We are configuring 2 SAML configs for 2 sites in publisher. One SAML config is for SiteMinder and other SAML config is for Ping Identity.
In each config, I have added content paths for each site, same ranking, updated IDP url's (SM and Ping IDP Url's) with separate Entity ID's, default redirect paths and ACS URL( ex: https://abc.com/saml_login, https://xyz.com/saml_login).
SSO is not working for 1 site (goes infinite loop) if both SAML configs are enabled. I'm seeing below error in SAML trace. However if I disable one SAML config, then no issues with SSO login.
26.03.2021 04:08:37.400 *DEBUG* [qtp1786311869-8128] com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: audienceRestrictions violated.26.03.2021 04:08:37.400 *INFO* [qtp1786311869-8128] com.adobe.granite.auth.saml.SamlAuthenticationHandler Login failed. SAML token invalid.26.03.2021 04:08:37.400 *INFO* [qtp1786311869-8128] com.adobe.granite.auth.saml.SamlAuthenticationHandler SAML error with reason: invalid_token detected, redirect user to: /libs/granite/core/content/login.error.html?j_reason=invalid_token26.03.2021 04:08:37.400 *INFO* [qtp1786311869-8128] com.adobe.granite.auth.saml.SamlAuthenticationHandler SAML error with reason: invalid_token detected, redirect user to: /libs/granite/core/content/login.error.html?j_reason=invalid_token
Any inputs to resolve this issue with multiple SAML configs?
Refer the following link for a similar kind of implementation.
Issue resolved by providing host name (https://abc.com/) in the path field instead of content path.
The issue seems to be with the Path and Assertion consumer URL:
if path: "/content/sitea" then //content/sitea/saml_login should be the ACS endpoint.
If the path: "/content/siteb" then /content/siteb/saml_login should be the ACS endpoint.