Hello All,
I am trying to implement SAML integration on my local instance, but it gives an invalid SAML token.
I am following this documentation: https://helpx.adobe.com/experience-manager/using/aem63_saml.html
I am using AEM 6.5.6 version
Here is my configuration:
I tried changing the Service Provider Entity ID to AEMSAMLServiceaadi, which is the SPEntityId created on the SSO Circle IdP as per the documentation.
I also tried removing POST, as suggested by one of the people in the community, but it doesn't work.
Here are my logs:
11.02.2021 14:57:34.957 *DEBUG* [qtp499816707-2364] com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: Signature invalid.
11.02.2021 14:57:34.957 *INFO* [qtp499816707-2364] com.adobe.granite.auth.saml.SamlAuthenticationHandler Login failed. SAML token invalid.
11.02.2021 14:57:34.957 *INFO* [qtp499816707-2364] com.adobe.granite.auth.saml.SamlAuthenticationHandler SAML error with reason: invalid_token detected, redirect user to: /libs/granite/core/content/login.error.html?j_reason=invalid_token
11.02.2021 15:41:14.723 *INFO* [CM Event Dispatcher (Fire ConfigurationEvent: pid=com.adobe.granite.auth.saml.SamlAuthenticationHandler.e763ec3a-e683-4c0e-b2d6-63adf9536459)] com.adobe.granite.auth.saml Service [com.adobe.granite.auth.saml.SamlAuthenticationHandler.e763ec3a-e683-4c0e-b2d6-63adf9536459,8730, [org.apache.sling.auth.core.spi.AuthenticationHandler]] ServiceEvent UNREGISTERING
11.02.2021 15:41:14.727 *INFO* [CM Event Dispatcher (Fire ConfigurationEvent: pid=com.adobe.granite.auth.saml.SamlAuthenticationHandler.e763ec3a-e683-4c0e-b2d6-63adf9536459)] com.adobe.granite.auth.saml Service [com.adobe.granite.auth.saml.SamlAuthenticationHandler.e763ec3a-e683-4c0e-b2d6-63adf9536459,8776, [org.apache.sling.auth.core.spi.AuthenticationHandler]] ServiceEvent REGISTERED
11.02.2021 15:41:45.103 *DEBUG* [qtp499816707-2418] com.adobe.granite.auth.saml.util.SamlReader Signature verification failed. No signature.
11.02.2021 15:41:45.108 *ERROR* [qtp499816707-2418] com.adobe.granite.auth.saml.util.SamlReader Unable to validate signature.
javax.xml.crypto.dsig.XMLSignatureException: java.security.SignatureException: Signature length not correct: got 256 but was expecting 512 at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature$DOMSignatureValue.validate(DOMXMLSignature.java:565) [com.adobe.granite.auth.saml:1.0.24] at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.validate(DOMXMLSignature.java:254) [com.adobe.granite.auth.saml:1.0.24] at com.adobe.granite.auth.saml.util.SamlReader.verifyElementSignature(SamlReader.java:368) [com.adobe.granite.auth.saml:1.0.24] at com.adobe.granite.auth.saml.util.SamlReader.parse(SamlReader.java:241) [com.adobe.granite.auth.saml:1.0.24] at com.adobe.granite.auth.saml.util.SamlReader.read(SamlReader.java:122) [com.adobe.granite.auth.saml:1.0.24] at com.adobe.granite.auth.saml.binding.PostBinding.receive(PostBinding.java:109) [com.adobe.granite.auth.saml:1.0.24] at com.adobe.granite.auth.saml.SamlAuthenticationHandler.handleLogin(SamlAuthenticationHandler.java:805) [com.adobe.granite.auth.saml:1.0.24] at com.adobe.granite.auth.saml.SamlAuthenticationHandler.extractCredentials(SamlAuthenticationHandler.java:499) [com.adobe.granite.auth.saml:1.0.24] at org.apache.sling.auth.core.impl.AuthenticationHandlerHolder.doExtractCredentials(AuthenticationHandlerHolder.java:76) [org.apache.sling.auth.core:1.4.2] at org.apache.sling.auth.core.impl.AbstractAuthenticationHandlerHolder.extractCredentials(AbstractAuthenticationHandlerHolder.java:60) [org.apache.sling.auth.core:1.4.2] at org.apache.sling.auth.core.impl.SlingAuthenticator.getAuthenticationInfo(SlingAuthenticator.java:735) [org.apache.sling.auth.core:1.4.2] at org.apache.sling.auth.core.impl.SlingAuthenticator.doHandleSecurity(SlingAuthenticator.java:483) [org.apache.sling.auth.core:1.4.2] at org.apache.sling.auth.core.impl.SlingAuthenticator.handleSecurity(SlingAuthenticator.java:460) [org.apache.sling.auth.core:1.4.2] at org.apache.sling.engine.impl.SlingHttpContext.handleSecurity(SlingHttpContext.java:131) 
