Expand my Community achievements bar.

Guidelines for the Responsible Use of Generative AI in the Experience Cloud Community.

OSGi configuration deployed using package is not taking effect

Avatar

Level 2

SAML OSGi configuration (com.adobe.granite.auth.saml.SamlAuthenticationHandler.config) that is deployed using package (e.g. config.author, config.dev) is not taking effect. After each deployment, one needs to open the config manager, and just "save" the deployed configuration. Has anyone faced similar issues. Kindly share the resolution.

 

~~~~~~~~~~~~~~~~~~~~~~~~~   UPDATE ~~~~~~~~~~~~~~~~~~~~~~~~~~

 

@berliant , @sunjot16 , @Jaideep_Brar , @BrianKasingli , @aemmarc greatly appreciate your leads. I thought, I would update you about what I have tried today. The issue is not resolved but I have some information on what appears to be resolving the issue. When the ui.apps package is deployed, I get these two entries in the error.log:

 

19.05.2020 16:51:15.225 *INFO* [JcrInstaller.1] org.apache.sling.installer.provider.jcr.impl.JcrInstaller Registering resource with OSGi installer: [InstallableResource, priority=200, id=/apps/cms-commons/config/com.client.cms.commons.service.impl.ProductSearchServiceImpl, InstallableResource, priority=200, id=/apps/cms-commons/config/org.apache.sling.commons.log.LogManager.factory.config-SAML, InstallableResource, priority=200, id=/apps/cms-commons/config/org.apache.sling.commons.log.LogManager.factory.config-cms-commons, InstallableResource, priority=200, id=/apps/cms-commons/config/com.client.cms.commons.service.impl.CMSCommonsConfigurationImpl, InstallableResource, priority=200, id=/apps/cms-commons/config/org.apache.sling.security.impl.ContentDispositionFilter.config, InstallableResource, priority=200, id=/apps/cms-commons/config/com.day.cq.commons.impl.ExternalizerImpl.config, InstallableResource, priority=200, id=/apps/cms-commons/config/com.client.cms.commons.service.impl.SiteSearchUrlConfigurationImpl, InstallableResource, priority=200, id=/apps/cms-commons/config/com.adobe.granite.auth.saml.SamlAuthenticationHandler.config, InstallableResource, priority=200, id=/apps/cms-commons/config/org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended-cms-commons, InstallableResource, priority=200, id=/apps/cms-commons/config/com.client.cms.commons.service.impl.TagRootPathServiceImpl, InstallableResource, priority=200, id=/apps/cms-commons/config/com.client.cms.commons.service.impl.APIConfigurationImpl]

19.05.2020 16:51:19.278 *INFO* [OsgiInstallerImpl] org.apache.sling.audit.osgi.installer Installed configuration com.adobe.granite.auth.saml.SamlAuthenticationHandler from resource TaskResource(url=jcrinstall:/apps/cms-commons/config/com.adobe.granite.auth.saml.SamlAuthenticationHandler.config, entity=config:com.adobe.granite.auth.saml.SamlAuthenticationHandler, state=INSTALL, attributes=[org.apache.sling.installer.api.tasks.ResourceTransformer=:31:, service.pid=com.adobe.granite.auth.saml.SamlAuthenticationHandler], digest=a83b1f829c4410343b863230ebb7a9ed)

 

Clearly the JcrInstaller did it's job and installed the com.adobe.granite.auth.saml.SamlAuthenticationHandler

@Jaideep_Brar , I checked the status in http://<host>:<port>/system/console/osgi-installer and it is INSTALLED

I opened up the configuration in the config manager, and just re-saved. No configuration was changed. With that I have this entry in the error.log

 

19.05.2020 16:52:12.172 *INFO* [JcrInstaller.1] org.apache.sling.installer.provider.jcr.impl.JcrInstaller Registering resource with OSGi installer: [InstallableResource, priority=200, id=/apps/cms-commons/config/com.adobe.granite.auth.saml.SamlAuthenticationHandler.config]

 

The SSO started working after this step of re-saving. So it seems that the JcrInstaller, when invoked the first time (by the package deployment) lacked something that required re-registering the resource with OSGi installer. I parsed the error.log for errors after first registering, I could not find any.

@berliant , I tried with both names: com.adobe.granite.auth.saml.SamlAuthenticationHandler-myname.config and without myname, the behavior listed above remained same. So that can be ruled out.

@sunjot16 , thanks for the lead. It seems the configuration being deployed is correct as the re-saving is all that I am doing to make things work. What are your thoughts?

@aemmarc , I am not able to find the config in the /apps/system/config after re-saving. Since it was not manually created or touched, it probably was not saved into the /apps/system/config

@BrianKasingli , I had previously created it manually but that was long back deleted. So at the time of deployment, the /apps/system/config did not have any  com.adobe.granite.auth.saml.SamlAuthenticationHandler.config. Yeah, I can try with a blank AEM instance.

Topics

Topics help categorize Community content and increase your ability to discover relevant content.

16 Replies

Avatar

Employee

How deep is the path to the config?  The JCR Installer (org.apache.sling.installer.provider.jcr.impl.JcrInstaller) by default only looks to a max depth of 4. 

Avatar

Level 2
Hi aemmarc: my apologies, I probably did not understand the question. It seems that the JcrInstaller has been able to deploy the configuration successfully, as I can locate the deployed configuration in the config manager. The challenge is that the deployed SAML configuration does not take effect. Or in other words, after the deployment the navigating to the AEM https://myserver:4502/aem/start.html takes me to the AEM credentials page rather than authenticating me using the SSO. After I "just open the config, and save it", navigating to the link authenticates me on SSO. No login page is then shown. So seems like JcrInstaller did it's job but somehow the changes were not read by the AEM till I manually save the config

Avatar

Employee
When you manually touch a config via ConfigMgr in the OSGI Felix Console it will create the config as a nt:file node under /apps/system/config . It's not touching the pre-existing sling:OsgiConfig node or config file. You can see which configuration is taking precedence here : http://<host>:<port>/system/console/osgi-installer.

Avatar

Community Advisor

@aemcq5,

This might be because the OSGI configuration not set in the correct place. Can you please share the location of where these configurations live? Starting with /apps/my-project/config/*?

Avatar

Level 2
The location does not seems to the issue as I am seeing the configuration is getting deployed to the right instance. Just that the configuration is not taking effect "unless I open the deployed configuration and save it manually". The path of the configuration is: /apps/<myproject>/config.prod.author/com.adobe.granite.auth.saml.SamlAuthenticationHandler.config.xml

Avatar

Community Advisor
Hmm, have you configured com.adobe.granite.auth.saml.SamlAuthenticationHandler.config.xml manually in the OSGI console? Check /apps/system/config for com.adobe.granite.auth.saml.SamlAuthenticationHandler.config, and delete this one. Try spinning up a new AEM instance with the correct run modes to test the content package.

Avatar

Employee Advisor

The best way to know the root cause of this issue is to go to OSGI installer after you deploy the configuration and check the state of that config.

 

There might be conflict with other configurations Or the config file under crx-quickstart/launchpad/config/**** might not be owned by crx user.

 

[1] http://<host>:<port>/system/console/osgi-installer

Avatar

Employee

It is recommended to create and maintain the configuration file by making actual changes in the web console.

 

The following doc may be helpful:

https://docs.adobe.com/content/help/en/experience-manager-64/deploying/configuring/configuring-osgi....

 

Hope it helps !!

Avatar

Employee

Make sure that your SAML configuration name includes a unique suffix:

com.adobe.granite.auth.saml.SamlAuthenticationHandler-myname.config

Avatar

Community Advisor

Hi @aemcq5,

Can you confirm the node name that you have used for the OSGI config node(sling:OsgiConfig) is in the format - "PID-uniqueidentifier"

  • In this case PID of SAML Authentication handler is com.adobe.granite.auth.saml.SamlAuthenticationHandler and not com.adobe.granite.auth.saml.SamlAuthenticationHandler.config
  • Given that this is a factory config, we need to add an unique identifier (as we can have multiple instance for a factory config)
  • It should then be a node of
    • name -> com.adobe.granite.auth.saml.SamlAuthenticationHandler-xyzidentifier
    • type -> sling:OsgiConfig

Next steps:

  • Given that you have amended the config directly in web console, entry would be available in /apps/system/config. - You can delete the same
    • Format of entry that is created this way will be "PID.autogeneratedcharacters.config" -> it is a node of type nt:file
      • Where autogeneratedcharacters is for identifying it as unique instance of factory config
    • In case of normal OSGI service(not a factory), it will be of the format "PID.config" -> again a node of type nt:file
  • Create the config in above format(highlighted in green) and cross check in web console if an entry with identifier that you have created is available. 
  • Note : Try this in your immediate lower environment, Can take back up of an entry from /apps/system/config from the respective environment before deleting.

Avatar

Level 2

 

Updated the question with further details

 

Avatar

Employee

You need to make a correct SAML configuration package:

- use sling:OsgiConfig node

- name the node with unique PID /apps/cms-commons/config/com.adobe.granite.auth.saml.SamlAuthenticationHandler-mysaml

- add all required configuration as properties (logoutURL in my sample)

 

berliant_0-1589980983467.png

 

Avatar

Level 2
Thanks much @berliant: Yes, I am following all 3 points you have mentioned. My client's IDP does not offer logout, so "handleLogout=false" and "logoutUrl" is blank. There are quite a few other attributes, which are filled out correctly. What is baffling is that the "exactly same configuration" when re-saved makes the SSO redirection to "idpUrl" work

Avatar

Level 2

Hi @Abhilasha_S, I do not recall that any solution was found for this. I had ended up saving the manual instructions for the admin (on how to configure the SAML/SSO in a news instance). Addition of the SAML configuration, anyway, required manual steps like uploading the IDM cert and referencing that in the SAML OSGi configuration.

Avatar

Employee

I managed to duplicate your issue myself. I found a configuration format that immediately turns IDP redirection:

 

/apps/saml/config/com.adobe.granite.auth.saml.SamlAuthenticationHandler-mysaml.config

berliant_0-1590001097043.png

 

Keep in mind, that after you deploy a package, you need to logout from AEM