLVED

After logging in IDP through SAML auth IDP POST to /saml_login URL returns 403 response

Avatar

Level 2

SAML Authentication configured by following this guide:

https://wttech.blog/blog/2019/how-to-setup-aem-publish-saml-authentication-using-okta

 

and after logging in IDP the POST request to configured URL returns unauthorized 403.

http://aem-publish-host/content/......./login.html

 

Dispatcher has a filter configured to allow POST request on given path 

/0053 { /type "allow" /method "POST" /url "*/login.html" } # allow post for SAML

 

What other options are there to investigate? 

Thanks

 

 

1 Accepted Solution

Avatar

Correct answer by
Level 2

andrija_sm_0-1678292719364.png

Thanks, I've added "Allow Empty" referrer according to the link you kindly provided. This cleared the 403 error.

However now - accessing login.html enters into a loop of constantly redirecting to sso/saml IDP login page.

There is nothing in SAML logs:

08.03.2023 15:40:22.581 *INFO* [CM Event Dispatcher (Fire ConfigurationEvent: pid=com.adobe.granite.auth.saml.SamlAuthenticationHandler.f94668b4-8ce0-483a-98d0-46025b2c2cd6)] com.adobe.granite.auth.saml Service [com.adobe.granite.auth.saml.SamlAuthenticationHandler.f94668b4-8ce0-483a-98d0-46025b2c2cd6,80376, [org.apache.sling.auth.core.spi.AuthenticationHandler]] ServiceEvent REGISTERED

 

View solution in original post

4 Replies

Avatar

Level 2

Thanks Arun, for the quick reply. Unfortunately no new information on that resource.

Avatar

Community Advisor

The 403 issues can be triggered when the Referrer Filter rejects the request; you may need to configure the Referrer Filter based on the IDP configurations.

Refer to Exceptions/Issues while configuring SAML Authentication Handler - Adobe Experience Manager(AEM) (alb... for more details.

Regards

Albin

https://www.albinsblog.com

 

Avatar

Correct answer by
Level 2

andrija_sm_0-1678292719364.png

Thanks, I've added "Allow Empty" referrer according to the link you kindly provided. This cleared the 403 error.

However now - accessing login.html enters into a loop of constantly redirecting to sso/saml IDP login page.

There is nothing in SAML logs:

08.03.2023 15:40:22.581 *INFO* [CM Event Dispatcher (Fire ConfigurationEvent: pid=com.adobe.granite.auth.saml.SamlAuthenticationHandler.f94668b4-8ce0-483a-98d0-46025b2c2cd6)] com.adobe.granite.auth.saml Service [com.adobe.granite.auth.saml.SamlAuthenticationHandler.f94668b4-8ce0-483a-98d0-46025b2c2cd6,80376, [org.apache.sling.auth.core.spi.AuthenticationHandler]] ServiceEvent REGISTERED