Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
SOLVED

SAML AEM infinite loop

Avatar

Employee

Hi,

While configuring SAML on AEM I am getting below error in error.log. SAML logs are proper and do not have any error.
 
08.04.2015 10:48:13.902 *INFO* [qtp1468301140-454] org.apache.sling.auth.core.impl.SlingAuthenticator getAnonymousResolver: Anonymous access not allowed by configuration - requesting credentials
08.04.2015 10:48:13.949 *ERROR* [qtp1468301140-454] org.apache.sling.auth.core.impl.SlingAuthenticator doLogin: Cannot login: Response already committed

Any help.

\Amit

1 Accepted Solution

Avatar

Correct answer by
Level 10

Your config & response looks correct. I would always recommend to configure userid attribute even though it fall back to nameid.

For now seems like service ranking or different redirect url or case sensitive or same where request got flushed and causing the issue.  Can you try below and attach additional details

1)   configure defaultRedirectUrl in samlauthenticationHandler to  /content/gss-portal.html instead of /

2)       Enable debug for "com.adobe.granite.saml" and repeat the test case and attach if issue persist

*)   Latest logs

*)   Snapshot of http://host:port/system/console/slingauth

View solution in original post

9 Replies

Avatar

Employee

Please raise support ticket with proper information if the helpx link from bsloki is not helping.

Avatar

Employee

@bsloki

Thanks for quick revert. I have followed the link mentioned and saml logs are proper.

Avatar

Level 10

Attach saml response, config, and samlhandler debug logs.

Avatar

Level 10

I do not see any attachments.

Avatar

Employee

Hi Sham, 

Please find attached SAMLResponse & config, there are no logs in SAML, but I have error in error.log as shared above.

copying same for reference again

08.04.2015 10:48:13.902 *INFO* [qtp1468301140-454] org.apache.sling.auth.core.impl.SlingAuthenticator getAnonymousResolver: Anonymous access not allowed by configuration - requesting credentials
08.04.2015 10:48:13.949 *ERROR* [qtp1468301140-454] org.apache.sling.auth.core.impl.SlingAuthenticator doLogin: Cannot login: Response already committed

thanks for looking into this. 

Amit

Avatar

Employee
Elaborated error logs: 08.04.2015 16:23:57.373 *INFO* [127.0.0.1 [1428506637373] GET /content/gss-portal/en/na HTTP/1.1] org.apache.sling.engine.impl.SlingRequestProcessorImpl service: Resource /content/gss-portal/en/na not found 08.04.2015 16:24:04.594 *ERROR* [qtp1468301140-517] org.apache.sling.auth.core.impl.SlingAuthenticator doLogin: Cannot login: Response already committed 08.04.2015 16:24:05.531 *INFO* [127.0.0.1 [1428506645531] GET /etc/designs/gss-portal/provisioning-portal.css HTTP/1.1] org.apache.sling.engine.impl.SlingRequestProcessorImpl service: Resource /etc/designs/gss-portal/provisioning-portal.css not found 08.04.2015 16:24:05.812 *INFO* [127.0.0.1 [1428506645812] GET /etc/designs/provisioning-portal/clientlibs/jquery-cookie.js HTTP/1.1] org.apache.sling.engine.impl.SlingRequestProcessorImpl service: Resource /etc/designs/provisioning-portal/clientlibs/jquery-cookie.js not found 08.04.2015 16:24:06.328 *INFO* [127.0.0.1 [1428506646312] GET /content/gss-portal/en/na HTTP/1.1] org.apache.sling.engine.impl.SlingRequestProcessorImpl service: Resource /content/gss-portal/en/na not found 08.04.2015 16:24:06.359 *ERROR* [qtp1468301140-524] org.apache.sling.auth.core.impl.SlingAuthenticator doLogin: Cannot login: Response already committed 08.04.2015 16:24:06.544 *INFO* [127.0.0.1 [1428506646544] GET /etc/designs/provisioning-portal/favicon.ico HTTP/1.1] org.apache.sling.engine.impl.SlingRequestProcessorImpl service: Resource /etc/designs/provisioning-portal/favicon.ico not found 08.04.2015 16:24:06.559 *INFO* [127.0.0.1 [1428506646544] GET /etc/designs/provisioning-portal/resources/javascripts/app.js HTTP/1.1] org.apache.sling.engine.impl.SlingRequestProcessorImpl service: Resource /etc/designs/provisioning-portal/resources/javascripts/app.js not found 08.04.2015 16:24:06.809 *INFO* [127.0.0.1 [1428506646809] GET /etc/designs/provisioning-portal/favicon.ico HTTP/1.1] org.apache.sling.engine.impl.SlingRequestProcessorImpl service: Resource /etc/designs/provisioning-portal/favicon.ico not found 08.04.2015 16:24:06.825 *ERROR* [127.0.0.1 [1428506646825] GET /etc/segmentation.segment.js HTTP/1.1] org.apache.sling.servlets.get.impl.DefaultGetServlet No renderer for extension js, cannot render resource JcrNodeResource, type=rep:ACL, superType=null, path=/etc/segmentation/aam/rep:policy 08.04.2015 16:24:06.825 *ERROR* [127.0.0.1 [1428506646825] GET /etc/segmentation.segment.js HTTP/1.1] org.apache.sling.servlets.get.impl.DefaultGetServlet No renderer for extension js, cannot render resource JcrNodeResource, type=rep:ACL, superType=null, path=/etc/segmentation/rep:policy 08.04.2015 16:24:07.450 *WARN* [127.0.0.1 [1428506647434] GET /etc/clientcontext/default/content/jcr:content/stores.init.js HTTP/1.1] com.adobe.cq.commerce.common.AbstractJcrCommerceSession Unable to extract locale from page /content/gss-portal/en/gss-portal, falling back to default locale en_US. 08.04.2015 16:24:08.169 *ERROR* [qtp1468301140-517] org.apache.sling.auth.core.impl.SlingAuthenticator doLogin: Cannot login: Response already committed 08.04.2015 16:24:09.588 *ERROR* [qtp1468301140-525] org.apache.sling.auth.core.impl.SlingAuthenticator doLogin: Cannot login: Response already committed 08.04.2015 16:24:11.088 *ERROR* [qtp1468301140-524] org.apache.sling.auth.core.impl.SlingAuthenticator doLogin: Cannot login: Response already committed 08.04.2015 16:24:12.573 *ERROR* [qtp1468301140-522] org.apache.sling.auth.core.impl.SlingAuthenticator doLogin: Cannot login: Response already committed 08.04.2015 16:24:14.088 *ERROR* [qtp1468301140-525] org.apache.sling.auth.core.impl.SlingAuthenticator doLogin: Cannot login: Response already committed

Avatar

Correct answer by
Level 10

Your config & response looks correct. I would always recommend to configure userid attribute even though it fall back to nameid.

For now seems like service ranking or different redirect url or case sensitive or same where request got flushed and causing the issue.  Can you try below and attach additional details

1)   configure defaultRedirectUrl in samlauthenticationHandler to  /content/gss-portal.html instead of /

2)       Enable debug for "com.adobe.granite.saml" and repeat the test case and attach if issue persist

*)   Latest logs

*)   Snapshot of http://host:port/system/console/slingauth

Avatar

Employee

Thanks Sham, I was able to fix this issue with modification to redirect URI and nameId attribute as you suggested.