Adobe Experience Manager Sites & More

Kanwaljit · 10/15/15

I am trying to configure saml authentication handler using - http://docs.adobe.com/docs/en/aem/6-1/administer/security/saml-2-0-authenticationhandler.html

I have added the "idp_cert.binary" from the vendor to the administrator user too among other things

When I access the url protected with this handler, I am redirected to the sso logon page and then after succuessful login there, when the page comes back to aem, it just displays a message in browser - "saml authentication failed". In logs, the *WARN* message is "Private key of SP not provided: Cannot sign Authn request."

Any idea on what is missing

/Regards
Kanwal

Opkar_Gill · 10/15/15

Hi Kanwal,

in a previous version of AEM I know we ended up adding users to groups after they had logged in for the first time, or added them after they had been created. So manual intervention/administration was required, unlike LDAP.

Regards,

Opkar

View solution in original post

vijayanandvinju · 10/15/15

Hi Kanwaljit.. Double check SlingAuthenticator configuration in your publisher instance.

You may want to have the /apps/<projectname>/config.publish/org.apache.sling.engine.impl.auth.SlingAuthenticator.config with below entries:

auth.sudo.cookie="sling.sudo"sling.auth.anonymous.user=""auth.annonymous=B"true"sling.auth.requirements=["+/<path to your secured sections of your site>"] auth.sudo.parameter="sudo"auth.http="preemptive"auth.uri.suffix=["/j_security_check"] auth.http.realm="Sling\ (Development)"sling.auth.anonymous.password=""

Opkar_Gill · 10/15/15

Hi Kanwal,

did you follow the section on managing cryptographic keys[1]. The keys are not stored under a user, but under "/etc/key/saml/"

How have you been uploading your keys?

Regards,

Opkar

[1] http://docs.adobe.com/docs/en/aem/6-1/administer/security/saml-2-0-authenticationhandler.html#Managi...

Kanwaljit · 10/15/15

Hey Opkar,

First I followed the process from - www.aemstuff.com/blogs/july/saml.html

Add IdP public cert to AEM truststore

- Go to: http://localhost:4502/libs/granite/security/content/useradmin.html
- Select any user because TrustStore is global to AEM
- Create trust store by supplying the password & then manage trust store
- Upload the IdP certificate & make note of the certificate Alias
Add SP key and certificate chain to AEM keystore (authentication-service)
- Go to: http://localhost:4502/libs/granite/security/content/useradmin.html
- Select authentication-service
- Create KeyStore by supplying the password

Pls see the attached image that is showing the certificate. If this is not to be followed in AEM 6.1, do let me know

Also, since I am only using un-encrypted communication, Is this WARN message is worth looking at ?

=============

Then I used the curl command in the link you mentioned to upload the IDP certificate.

The thing is that now I am getting a saml packet back from idp(attached) but the error/warning is misleading me.

04.09.2015 16:00:14.701 *WARN* [qtp1338887913-216] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
04.09.2015 16:00:30.000 *INFO* [pool-7-thread-1] com.adobe.granite.taskmanagement.impl.jcr.TaskArchiveService archiving tasks at: 'Fri Sep 04 16:00:30 AEST 2015'
04.09.2015 16:00:31.021 *INFO* [qtp1338887913-228] org.apache.sling.auth.core.impl.SlingAuthenticator getAnonymousResolver: Anonymous access not allowed by configuration - requesting credentials

Why would it treat it as anonymous ?

/Regards
Kanwal

Kanwaljit · 10/15/15

attaching saml reponse

Kanwaljit · 10/15/15

So, I made some progress.... I am getting an exception

com.adobe.granite.auth.saml.SamlAuthenticationHandler User synchronization failed: Could not access repository.
javax.jcr.AccessDeniedException: OakAccess0000: Access denied
Caused by: org.apache.jackrabbit.oak.api.CommitFailedException: OakAccess0000: Access denied

Attachment has stack trace details

Any ideas ?

/Regards
Kanwal

Opkar_Gill · 10/15/15

Hi Kanwal,

I take it you selected the autocreate option for users in the SAML config?

Can you try it again and this time please manually create your user, then try it again.

Have you enabled the debug level logs for bundle "com.adobe.granite.auth.saml"?

Regards,

Opkar

Kanwaljit · 10/15/15

You basically nailed it Thanks...

But I still havent got the entire thing working...

I disabled the AutoCreate option and created the user in AEM and then try to login... All works fine.
I enabled the AutoCreate option. I disabled the "Add to Groups" checkbox - addGroupMembership. Then try to login... All works fine, user even gets created in AEM.
BUT the user always gets added to groups - administrators and everyone
I enabled the AutoCreate and I enabled the "Add to Groups" checkbox". Then try to login... I get the same repository exception again. And user is not created in AEM.

My use case is to be able to add user to custom groups. These groups will not be coming as part of request but will be known to me in advance. I.e static values. So, I don't want to use the "groupMembershipAttribute" but I need to use the "defaultGroups"

Any ideas please ?

One key thing I added ( without which, it NEVER works) - In the 'Path" field/attribute, I added the path "/saml_login" to list of allowed paths. It seems this is the path that request is being redirected to each time.

/Regards
Kanwal

Opkar_Gill · 10/15/15

Hi Kanwal,

in a previous version of AEM I know we ended up adding users to groups after they had logged in for the first time, or added them after they had been created. So manual intervention/administration was required, unlike LDAP.

Regards,

Opkar

karthickky2k4 · 2/4/16

Hi

Have tried the following steps and I am seeing the following error. Can some one help?

Add IdP public cert to AEM truststore
- Go to: http://localhost:4502/libs/granite/security/content/useradmin.html
- Select any user(admin) because TrustStore is global to AEM. Uncheck “Map certificate to user” and click submit
- Create trust store by supplying the password & then manage trust store
- Upload the IdP certificate & make note of the certificate Alias
Add SP key and certificate chain to AEM keystore (authentication-service)
- Go to: http://localhost:4502/libs/granite/security/content/useradmin.html
- Select authentication-service
- Create KeyStore by supplying the password
- If encrypting SAML assertions then go to manage KeyStore for uploading the private & public key
Configure the SAML authentication handler in the web console
- Go to: http://localhost:4502/system/console/configMgr
- Search for Adobe Granite SAML 2.0 Authentication Handler
- Add a new handler configuration and alias here should match with step1.

HTTP ERROR: 500

Problem accessing /saml_login. Reason:

com.adobe.granite.keystore.KeyStoreNotInitialisedException: Uninitialised system trust store.

Powered by Jetty://

Thanks,

Karthik

Kanwaljit · 2/4/16

keep /saml_login in url list. This is a a fixed / hard-coded url that the saml request will come back to

/Kanwal

Tuhin_Ghosh · 3/10/16

Hi Kanwaljit,

We were also facing the same issue. Just do one thing keep everything checked in and in group names section add two groups, the first should be everyone and the second should be the custom group you want to add.

Thanks

Tuhin

Adobe Experience Manager Sites & More

saml authentication handler configuration

HTTP ERROR: 500

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe