
SOLVED

SAML authentication invalid SAML TOKEN


Level 3

Hello All,

I am trying to implement SAML integration on my local instance, but it gives an invalid SAML token.


adithyaa6344757_1-1613108688850.png


I am following this documentation: https://helpx.adobe.com/experience-manager/using/aem63_saml.html


I am using AEM version 6.5.6.


Here is my configuration:

adithyaa6344757_2-1613108824107.png

adithyaa6344757_4-1613108883689.png


I had tried to change the Service Provider Entity ID to AEMSAMLServiceaadi, which is the SPEntityId created on the SSO Circle IdP as per the documentation.


adithyaa6344757_5-1613109033704.png

I had also tried to remove POST, as suggested by one person in the community, but it doesn't work.


Here are my logs:


11.02.2021 14:57:34.957 *DEBUG* [qtp499816707-2364] com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: Signature invalid.
11.02.2021 14:57:34.957 *INFO* [qtp499816707-2364] com.adobe.granite.auth.saml.SamlAuthenticationHandler Login failed. SAML token invalid.
11.02.2021 14:57:34.957 *INFO* [qtp499816707-2364] com.adobe.granite.auth.saml.SamlAuthenticationHandler SAML error with reason: invalid_token detected, redirect user to: /libs/granite/core/content/login.error.html?j_reason=invalid_token
11.02.2021 15:41:14.723 *INFO* [CM Event Dispatcher (Fire ConfigurationEvent: pid=com.adobe.granite.auth.saml.SamlAuthenticationHandler.e763ec3a-e683-4c0e-b2d6-63adf9536459)] com.adobe.granite.auth.saml Service [com.adobe.granite.auth.saml.SamlAuthenticationHandler.e763ec3a-e683-4c0e-b2d6-63adf9536459,8730, [org.apache.sling.auth.core.spi.AuthenticationHandler]] ServiceEvent UNREGISTERING
11.02.2021 15:41:14.727 *INFO* [CM Event Dispatcher (Fire ConfigurationEvent: pid=com.adobe.granite.auth.saml.SamlAuthenticationHandler.e763ec3a-e683-4c0e-b2d6-63adf9536459)] com.adobe.granite.auth.saml Service [com.adobe.granite.auth.saml.SamlAuthenticationHandler.e763ec3a-e683-4c0e-b2d6-63adf9536459,8776, [org.apache.sling.auth.core.spi.AuthenticationHandler]] ServiceEvent REGISTERED
11.02.2021 15:41:45.103 *DEBUG* [qtp499816707-2418] com.adobe.granite.auth.saml.util.SamlReader Signature verification failed. No signature.
11.02.2021 15:41:45.108 *ERROR* [qtp499816707-2418] com.adobe.granite.auth.saml.util.SamlReader Unable to validate signature.
javax.xml.crypto.dsig.XMLSignatureException: java.security.SignatureException: Signature length not correct: got 256 but was expecting 512
	at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature$DOMSignatureValue.validate(DOMXMLSignature.java:565) [com.adobe.granite.auth.saml:1.0.24]
	at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.validate(DOMXMLSignature.java:254) [com.adobe.granite.auth.saml:1.0.24]
	at com.adobe.granite.auth.saml.util.SamlReader.verifyElementSignature(SamlReader.java:368) [com.adobe.granite.auth.saml:1.0.24]
	at com.adobe.granite.auth.saml.util.SamlReader.parse(SamlReader.java:241) [com.adobe.granite.auth.saml:1.0.24]
	at com.adobe.granite.auth.saml.util.SamlReader.read(SamlReader.java:122) [com.adobe.granite.auth.saml:1.0.24]
	at com.adobe.granite.auth.saml.binding.PostBinding.receive(PostBinding.java:109) [com.adobe.granite.auth.saml:1.0.24]
	at com.adobe.granite.auth.saml.SamlAuthenticationHandler.handleLogin(SamlAuthenticationHandler.java:805) [com.adobe.granite.auth.saml:1.0.24]
	at com.adobe.granite.auth.saml.SamlAuthenticationHandler.extractCredentials(SamlAuthenticationHandler.java:499) [com.adobe.granite.auth.saml:1.0.24]
	at org.apache.sling.auth.core.impl.AuthenticationHandlerHolder.doExtractCredentials(AuthenticationHandlerHolder.java:76) [org.apache.sling.auth.core:1.4.2]
	at org.apache.sling.auth.core.impl.AbstractAuthenticationHandlerHolder.extractCredentials(AbstractAuthenticationHandlerHolder.java:60) [org.apache.sling.auth.core:1.4.2]
	at org.apache.sling.auth.core.impl.SlingAuthenticator.getAuthenticationInfo(SlingAuthenticator.java:735) [org.apache.sling.auth.core:1.4.2]
	at org.apache.sling.auth.core.impl.SlingAuthenticator.doHandleSecurity(SlingAuthenticator.java:483) [org.apache.sling.auth.core:1.4.2]
	at org.apache.sling.auth.core.impl.SlingAuthenticator.handleSecurity(SlingAuthenticator.java:460) [org.apache.sling.auth.core:1.4.2]
	at org.apache.sling.engine.impl.SlingHttpContext.handleSecurity(SlingHttpContext.java:131) [org.apache.sling.engine:2.6.18]
	at org.apache.felix.http.base.internal.whiteboard.PerBundleServletContextImpl.handleSecurity(PerBundleServletContextImpl.java:82) [org.apache.felix.http.jetty:4.0.8]
	at org.apache.felix.http.base.internal.dispatch.InvocationChain.doFilter(InvocationChain.java:58) [org.apache.felix.http.jetty:4.0.8]
	at org.apache.felix.http.base.internal.dispatch.Dispatcher$1.doFilter(Dispatcher.java:146) [org.apache.felix.http.jetty:4.0.8]
	at org.apache.felix.http.base.internal.whiteboard.WhiteboardManager$2.doFilter(WhiteboardManager.java:1002) [org.apache.felix.http.jetty:4.0.8]
	at org.apache.sling.security.impl.ReferrerFilter.doFilter(ReferrerFilter.java:326) [org.apache.sling.security:1.1.16]
	at org.apache.felix.http.base.internal.handler.PreprocessorHandler.handle(PreprocessorHandler.java:136) [org.apache.felix.http.jetty:4.0.8]
	at org.apache.felix.http.base.internal.whiteboard.WhiteboardManager$2.doFilter(WhiteboardManager.java:1008) [org.apache.felix.http.jetty:4.0.8]
	at org.apache.felix.http.sslfilter.internal.SslFilter.doFilter(SslFilter.java:97) [org.apache.felix.http.sslfilter:1.2.6]
	at org.apache.felix.http.base.internal.handler.PreprocessorHandler.handle(PreprocessorHandler.java:136) [org.apache.felix.http.jetty:4.0.8]
	at org.apache.felix.http.base.internal.whiteboard.WhiteboardManager$2.doFilter(WhiteboardManager.java:1008) [org.apache.felix.http.jetty:4.0.8]
	at org.apache.felix.http.base.internal.whiteboard.WhiteboardManager.invokePreprocessors(WhiteboardManager.java:1012) [org.apache.felix.http.jetty:4.0.8]
	at org.apache.felix.http.base.internal.dispatch.Dispatcher.dispatch(Dispatcher.java:91) [org.apache.felix.http.jetty:4.0.8]
	at org.apache.felix.http.base.internal.dispatch.DispatcherServlet.service(DispatcherServlet.java:49) [org.apache.felix.http.jetty:4.0.8]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:725) [org.apache.felix.http.servlet-api:1.1.2]
	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:873) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:542) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1701) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1345) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:480) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1668) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1247) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:220) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.server.Server.handle(Server.java:502) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:370) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:267) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683) [org.apache.felix.http.jetty:4.0.8]
	at java.lang.Thread.run(Thread.java:748)
Caused by: java.security.SignatureException: Signature length not correct: got 256 but was expecting 512
	at sun.security.rsa.RSASignature.engineVerify(RSASignature.java:211)
	at java.security.Signature$Delegate.engineVerify(Signature.java:1394)
	at java.security.Signature.verify(Signature.java:771)
	at org.apache.jcp.xml.dsig.internal.dom.DOMSignatureMethod.verify(DOMSignatureMethod.java:238) [com.adobe.granite.auth.saml:1.0.24]
	at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature$DOMSignatureValue.validate(DOMXMLSignature.java:562) [com.adobe.granite.auth.saml:1.0.24]
	... 55 common frames omitted
11.02.2021 15:41:45.109 *DEBUG* [qtp499816707-2418] com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: audienceRestrictions violated.
11.02.2021 15:41:45.109 *INFO* [qtp499816707-2418] com.adobe.granite.auth.saml.SamlAuthenticationHandler Login failed. SAML token invalid.
11.02.2021 15:41:45.109 *INFO* [qtp499816707-2418] com.adobe.granite.auth.saml.SamlAuthenticationHandler SAML error with reason: invalid_token detected, redirect user to: /libs/granite/core/content/login.error.html?j_reason=invalid_token


Please let me know if I am missing anything. I have referred to many community links, but it is not resolved.


Thanks,

Adithya.


1 Accepted Solution


Correct answer by
Community Advisor

Hi @adithyaa6344757,

The Service Provider Entity ID should be the one configured in the IdP (SSOCircle).

In your case, it should be AEMSAMLServiceaadi instead of http://localhost:4502/saml_login in Service Provider Entity ID.

Note: the value http://localhost:4502/saml_login is to be used in Assertion Consumer URL (optional in the config).

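The two assertion-level failures in the logs above (audienceRestrictions violated, and Signature length not correct: got 256 but was expecting 512) both point at configuration on the AEM side, and both can be checked offline. The script below is an added example for this thread; it is not part of the original posts and not Adobe's SAML handler. It parses a constructed SAML Response, checks that the Audience in the assertion equals the configured Service Provider Entity ID, and compares the decoded SignatureValue length with the RSA modulus size of the IdP certificate AEM would verify against. A verifier expecting 512 bytes holds a 4096-bit public key, while a 256-byte signature was produced by a 2048-bit key, so that error means the certificate in the AEM truststore is not the key the IdP actually signs with. The idp_key_bits parameter is an assumption standing in for that truststore certificate, and the check is length-only, not a cryptographic verification.

```python
import base64
import xml.etree.ElementTree as ET

# Namespaces used in a SAML 2.0 Response.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: 256 zero bytes stand in for a 2048-bit RSA signature value.
# A real SignatureValue is the RSA output over the assertion digest, not zeros.
FAKE_SIGNATURE_B64 = base64.b64encode(bytes(256)).decode()

# Constructed sample Response, shaped like what an IdP posts to /saml_login.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_resp1" Version="2.0">
  <saml:Issuer>https://idp.example.invalid/idp</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.invalid/idp</saml:Issuer>
    <ds:Signature>
      <ds:SignedInfo/>
      <ds:SignatureValue>{FAKE_SIGNATURE_B64}</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>adithya</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>AEMSAMLServiceaadi</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_assertion(response_xml, sp_entity_id, idp_key_bits):
    """Return a list of problems; an empty list means both checks passed.

    sp_entity_id  : the Service Provider Entity ID configured in AEM.
    idp_key_bits  : RSA modulus size of the IdP certificate in the AEM truststore
                    (assumed parameter; a real tool would read it from the cert).
    """
    problems = []
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element in Response"]

    # Check 1: the assertion must be addressed to *our* SP Entity ID.
    audiences = [
        a.text.strip()
        for a in assertion.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
        if a.text
    ]
    if sp_entity_id not in audiences:
        problems.append(
            f"audienceRestrictions violated: assertion is for {audiences}, "
            f"but SP Entity ID is {sp_entity_id!r}")

    # Check 2: an RSA signature is exactly modulus-length bytes, so a length
    # mismatch means the verifying certificate is not the IdP's signing key.
    sig = assertion.find("ds:Signature/ds:SignatureValue", NS)
    if sig is None or not sig.text:
        problems.append("no signature on Assertion")
    else:
        got = len(base64.b64decode("".join(sig.text.split())))
        expected = idp_key_bits // 8
        if got != expected:
            problems.append(
                f"Signature length not correct: got {got} but was expecting "
                f"{expected} (IdP certificate in truststore does not match)")
    return problems


if __name__ == "__main__":
    # Mirrors the thread: wrong Entity ID first, then the corrected one.
    for entity_id in ("http://localhost:4502/saml_login", "AEMSAMLServiceaadi"):
        for bits in (4096, 2048):
            print(entity_id, bits, check_assertion(SAMPLE_RESPONSE, entity_id, bits))
```

With the Entity ID set to http://localhost:4502/saml_login the audience check fails exactly as the log shows, and the accepted answer's value AEMSAMLServiceaadi passes it; the signature-length check separately flags a truststore certificate whose key size does not match the IdP's signing key, which the Entity ID change alone will not fix.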

4 Replies


Community Advisor

Generally the "Service Provider Entity ID" should be the environment URL (Dev, UAT, etc.); this URL should identify the Service Provider (SAML).

Is this SAML configuration working with Dev or any other environment URLs?


Level 3

Thanks Ankur for the details. I followed the process according to the link that you had provided; it still says the same. I tried to re-configure the key store too.


4.02.2021 22:24:48.375 *DEBUG* [qtp1785193178-1799] com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: Signature invalid.
14.02.2021 22:24:48.375 *INFO* [qtp1785193178-1799] com.adobe.granite.auth.saml.SamlAuthenticationHandler Login failed. SAML token invalid.
14.02.2021 22:24:48.376 *INFO* [qtp1785193178-1799] com.adobe.granite.auth.saml.SamlAuthenticationHandler SAML error with reason: invalid_token detected, redirect user to: /libs/granite/core/content/login.error.html?j_reason=invalid_token

adithyaa6344757_0-1613363491716.png

Thanks,
Adithya.
