Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
Bedrock Mission!

Learn more

View all

Sign in to view all badges

Adobe Summit 2023 [19th to 23rd March, Las Vegas and Virtual] | Complete AEM Session & Lab list

OSGi configuration deployed using package is not taking effect


Level 2

SAML OSGi configuration (com.adobe.granite.auth.saml.SamlAuthenticationHandler.config) that is deployed using package (e.g., is not taking effect. After each deployment, one needs to open the config manager, and just "save" the deployed configuration. Has anyone faced similar issues. Kindly share the resolution.


~~~~~~~~~~~~~~~~~~~~~~~~~   UPDATE ~~~~~~~~~~~~~~~~~~~~~~~~~~


@berliant , @sunjot16 , @Jaideep_Brar , @BrianKasingli , @aemmarc greatly appreciate your leads. I thought, I would update you about what I have tried today. The issue is not resolved but I have some information on what appears to be resolving the issue. When the ui.apps package is deployed, I get these two entries in the error.log:


19.05.2020 16:51:15.225 *INFO* [JcrInstaller.1] Registering resource with OSGi installer: [InstallableResource, priority=200, id=/apps/cms-commons/config/com.client.cms.commons.service.impl.ProductSearchServiceImpl, InstallableResource, priority=200, id=/apps/cms-commons/config/, InstallableResource, priority=200, id=/apps/cms-commons/config/, InstallableResource, priority=200, id=/apps/cms-commons/config/com.client.cms.commons.service.impl.CMSCommonsConfigurationImpl, InstallableResource, priority=200, id=/apps/cms-commons/config/, InstallableResource, priority=200, id=/apps/cms-commons/config/, InstallableResource, priority=200, id=/apps/cms-commons/config/com.client.cms.commons.service.impl.SiteSearchUrlConfigurationImpl, InstallableResource, priority=200, id=/apps/cms-commons/config/com.adobe.granite.auth.saml.SamlAuthenticationHandler.config, InstallableResource, priority=200, id=/apps/cms-commons/config/, InstallableResource, priority=200, id=/apps/cms-commons/config/com.client.cms.commons.service.impl.TagRootPathServiceImpl, InstallableResource, priority=200, id=/apps/cms-commons/config/com.client.cms.commons.service.impl.APIConfigurationImpl]

19.05.2020 16:51:19.278 *INFO* [OsgiInstallerImpl] Installed configuration com.adobe.granite.auth.saml.SamlAuthenticationHandler from resource TaskResource(url=jcrinstall:/apps/cms-commons/config/com.adobe.granite.auth.saml.SamlAuthenticationHandler.config, entity=config:com.adobe.granite.auth.saml.SamlAuthenticationHandler, state=INSTALL, attributes=[,], digest=a83b1f829c4410343b863230ebb7a9ed)


Clearly the JcrInstaller did it's job and installed the com.adobe.granite.auth.saml.SamlAuthenticationHandler

@Jaideep_Brar , I checked the status in http://<host>:<port>/system/console/osgi-installer and it is INSTALLED

I opened up the configuration in the config manager, and just re-saved. No configuration was changed. With that I have this entry in the error.log


19.05.2020 16:52:12.172 *INFO* [JcrInstaller.1] Registering resource with OSGi installer: [InstallableResource, priority=200, id=/apps/cms-commons/config/com.adobe.granite.auth.saml.SamlAuthenticationHandler.config]


The SSO started working after this step of re-saving. So it seems that the JcrInstaller, when invoked the first time (by the package deployment) lacked something that required re-registering the resource with OSGi installer. I parsed the error.log for errors after first registering, I could not find any.

@berliant , I tried with both names: com.adobe.granite.auth.saml.SamlAuthenticationHandler-myname.config and without myname, the behavior listed above remained same. So that can be ruled out.

@sunjot16 , thanks for the lead. It seems the configuration being deployed is correct as the re-saving is all that I am doing to make things work. What are your thoughts?

@aemmarc , I am not able to find the config in the /apps/system/config after re-saving. Since it was not manually created or touched, it probably was not saved into the /apps/system/config

@BrianKasingli , I had previously created it manually but that was long back deleted. So at the time of deployment, the /apps/system/config did not have any  com.adobe.granite.auth.saml.SamlAuthenticationHandler.config. Yeah, I can try with a blank AEM instance.


Topics help categorize Community content and increase your ability to discover relevant content.

14 Replies



How deep is the path to the config?  The JCR Installer ( by default only looks to a max depth of 4. 


Level 2
