SOLVED

Forbidden 403 Error

Level 2

Hello,

I am taking my first steps with AEM (CQ5) and I have a problem with permissions. I authenticate with an external Identity Provider, and this Identity Provider redirects to AEM/CQ5 with all the SAML attributes I need in AEM (NAME and ROLES of the user).

But after the redirect from the Identity Provider to AEM/CQ5 I get an HTTP 403 (Forbidden) and actually I don't know why. In my AEM bundle the user is created with a UserManager object (I haven't written this bundle), and I suspect that if the roles which came with the SAML response from the Identity Provider do not exist in AEM/CQ5, then I get the Forbidden error.

I know that this is a very specific question, so my question would be a general one: how is this generally done in AEM/CQ5 with users and roles? Are users created first and then roles (with specific permissions), and afterwards roles are assigned to users, or what is the general process of user/role handling?

Thanks a lot in advance and all the best.

1 Accepted Solution

Correct answer by
Level 10

Answer to your question:

  • First the user is created or updated
  • Then the user is added to the group
  • Note: permissions are never assigned to the group. You have to set them manually, by creating the group well in advance OR assigning permissions after the group is created.

Coming to the original 403, it looks interesting; the following are situations [1] in which it can happen. If you are not encountering the same, please provide more information [2].

[1]

  • Referrer filter is not configured
  • SP2 not installed
  • There might be a matching user instead of a group for the group value returned from SAML.

[2]

  • SAML response, especially the group attribute values
  • Enable debug for SAML and attach the log files.
  • Snapshot of the Felix console SAML config.

8 Replies

Level 2

Hello,

Did you fix this problem? Any workaround for SAML authentication in AEM 6.0 SP1? I have the same problem as you.

Any suggestions are appreciated.

Level 2

Thanks a lot for the response.

So here are the important log lines below. Actually I really don't know what's going wrong here. It would be great if someone had any idea what I could do to solve this bad issue.

Thanks a lot!!

 

17.11.2014 13:50:45.360 *INFO* [172.20.6.15 [1416228645358] GET /saml_login HTTP/1.1] org.apache.sling.engine.impl.SlingRequestProcessorImpl service: Resource /saml_login not found
17.11.2014 13:50:51.114 *INFO* [172.20.6.15 [1416228651057] POST /saml_login HTTP/1.1] org.apache.jackrabbit.core.persistence.bundle.AbstractBundlePersistenceManager cachename=crx.defaultBundleCache[ConcurrentCache@5a26ce82], elements=2216, usedmemorykb=8190, maxmemorykb=8192, access=214884, miss=20323
17.11.2014 13:50:51.121 *INFO* [172.20.6.15 [1416228651057] POST /saml_login HTTP/1.1] org.apache.jackrabbit.core.persistence.bundle.AbstractBundlePersistenceManager cachename=versionBundleCache[ConcurrentCache@c9a3475], elements=1559, usedmemorykb=1573, maxmemorykb=8192, access=24130, miss=1559
17.11.2014 13:50:51.227 *INFO* [172.20.6.15 [1416228651212] GET /content/geometrixx/en.html HTTP/1.1] com.day.cq.wcm.core.impl.variants.PageVariantsProviderImpl Missing or empty cq:variantDomain property for site variant /content/geometrixx_mobile/jcr:content/cq:siteVariant; will generate relative links
17.11.2014 13:50:51.229 *INFO* [172.20.6.15 [1416228651212] GET /content/geometrixx/en.html HTTP/1.1] com.day.cq.wcm.core.impl.variants.PageVariantsProviderImpl Missing or empty cq:variantDomain property for site variant /content/geometrixx/jcr:content/cq:siteVariant; will generate relative links
17.11.2014 13:50:51.236 *INFO* [172.20.6.15 [1416228651212] GET /content/geometrixx/en.html HTTP/1.1] com.day.cq.wcm.core.impl.devicedetection.DeviceIdentificationModeImpl Found cq:deviceIdentificationMode property with value client-side on node /content/geometrixx for page /content/geometrixx/en
17.11.2014 13:50:51.245 *WARN* [172.20.6.15 [1416228651212] GET /content/geometrixx/en.html HTTP/1.1] com.adobe.granite.security.user.internal.UserPropertiesServiceImpl Requested adapter type not supported: com.adobe.granite.security.user.UserProperties

And in the browser I get the following response:

You don't have permission to access /content/geometrixx/en.html on this server.

Level 10

Max Quehenberger wrote...

GET /saml_login indicates you have lost the cookie somewhere in the tier; you need to identify who is resetting it and fix it. There is one scenario which happens, and I doubt it applies to you based on your earlier description. As informed earlier in my post, enable debug for "com.adobe.granite.auth.saml" and send the enabled output along with the SAML response. OR file an official support request.

Level 2

Hi Sham,

It seems that for AEM 6.0 SP1 the IDP side must provide a group attribute in the SAML response, right? If the IDP doesn't configure the group attribute, it will get the HTTP 403 error in AEM, right? So that's why the groupmembership attribute in the AEM SAML handler is needed? How about using the default group attribute instead of the groupmembership attribute and leaving groupmembership blank?

Best Wishes

Owen Wang

Level 10

Hi Owen Wang,

The group attribute is optional, not mandatory. Generally it is passed. 403 is forbidden; it can happen if permission is restricted or due to a bug in the product. Yes, having the default group attribute with the correct group and without groupmembership will do.

Thanks,

Sham

tweet: adobe_sham

Level 2

Hi Sham,

You said permission is restricted; what permission? Is it AEM permissions? How should we set the permission if users aren't created in AEM automatically after the IDP authenticated successfully? I set the default group attribute with the correct group (contributor/administrators) and left the groupmembership attribute blank, but still got the 403 error.

I can see some best-practice articles posted on the internet for the AEM SAML handler, which means it should work for AEM 6.0 SP1/CQ5.6, right? I checked every configuration they did; the only two differences are the groupmembership attribute and the private key, which I didn't set while the articles set both. (The private key is optional in the AEM SAML handler.)

Best Wishes

Owen Wang

Level 10

Hi Owen Wang,

  • Yes, referring to AEM permissions.
  • To set the permissions automatically after user creation you need to use the groupmembership attribute or defaultgroupmembership. As informed earlier, if you are not sending the groupmembership attribute and the configured defaultgroupmembership is not getting assigned, then it is a bug. AFAIK this should get fixed in the upcoming SP2. File a Daycare ticket for further assistance.

Thanks,

Sham

Twitter: @adobe_sham
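The provisioning order from the accepted answer (user first, then group membership, permissions only through groups that already exist) and Sham's last point about the groupmembership and defaultgroupmembership attributes, modelled as an added example that is not part of the thread and not AEM's own code. The repository, the attribute names as dictionary keys and the sample group/path values are constructed for illustration; the model returns the warnings that explain how a freshly provisioned user ends up with no permissions and therefore a 403.

```python
"""Constructed model of AEM's SAML user provisioning as described in the thread.
Not AEM's code: Repo, provision() and can_read() are illustrative stand-ins."""
from dataclasses import dataclass, field


@dataclass
class Repo:
    users: dict = field(default_factory=dict)   # user id -> set of group ids
    groups: dict = field(default_factory=dict)  # group id -> set of readable paths


def provision(repo, uid, attrs, group_attr="groupmembership", default_groups=()):
    """Apply one SAML assertion for user `uid`. Returns the warnings that
    explain why the user can end up with no permissions (the thread's 403)."""
    warnings = []
    # Step 1: the user is created or updated.
    membership = repo.users.setdefault(uid, set())
    # Step 2: group ids come from the group attribute; if the IDP sends none,
    # the configured default group membership is used instead.
    wanted = attrs.get(group_attr) or list(default_groups)
    if not wanted:
        warnings.append("no group attribute and no default group: no permissions")
    for gid in wanted:
        if gid in repo.groups:
            membership.add(gid)
        elif gid in repo.users:
            # Cause [1] from the answer: the value matches a user, not a group.
            warnings.append(f"{gid!r} names a user, not a group; not added")
        else:
            # Groups (with their permissions) must exist before the first login.
            warnings.append(f"group {gid!r} does not exist; create it in advance")
    return warnings


def can_read(repo, uid, path):
    """Step 3: permissions reach the user only through groups that exist."""
    return any(path in repo.groups[gid] for gid in repo.users.get(uid, ()))


if __name__ == "__main__":
    # Constructed repository: one group with rights on the sample site, and an
    # existing *user* whose id collides with a value the IDP might send.
    repo = Repo(groups={"contributor": {"/content/geometrixx"}},
                users={"editors": set()})
    print(provision(repo, "alice", {"groupmembership": ["contributor", "editors"]}))
    print(can_read(repo, "alice", "/content/geometrixx"))  # True
```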