Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
Bedrock Mission!

Learn more

View all

Sign in to view all badges

Adobe Summit 2023 [19th to 23rd March, Las Vegas and Virtual] | Complete AEM Session & Lab list
SOLVED

After logging in IDP through SAML auth IDP POST to /saml_login URL returns 403 response

Avatar

Level 2

SAML Authentication configured by following this guide:

https://wttech.blog/blog/2019/how-to-setup-aem-publish-saml-authentication-using-okta

 

and after logging in IDP the POST request to configured URL returns unauthorized 403.

http://aem-publish-host/content/......./login.html

 

Dispatcher has a filter configured to allow POST request on given path 

/0053 { /type "allow" /method "POST" /url "*/login.html" } # allow post for SAML

 

What other options are there to investigate? 

Thanks

 

 

1 Accepted Solution

Avatar

Correct answer by
Level 2

andrija_sm_0-1678292719364.png

Thanks, I've added "Allow Empty" referrer according to the link you kindly provided. This cleared the 403 error.

However now - accessing login.html enters into a loop of constantly redirecting to sso/saml IDP login page.

There is nothing in SAML logs:

08.03.2023 15:40:22.581 *INFO* [CM Event Dispatcher (Fire ConfigurationEvent: pid=com.adobe.granite.auth.saml.SamlAuthenticationHandler.f94668b4-8ce0-483a-98d0-46025b2c2cd6)] com.adobe.granite.auth.saml Service [com.adobe.granite.auth.saml.SamlAuthenticationHandler.f94668b4-8ce0-483a-98d0-46025b2c2cd6,80376, [org.apache.sling.auth.core.spi.AuthenticationHandler]] ServiceEvent REGISTERED

 

4 Replies

Avatar

Level 2

Thanks Arun, for the quick reply. Unfortunately no new information on that resource.

Avatar

Community Advisor

The 403 issues can be triggered when the Referrer Filter rejects the request; you may need to configure the Referrer Filter based on the IDP configurations.

Refer to Exceptions/Issues while configuring SAML Authentication Handler - Adobe Experience Manager(AEM) (alb... for more details.

Regards

Albin

https://www.albinsblog.com

 

Avatar

Correct answer by
Level 2

andrija_sm_0-1678292719364.png

Thanks, I've added "Allow Empty" referrer according to the link you kindly provided. This cleared the 403 error.

However now - accessing login.html enters into a loop of constantly redirecting to sso/saml IDP login page.

There is nothing in SAML logs:

08.03.2023 15:40:22.581 *INFO* [CM Event Dispatcher (Fire ConfigurationEvent: pid=com.adobe.granite.auth.saml.SamlAuthenticationHandler.f94668b4-8ce0-483a-98d0-46025b2c2cd6)] com.adobe.granite.auth.saml Service [com.adobe.granite.auth.saml.SamlAuthenticationHandler.f94668b4-8ce0-483a-98d0-46025b2c2cd6,80376, [org.apache.sling.auth.core.spi.AuthenticationHandler]] ServiceEvent REGISTERED