Facing issue in AEM 6.1 SAML SSO Integration

Level 1

Hi Experts,

I have done a local setup of AEM 6.1 and Shibboleth IDP using this link: "https://helpx.adobe.com/experience-manager/kb/saml-demo.html"

Environment: AEM 6.1, Shibboleth IDP 2.4.0, Tomcat 6.0.44 (app server for the IDP), OpenDS 2.2.1 (LDAP server)

Key setup:
I created the private key, keystore and certificate using this link: "https://docs.adobe.com/docs/en/cq/5-6-1/deploying/replication/mssl-replication.html"
Using the above link I created the keys with the SHA1 algorithm.
My IDP certificate uses the SHA256 algorithm.

AEM SAML configuration:
I have enabled encryption and uploaded the private keystore at this location
"http://localhost:4502/libs/granite/security/content/userEditor.html/home/users/system/authentication..." and uploaded the IDP certificate at the user location
"http://localhost:4502/libs/granite/security/content/userEditor.html/home/users/d/dCcq-v8EdurUGj9XSwS...".
I have used the aliases of these keys in the SAML configuration.

SAML tracer log:
I can see the signed authentication request in the SAML tracer add-on of Mozilla Firefox.

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://www.blogsaml.com:8443/idp/profile/SAML2/POST/SSO"
    ID="_2a7d6038-cbaf-49e3-b489-cb66ff31ae13" IssueInstant="2016-08-03T12:56:48Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://www.blogsaml.com</saml:Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="#_2a7d6038-cbaf-49e3-b489-cb66ff31ae13">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
        <DigestValue>upR6pq2j8RZjDfLbg3KMdQPwEWhNwC6NkJUeu1ZPins=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>--Signature Value--</SignatureValue>
  </Signature>
  <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
</samlp:AuthnRequest>

Service Provider (SP) metadata on the Shibboleth IDP:

I have used this link "https://www.samltool.com/sp_metadata.php" to create the SP metadata.
For the values I entered the following:
Entity Id -- https://www.blogsaml.com
Attribute Consume Service Endpoint (HTTP-POST) -- https://www.blogsaml.com:8443/idp/profile/SAML2/POST
NameId Format -- urn:oasis:names:tc:SAML:2.0:nameid-format:transient
AuthnRequestsSigned - True
WantAssertionsSigned - True
SP X.509 cert (same cert for sign/encrypt) -- added my SP certificate

The final output of the SAML metadata is:
*****************************************************************
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2016-08-05T12:55:02Z" cacheDuration="PT604800S" entityID="https://www.blogsaml.com">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>--Certificate Value--</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>--Certificate Value--</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.blogsaml.com:8443/idp/profile/SAML2/POST/SSO" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
***********************************************************

Using the above configuration and metadata I get this error on my Shibboleth IDP:

 WARN [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:406] - Message did not meet security requirements
org.opensaml.ws.security.SecurityPolicyException: Validation of protocol message signature failed
    at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.doEvaluate(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:138) ~[opensaml-2.6.0.jar:na]
    at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.evaluate(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:107) ~[opensaml-2.6.0.jar:na]

I am not able to find a solution to this problem. It could be a metadata issue or something else, which is why I have included the complete steps I followed to create this setup. Please help.

6 Replies

Level 10

This doc was for AEM 5.6. I will search to see if we have an updated document. 

Level 10

We got a reply:

By following the link at the bottom of https://helpx.adobe.com/experience-manager/kb/saml-demo.html to another page, it explains clearly, with a video, how to set up SAML with 6.1. That's what I did, and quite a few community members successfully set it up as well.

Level 1

I have followed the documentation at both links:

[0]http://www.aemstuff.com/blogs/july/saml.html

[1]https://docs.adobe.com/ddc/en/gems/saml-and-aem.html

The issue was in the metadata; thanks for the help. It finally worked.

Now I am facing another issue. I can log in to the Shibboleth IDP, and after successful authentication the request is redirected to AEM at the URL "http://IP:4502/saml_login", which gives a "403 Forbidden" and an Authentication Failed error.

Level 1

Hi Sham and Smac,

Thanks for your help. SAML is now working on our environment.

Level 10

The input you supplied to create the metadata is wrong. Example: the consumption URL should be that of the SP, ending with saml_login (the configured path). It sounds like you are taking some back route to do IDP chaining rather than configuring what is required. Also, AFAIK both the consumption and logout bindings should be the same; the tool you are using has different bindings, which is not right. IMO per the SAML spec the KeyDescriptor use attribute is omitted, and I'm not sure why you need to distinguish. AFAIK for integrity use the IDP public key, and for encryption specifying only the key attribute is sufficient. Attaching a copy of my setup. Reaching out to the Shibboleth IDP forums would have been more appropriate.

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://www.blogsaml.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SPInfo">
        <ds:X509Data>
          <ds:X509Certificate>
            <!-- SP public key -->
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:4502/saml_login" index="1"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:4502/system/sling/logout" signing="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
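A consistency check of the kind this thread needed, added here as an example and not code from the thread, Adobe or Shibboleth: it parses the SP metadata together with the AuthnRequest AEM sends and reports the mismatches the replies point out (placeholder certificate in KeyDescriptor, AssertionConsumerService pointing at the IdP instead of the SP's /saml_login, advertised NameIDFormat differing from the requested NameIDPolicy). The sample XML is constructed to mirror the thread; the /saml_login path is the thread's, and the function name and check wording are my own.

```python
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed samples: the AuthnRequest as AEM sent it (Signature omitted) and SP metadata
# reproducing the generator-output defects from the thread (placeholder cert, NameIDFormat
# "encrypted", AssertionConsumerService pointing at the IdP instead of the SP's /saml_login).
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://www.blogsaml.com</saml:Issuer>'
    '<samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>'
    '</samlp:AuthnRequest>')
BAD_METADATA = (
    '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://www.blogsaml.com">'
    '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
    '<ds:X509Certificate>--Certificate Value--</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
    '<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted</md:NameIDFormat>'
    '<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'Location="https://www.blogsaml.com:8443/idp/profile/SAML2/POST/SSO" index="1"/>'
    '</md:SPSSODescriptor></md:EntityDescriptor>')

def check_sp_metadata(metadata_xml, authn_request_xml, acs_path="/saml_login"):
    """List mismatches between SP metadata and the AuthnRequest the SP sends; an empty
    list means these checks passed, not that the IdP will necessarily accept the message."""
    md, req = ET.fromstring(metadata_xml), ET.fromstring(authn_request_xml)
    sp, findings = md.find("md:SPSSODescriptor", NS), []
    # The IdP selects the SP by Issuer, which must equal the registered entityID.
    if req.findtext("saml:Issuer", default="", namespaces=NS).strip() != md.get("entityID"):
        findings.append("Issuer does not match metadata entityID")
    # The request signature is verified with the KeyDescriptor certificate, so a missing or
    # placeholder value guarantees "Validation of protocol message signature failed".
    certs = [(c.text or "").strip() for c in sp.iterfind(".//ds:X509Certificate", NS)]
    if not certs or any(not c or c.startswith("--") for c in certs):
        findings.append("no usable X509Certificate in KeyDescriptor")
    # The ACS must be the SP's own consumer endpoint (AEM: /saml_login), not an IdP URL.
    acs = sp.find("md:AssertionConsumerService", NS)
    if acs is None or not acs.get("Location", "").endswith(acs_path):
        findings.append(f"AssertionConsumerService Location does not end with {acs_path}")
    elif acs.get("Binding") != req.get("ProtocolBinding"):
        findings.append("AssertionConsumerService Binding differs from AuthnRequest ProtocolBinding")
    # The NameID format the SP advertises must cover the one its NameIDPolicy asks for.
    wanted = req.find("samlp:NameIDPolicy", NS)
    offered = [(e.text or "").strip() for e in sp.iterfind("md:NameIDFormat", NS)]
    if wanted is not None and offered and wanted.get("Format") not in offered:
        findings.append("metadata NameIDFormat does not cover the requested NameIDPolicy Format")
    return findings
```

Run it against the metadata you are about to register at the IdP; a non-empty list is something to fix before looking at keystore aliases or signature algorithms.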