Configuring Multiple SAML configs in Publisher (audienceRestrictions violated error)

Antony6790

25-03-2021

Hi all,

We are configuring 2 SAML configs for 2 sites in Publisher. One SAML config is for SiteMinder and the other SAML config is for Ping Identity.

In each config, I have added content paths for each site, the same ranking, updated IDP URLs (SM and Ping IDP URLs) with separate Entity IDs, default redirect paths and ACS URLs (e.g. https://abc.com/saml_login, https://xyz.com/saml_login).

SSO is not working for 1 site (it goes into an infinite loop) if both SAML configs are enabled. I'm seeing the below error in the SAML trace. However, if I disable one SAML config, then there are no issues with SSO login.


26.03.2021 04:08:37.400 *DEBUG* [qtp1786311869-8128] com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: audienceRestrictions violated.
26.03.2021 04:08:37.400 *INFO* [qtp1786311869-8128] com.adobe.granite.auth.saml.SamlAuthenticationHandler Login failed. SAML token invalid.
26.03.2021 04:08:37.400 *INFO* [qtp1786311869-8128] com.adobe.granite.auth.saml.SamlAuthenticationHandler SAML error with reason: invalid_token detected, redirect user to: /libs/granite/core/content/login.error.html?j_reason=invalid_token
26.03.2021 04:08:37.400 *INFO* [qtp1786311869-8128] com.adobe.granite.auth.saml.SamlAuthenticationHandler SAML error with reason: invalid_token detected, redirect user to: /libs/granite/core/content/login.error.html?j_reason=invalid_token

Any inputs to resolve this issue with multiple SAML configs?

Thanks.

Accepted Solutions (1)

Answers (2)

visa679

07-04-2021

Issue resolved by providing the host name (https://abc.com/) in the path field instead of the content path.

Thanks.

jbrar
Employee

29-03-2021

The issue seems to be with the Path and Assertion Consumer URL:

If the path is "/content/sitea", then /content/sitea/saml_login should be the ACS endpoint.

If the path is "/content/siteb", then /content/siteb/saml_login should be the ACS endpoint.
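As an added example (not code from this thread and not AEM's own SAML handler), the following Python script models the two things the answers above turn on: which SAML config a request is routed to (by content path, or by host name as in the accepted solution) and the AudienceRestriction check that produces the "audienceRestrictions violated" line in the trace. It goes a little beyond the thread by handling both path styles in one routing function. The SP Entity IDs, the fallback rule when no configured path matches, and the sample assertion are all assumptions of the model, not documented AEM behaviour.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed configs modelled on the thread (one content path per site,
# separate Entity IDs). Names and values are placeholders, not AEM defaults.
CONTENT_PATH_CONFIGS = [
    {"name": "siteminder", "path": "/content/sitea", "entity_id": "https://abc.com/sp"},
    {"name": "ping", "path": "/content/siteb", "entity_id": "https://xyz.com/sp"},
]
# The accepted solution: host name in the path field instead of a content path.
HOST_CONFIGS = [
    {"name": "siteminder", "path": "https://abc.com/", "entity_id": "https://abc.com/sp"},
    {"name": "ping", "path": "https://xyz.com/", "entity_id": "https://xyz.com/sp"},
]


def path_matches(config_path, host, request_path):
    """A config path is either a content path (must be a prefix of the request
    path) or an absolute URL whose host must equal the request's Host header."""
    if config_path.startswith(("http://", "https://")):
        return urlparse(config_path).hostname == host
    base = config_path.rstrip("/")
    return request_path == base or request_path.startswith(base + "/")


def select_handler(host, request_path, handlers):
    """Longest matching config wins; when nothing matches, fall back to the
    first config (an assumption of this model, not documented AEM behaviour)."""
    matching = [h for h in handlers if path_matches(h["path"], host, request_path)]
    if not matching:
        return handlers[0]
    return max(matching, key=lambda h: len(h["path"]))


def extract_audiences(assertion_xml):
    """Collect every <saml:Audience> under the assertion's AudienceRestriction."""
    root = ET.fromstring(assertion_xml)
    return [a.text.strip() for a in root.iter(f"{{{SAML_NS}}}Audience") if a.text]


def audience_ok(assertion_xml, sp_entity_id):
    """SAML Core 2.5.1.4: when an AudienceRestriction is present, the SP's own
    Entity ID must be listed; an assertion issued for another SP is rejected."""
    audiences = extract_audiences(assertion_xml)
    if not audiences:
        return True
    return sp_entity_id in audiences


def make_assertion(audience):
    """Constructed, unsigned sample assertion carrying a single Audience."""
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_c1" Version="2.0" '
        'IssueInstant="2021-03-26T04:08:37Z">'
        "<saml:Issuer>https://idp.example.test</saml:Issuer>"
        "<saml:Conditions><saml:AudienceRestriction>"
        f"<saml:Audience>{audience}</saml:Audience>"
        "</saml:AudienceRestriction></saml:Conditions>"
        "</saml:Assertion>"
    )


def process_acs_post(host, request_path, assertion_xml, handlers):
    """Route the SAMLResponse to a handler by path/host, then run that
    handler's audience check. Returns (outcome, handler name)."""
    handler = select_handler(host, request_path, handlers)
    if not audience_ok(assertion_xml, handler["entity_id"]):
        return ("invalid_token", handler["name"])  # the outcome in the thread's log
    return ("ok", handler["name"])


if __name__ == "__main__":
    ping_token = make_assertion("https://xyz.com/sp")
    # ACS at /saml_login sits under neither content path: Ping's token lands on
    # the SiteMinder config and fails its audience check.
    print(process_acs_post("xyz.com", "/saml_login", ping_token, CONTENT_PATH_CONFIGS))
    # ACS under the site's content path, as jbrar suggests: the right config.
    print(process_acs_post("xyz.com", "/content/siteb/saml_login", ping_token, CONTENT_PATH_CONFIGS))
    # Host-based configs, as in the accepted solution: the Host header decides.
    print(process_acs_post("xyz.com", "/saml_login", ping_token, HOST_CONFIGS))
```

The first scenario is the failure mode in the question: an ACS URL outside every configured content path is routed to a config whose Entity ID is not the audience the IdP wrote into the assertion, so the token is valid but rejected as "invalid_token". The second and third scenarios show the two fixes the answers give, moving the ACS endpoint under the content path or keying the config on the host name, both of which make routing and audience agree.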