Facing issue in AEM 6.1 SAML SSO Integration

vikas_bhusri
Level 1

Hi Experts,

I have done local setup of AEM 6.1 and Shibboleth IDP using this link "https://helpx.adobe.com/experience-manager/kb/saml-demo.html"

Environment: AEM 6.1, Shibboleth IDP 2.4.0, Tomcat (app server for the IDP) 6.0.44, OpenDS (LDAP server) 2.2.1

Keys setup:
I have created the private key, keystore and certificate using this link "https://docs.adobe.com/docs/en/cq/5-6-1/deploying/replication/mssl-replication.html".
Using the above link I created keys with the SHA1 algorithm.
My IDP certificate uses the SHA256 algorithm.

AEM SAML configuration:
I have used encryption and uploaded the private keystore at this location
"http://localhost:4502/libs/granite/security/content/userEditor.html/home/users/system/authentication..." and uploaded the IDP certificate at the user location
"http://localhost:4502/libs/granite/security/content/userEditor.html/home/users/d/dCcq-v8EdurUGj9XSwS...".
The aliases of these keys I have used in the SAML configuration.

SAML Tracer log:
I am getting a signed authentication request in SAML Tracer on Mozilla Firefox.

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://www.blogsaml.com:8443/idp/profile/SAML2/POST/SSO"
    ID="_2a7d6038-cbaf-49e3-b489-cb66ff31ae13"
    IssueInstant="2016-08-03T12:56:48Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://www.blogsaml.com</saml:Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="#_2a7d6038-cbaf-49e3-b489-cb66ff31ae13">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
        <DigestValue>upR6pq2j8RZjDfLbg3KMdQPwEWhNwC6NkJUeu1ZPins=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>--Signature Value--</SignatureValue>
  </Signature>
  <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
</samlp:AuthnRequest>

Service Provider (SP) metadata on the Shibboleth IDP:

I have used this link "https://www.samltool.com/sp_metadata.php" to create the SP metadata,
and for the values I have given the following information:
Entity Id -- https://www.blogsaml.com
Attribute Consume Service Endpoint (HTTP-POST) -- https://www.blogsaml.com:8443/idp/profile/SAML2/POST
NameId Format -- urn:oasis:names:tc:SAML:2.0:nameid-format:transient
AuthnRequestsSigned - True
WantAssertionsSigned - True
SP X.509 cert (same cert for sign/encrypt) -- Added my SP Certificate

and the final output of the SAML metadata is:
*****************************************************************
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2016-08-05T12:55:02Z" cacheDuration="PT604800S" entityID="https://www.blogsaml.com">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>--Certificate Value--</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>--Certificate Value--</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.blogsaml.com:8443/idp/profile/SAML2/POST/SSO" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
***********************************************************

Using the above configuration and metadata I am getting this error on my Shibboleth:

 WARN [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:406] - Message did not meet security requirements
org.opensaml.ws.security.SecurityPolicyException: Validation of protocol message signature failed
    at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.doEvaluate(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:138) ~[opensaml-2.6.0.jar:na]
    at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.evaluate(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:107) ~[opensaml-2.6.0.jar:na]
    
I am not able to find the solution to this problem. It could be a metadata issue or anything else, which is why I have added the complete steps that I have followed to create this setup. Please help.

6 Replies
smacdonald2008
Level 10

This doc was for AEM 5.6. I will search to see if we have an updated document. 

smacdonald2008
Level 10

We got a reply:

By following the link at the bottom of https://helpx.adobe.com/experience-manager/kb/saml-demo.html to another page, it explains clearly, with a video!, how to set up SAML with 6.1; that's what I did, and quite a few community members successfully set it up as well.

vikas_bhusri
Level 1

I have followed the documentation at both links:

[0]http://www.aemstuff.com/blogs/july/saml.html

[1]https://docs.adobe.com/ddc/en/gems/saml-and-aem.html

The issue was in metadata and thanks for help. It worked finally.

Now I am facing another issue. I can log in to the Shibboleth IDP, and after successful authentication the request moves to AEM with the URL "http:/IP:4502/saml_login", which gives a "403 Forbidden" and Authentication Failed error.

vikas_bhusri
Level 1

Hi Sham and Smac,

Thanks for your help. SAML is now working on our environment.

Sham_HC
Level 10

Your supplied input to create the metadata is wrong. Example: the consumption URL should be that of the SP, ending with the saml_login path configured. Sounds like you are taking some back route to do IDP chaining rather than configuring what is required.

Also, AFAIK both the Consumption and Logout bindings should be the same. The tool you are using has different bindings, which is not right.

IMO, per the SAML spec the KeyDescriptor use attribute is omitted, and I am not sure why you need to distinguish. AFAIK for integrity use the IDP public key, and for encryption specifying only the key attribute is sufficient. Attaching a copy of my setup.

Reaching out to the Shibboleth IDP forums would have been more appropriate.

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://www.blogsaml.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SPInfo">
        <ds:X509Data>
          <ds:X509Certificate>
            <!-- SP public key -->
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:4502/saml_login" index="1"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:4502/system/sling/logout" signing="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
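Added example (not code from the thread, AEM or Shibboleth): a Python cross-check of SP metadata against the AuthnRequest the SP actually sent, covering the metadata mistakes discussed in the question and in Sham_HC's reply above. It flags an AssertionConsumerService Location that is really the IdP's SSO endpoint (the request's Destination), an ACS path that is not the SP's saml_login, a NameIDFormat the request never asks for, a missing signing certificate for a signed request, and an rsa-sha1 signature. The sample metadata and AuthnRequest are constructed from the shapes posted in the thread with placeholder certificate, digest and signature values; the entityID, hostnames and /saml_login path come from the thread, while the function name, finding codes and the `sp_acs_path` parameter are this example's own.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespaces for SAML 2.0 metadata, protocol messages, assertions and XML-DSig.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"


def check_sp_metadata(metadata_xml, authn_request_xml, sp_acs_path="/saml_login"):
    """Cross-check SP metadata against an AuthnRequest the SP really sent.

    Returns a list of (code, detail) findings; an empty list means all checks
    passed. sp_acs_path is the path the SP serves its assertion consumer on
    (AEM's /saml_login, as in the thread). The stdlib parser is used so the
    example runs offline; parse untrusted XML with defusedxml in production.
    """
    md = ET.fromstring(metadata_xml)
    req = ET.fromstring(authn_request_xml)
    findings = []
    sp = md.find("md:SPSSODescriptor", NS)
    if sp is None:
        return [("NO_SP_DESCRIPTOR", "metadata has no md:SPSSODescriptor")]
    entity_id = md.get("entityID")

    # 1. The IdP looks the SP up by the request's Issuer; if it differs from the
    #    metadata entityID, the IdP has no certificate to verify the signature.
    issuer = (req.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != entity_id:
        findings.append(("ISSUER_MISMATCH", f"Issuer {issuer!r} != entityID {entity_id!r}"))

    # 2. The ACS Location is where the IdP POSTs its Response: it must be an SP
    #    endpoint ending in sp_acs_path, not the IdP's own SSO endpoint (which
    #    is exactly what the AuthnRequest's Destination names).
    destination = req.get("Destination", "")
    for acs in sp.findall("md:AssertionConsumerService", NS):
        loc = acs.get("Location", "")
        if loc == destination:
            findings.append(("ACS_IS_IDP_SSO", f"ACS Location {loc!r} is the IdP SSO endpoint"))
        if not urlparse(loc).path.endswith(sp_acs_path):
            findings.append(("ACS_PATH", f"ACS Location {loc!r} does not end with {sp_acs_path!r}"))
        if acs.get("Binding") != HTTP_POST:
            findings.append(("ACS_BINDING", f"ACS Binding {acs.get('Binding')!r} is not HTTP-POST"))

    # 3. A signed request needs a certificate the IdP may verify it with: a
    #    KeyDescriptor with use="signing" or with no use attribute (no use
    #    attribute means the key serves both signing and encryption).
    signs = sp.get("AuthnRequestsSigned", "false").lower() == "true"
    signed = req.find("ds:Signature", NS) is not None
    cert_path = "ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    certs = [kd for kd in sp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")
             and (kd.findtext(cert_path, default="", namespaces=NS) or "").strip()]
    if (signs or signed) and not certs:
        findings.append(("NO_SIGNING_CERT", "signed requests but no signing certificate in metadata"))

    # 4. The NameIDFormat advertised in metadata should cover what the request
    #    asks for (the question's tool emitted "encrypted", the request "transient").
    policy = req.find("samlp:NameIDPolicy", NS)
    wanted = policy.get("Format") if policy is not None else None
    advertised = [(e.text or "").strip() for e in sp.findall("md:NameIDFormat", NS)]
    if wanted and advertised and wanted not in advertised:
        findings.append(("NAMEID_FORMAT", f"request asks {wanted!r}, metadata advertises {advertised}"))

    # 5. SHA-1 XML signatures are deprecated and increasingly refused by IdPs.
    method = req.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if method is not None and method.get("Algorithm") == RSA_SHA1:
        findings.append(("WEAK_SIG_ALG", "AuthnRequest signed with rsa-sha1; prefer rsa-sha256"))
    return findings


# Constructed sample: the thread's AuthnRequest with placeholder ID, digest and
# signature values (Transforms omitted; they do not affect these checks).
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  Destination="https://www.blogsaml.com:8443/idp/profile/SAML2/POST/SSO" ID="_req1"
  IssueInstant="2016-08-03T12:56:48Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://www.blogsaml.com</saml:Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <Reference URI="#_req1"><DigestValue>PLACEHOLDER</DigestValue></Reference>
  </SignedInfo><SignatureValue>PLACEHOLDER</SignatureValue></Signature>
  <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>"""


def sp_metadata(acs_location, name_id_format, key_use=' use="signing"'):
    """Build constructed SP metadata in the shape of the thread's two examples."""
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="https://www.blogsaml.com">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="{NS['samlp']}">
    <md:KeyDescriptor{key_use}><ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-SP-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>{name_id_format}</md:NameIDFormat>
    <md:AssertionConsumerService Binding="{HTTP_POST}" Location="{acs_location}" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


# As the online tool in the question produced it: ACS is the IdP SSO endpoint
# and the NameIDFormat is "encrypted".
BROKEN_METADATA = sp_metadata("https://www.blogsaml.com:8443/idp/profile/SAML2/POST/SSO",
                              "urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted")
# In the shape of the reply's working setup: ACS is AEM's /saml_login and the
# KeyDescriptor carries no use attribute.
FIXED_METADATA = sp_metadata("http://localhost:4502/saml_login",
                             "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", key_use="")

if __name__ == "__main__":
    for name, meta in (("question", BROKEN_METADATA), ("reply", FIXED_METADATA)):
        print(name, [code for code, _ in check_sp_metadata(meta, AUTHN_REQUEST)])
```

Run against the question's metadata the check reports the ACS and NameIDFormat problems alongside the rsa-sha1 signature; against the reply's shape only the rsa-sha1 finding remains, which is the one item neither post touches but a defender would still want fixed on the SP side.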