Hi aemmarc: my apologies, I probably did not understand the question. It seems that the JcrInstaller has been able to deploy the configuration successfully, as I can locate the deployed configuration in the config manager. The challenge is that the deployed SAML configuration does not take effect. Or in other words, after the deployment the navigating to the AEM https://myserver:4502/aem/start.html takes me to the AEM credentials page rather than authenticating me using the SSO. After I "just open the config, and save it", navigating to the link authenticates me on SSO. No login page is then shown. So seems like JcrInstaller did it's job but somehow the changes were not read by the AEM till I manually save the config


When you manually touch a config via ConfigMgr in the OSGI Felix Console it will create the config as a nt:file node under /apps/system/config . It's not touching the pre-existing sling:OsgiConfig node or config file. You can see which configuration is taking precedence here : http://<host>:<port>/system/console/osgi-installer.


Community Advisor


This might be because the OSGI configuration not set in the correct place. Can you please share the location of where these configurations live? Starting with /apps/my-project/config/*?


Level 2
The location does not seems to the issue as I am seeing the configuration is getting deployed to the right instance. Just that the configuration is not taking effect "unless I open the deployed configuration and save it manually". The path of the configuration is: /apps/<myproject>/


Community Advisor
Hmm, have you configured com.adobe.granite.auth.saml.SamlAuthenticationHandler.config.xml manually in the OSGI console? Check /apps/system/config for com.adobe.granite.auth.saml.SamlAuthenticationHandler.config, and delete this one. Try spinning up a new AEM instance with the correct run modes to test the content package.


Employee Advisor

The best way to know the root cause of this issue is to go to OSGI installer after you deploy the configuration and check the state of that config.


There might be conflict with other configurations Or the config file under crx-quickstart/launchpad/config/**** might not be owned by crx user.


[1] http://<host>:<port>/system/console/osgi-installer



It is recommended to create and maintain the configuration file by making actual changes in the web console.


The following doc may be helpful:


Hope it helps !!



Make sure that your SAML configuration name includes a unique suffix:



Community Advisor

Hi @aemcq5,

Can you confirm the node name that you have used for the OSGI config node(sling:OsgiConfig) is in the format - "PID-uniqueidentifier"

  • In this case PID of SAML Authentication handler is com.adobe.granite.auth.saml.SamlAuthenticationHandler and not com.adobe.granite.auth.saml.SamlAuthenticationHandler.config
  • Given that this is a factory config, we need to add an unique identifier (as we can have multiple instance for a factory config)
  • It should then be a node of
    • name -> com.adobe.granite.auth.saml.SamlAuthenticationHandler-xyzidentifier
    • type -> sling:OsgiConfig

Next steps:

  • Given that you have amended the config directly in web console, entry would be available in /apps/system/config. - You can delete the same
    • Format of entry that is created this way will be "PID.autogeneratedcharacters.config" -> it is a node of type nt:file
      • Where autogeneratedcharacters is for identifying it as unique instance of factory config
    • In case of normal OSGI service(not a factory), it will be of the format "PID.config" -> again a node of type nt:file
  • Create the config in above format(highlighted in green) and cross check in web console if an entry with identifier that you have created is available. 
  • Note : Try this in your immediate lower environment, Can take back up of an entry from /apps/system/config from the respective environment before deleting.



You need to make a correct SAML configuration package:

- use sling:OsgiConfig node

- name the node with unique PID /apps/cms-commons/config/com.adobe.granite.auth.saml.SamlAuthenticationHandler-mysaml

- add all required configuration as properties (logoutURL in my sample)





Level 2
Thanks much @berliant: Yes, I am following all 3 points you have mentioned. My client's IDP does not offer logout, so "handleLogout=false" and "logoutUrl" is blank. There are quite a few other attributes, which are filled out correctly. What is baffling is that the "exactly same configuration" when re-saved makes the SSO redirection to "idpUrl" work



I managed to duplicate your issue myself. I found a configuration format that immediately turns IDP redirection:





Keep in mind, that after you deploy a package, you need to logout from AEM 



The ultimate experience is back.

Join us in Vegas to build skills, learn from the world's top brands, and be inspired.

Register Now