
SOLVED

Configuring Multiple SAML configs in Publisher (audienceRestrictions violated error)


Level 2

Hi all,

We are configuring 2 SAML configs for 2 sites in Publisher. One SAML config is for SiteMinder and the other SAML config is for Ping Identity.

In each config, I have added content paths for each site, the same ranking, updated IdP URLs (SM and Ping IdP URLs) with separate Entity IDs, default redirect paths and ACS URLs (e.g. https://abc.com/saml_login, https://xyz.com/saml_login).

SSO is not working for 1 site (it goes into an infinite loop) if both SAML configs are enabled. I'm seeing the error below in the SAML trace. However, if I disable one SAML config, then there are no issues with SSO login.

26.03.2021 04:08:37.400 *DEBUG* [qtp1786311869-8128] com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: audienceRestrictions violated.
26.03.2021 04:08:37.400 *INFO* [qtp1786311869-8128] com.adobe.granite.auth.saml.SamlAuthenticationHandler Login failed. SAML token invalid.
26.03.2021 04:08:37.400 *INFO* [qtp1786311869-8128] com.adobe.granite.auth.saml.SamlAuthenticationHandler SAML error with reason: invalid_token detected, redirect user to: /libs/granite/core/content/login.error.html?j_reason=invalid_token
26.03.2021 04:08:37.400 *INFO* [qtp1786311869-8128] com.adobe.granite.auth.saml.SamlAuthenticationHandler SAML error with reason: invalid_token detected, redirect user to: /libs/granite/core/content/login.error.html?j_reason=invalid_token


Any inputs to resolve this issue with multiple SAML configs?


Thanks.


1 Accepted Solution

Correct answer by Community Advisor

5 Replies

Employee Advisor

The issue seems to be with the Path and Assertion consumer URL:


If the path: "/content/sitea" then /content/sitea/saml_login should be the ACS endpoint.

If the path: "/content/siteb" then /content/siteb/saml_login should be the ACS endpoint.


Level 2

Tried with the paths in the ACS URL, but we are seeing infinite redirects with a 404 error for the /content/siteA path.

We have dispatcher rules for the site: if a request comes in with the /content/siteA path, it should translate this to /content/siteA/homepage.html. Not sure whether any dispatcher rules are causing this infinite loop.

Thanks

Antony


Level 2

Issue resolved by providing host name (https://abc.com/) in the path field instead of content path.

Thanks.
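As an added illustration, not code from this thread or from Adobe's SAML handler: a simplified model of why an assertion can fail the audience check when two SAML configs compete for the same request, and why mounting each config on its site's host (the fix above) lets the ACS POST reach the right config. The matching rule (longest mount point, then ranking, then registration order) and the Entity ID values are assumptions made for the example.

```python
# Added example, not AEM code: models config selection for the ACS request and
# the AudienceRestriction check behind "Invalid Assertion: audienceRestrictions violated".
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SamlConfig:
    name: str
    path: str        # mount point: a content path or "https://host/" (assumed rule)
    ranking: int     # tie-breaker when two mount points match equally
    entity_id: str   # SP Entity ID this config registered at its own IdP


@dataclass
class Assertion:
    audience: str    # <Audience> inside <AudienceRestriction>, set by the issuing IdP


def select_config(configs: List[SamlConfig], host: str, path: str) -> Optional[SamlConfig]:
    """Longest matching mount point wins, then highest ranking, then first registered."""
    full = "https://" + host + path
    matches = [(i, c) for i, c in enumerate(configs)
               if full.startswith(c.path) or path.startswith(c.path)]
    if not matches:
        return None
    return max(matches, key=lambda ic: (len(ic[1].path), ic[1].ranking, -ic[0]))[1]


def validate(config: SamlConfig, assertion: Assertion) -> str:
    """An assertion is only valid for the config whose Entity ID it names as audience."""
    return "ok" if assertion.audience == config.entity_id else "audienceRestrictions violated"


def acs_login(configs: List[SamlConfig], host: str, assertion: Assertion) -> str:
    """Handle the IdP's POST to the ACS endpoint /saml_login on the given host."""
    config = select_config(configs, host, "/saml_login")
    if config is None:
        return "no handler for request"
    return f"{config.name}: {validate(config, assertion)}"


# Constructed sample data: one assertion per IdP, each naming its own SP Entity ID.
SM_ASSERTION = Assertion(audience="sp-siteminder")
PING_ASSERTION = Assertion(audience="sp-ping")

# Before: both configs effectively cover every path with the same ranking, so the first
# registered one handles all ACS POSTs and rejects assertions issued for the other.
SAME_PATH = [SamlConfig("siteminder", "/", 10, "sp-siteminder"),
             SamlConfig("ping", "/", 10, "sp-ping")]

# After: mount points are the site hosts, so each host's ACS POST reaches its own config.
BY_HOST = [SamlConfig("siteminder", "https://abc.com/", 10, "sp-siteminder"),
           SamlConfig("ping", "https://xyz.com/", 10, "sp-ping")]
```

Note that with host-based mount points the audience check still rejects an assertion posted to the wrong host, which is the behaviour you want to keep.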


Administrator
@visa679, thank you for sharing the solution/fix with the community. Great to have phenomenal SMEs like you. Looking forward to more contributions from you in the AEM Community.


Kautuk Sahni