[org.apache.sling.engine:2.6.18] at org.apache.felix.http.base.internal.whiteboard.PerBundleServletContextImpl.handleSecurity(PerBundleServletContextImpl.java:82) [org.apache.felix.http.jetty:4.0.8] at org.apache.felix.http.base.internal.dispatch.InvocationChain.doFilter(InvocationChain.java:58) [org.apache.felix.http.jetty:4.0.8] at org.apache.felix.http.base.internal.dispatch.Dispatcher$1.doFilter(Dispatcher.java:146) [org.apache.felix.http.jetty:4.0.8] at org.apache.felix.http.base.internal.whiteboard.WhiteboardManager$2.doFilter(WhiteboardManager.java:1002) [org.apache.felix.http.jetty:4.0.8] at org.apache.sling.security.impl.ReferrerFilter.doFilter(ReferrerFilter.java:326) [org.apache.sling.security:1.1.16] at org.apache.felix.http.base.internal.handler.PreprocessorHandler.handle(PreprocessorHandler.java:136) [org.apache.felix.http.jetty:4.0.8] at org.apache.felix.http.base.internal.whiteboard.WhiteboardManager$2.doFilter(WhiteboardManager.java:1008) [org.apache.felix.http.jetty:4.0.8] at org.apache.felix.http.sslfilter.internal.SslFilter.doFilter(SslFilter.java:97) [org.apache.felix.http.sslfilter:1.2.6] at org.apache.felix.http.base.internal.handler.PreprocessorHandler.handle(PreprocessorHandler.java:136) [org.apache.felix.http.jetty:4.0.8] at org.apache.felix.http.base.internal.whiteboard.WhiteboardManager$2.doFilter(WhiteboardManager.java:1008) [org.apache.felix.http.jetty:4.0.8] at org.apache.felix.http.base.internal.whiteboard.WhiteboardManager.invokePreprocessors(WhiteboardManager.java:1012) [org.apache.felix.http.jetty:4.0.8] at org.apache.felix.http.base.internal.dispatch.Dispatcher.dispatch(Dispatcher.java:91) [org.apache.felix.http.jetty:4.0.8] at org.apache.felix.http.base.internal.dispatch.DispatcherServlet.service(DispatcherServlet.java:49) [org.apache.felix.http.jetty:4.0.8] at javax.servlet.http.HttpServlet.service(HttpServlet.java:725) [org.apache.felix.http.servlet-api:1.1.2] at 
org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:873) [org.apache.felix.http.jetty:4.0.8] at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:542) [org.apache.felix.http.jetty:4.0.8] at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255) [org.apache.felix.http.jetty:4.0.8] at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1701) [org.apache.felix.http.jetty:4.0.8] at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255) [org.apache.felix.http.jetty:4.0.8] at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1345) [org.apache.felix.http.jetty:4.0.8] at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203) [org.apache.felix.http.jetty:4.0.8] at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:480) [org.apache.felix.http.jetty:4.0.8] at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1668) [org.apache.felix.http.jetty:4.0.8] at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201) [org.apache.felix.http.jetty:4.0.8] at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1247) [org.apache.felix.http.jetty:4.0.8] at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144) [org.apache.felix.http.jetty:4.0.8] at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:220) [org.apache.felix.http.jetty:4.0.8] at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132) [org.apache.felix.http.jetty:4.0.8] at org.eclipse.jetty.server.Server.handle(Server.java:502) [org.apache.felix.http.jetty:4.0.8] at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:370) [org.apache.felix.http.jetty:4.0.8] at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:267) [org.apache.felix.http.jetty:4.0.8] at 
org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305) [org.apache.felix.http.jetty:4.0.8] at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) [org.apache.felix.http.jetty:4.0.8] at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117) [org.apache.felix.http.jetty:4.0.8] at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333) [org.apache.felix.http.jetty:4.0.8] at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310) [org.apache.felix.http.jetty:4.0.8] at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168) [org.apache.felix.http.jetty:4.0.8] at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126) [org.apache.felix.http.jetty:4.0.8] at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366) [org.apache.felix.http.jetty:4.0.8] at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765) [org.apache.felix.http.jetty:4.0.8] at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683) [org.apache.felix.http.jetty:4.0.8] at java.lang.Thread.run(Thread.java:748) Caused by: java.security.SignatureException: Signature length not correct: got 256 but was expecting 512 at sun.security.rsa.RSASignature.engineVerify(RSASignature.java:211) at java.security.Signature$Delegate.engineVerify(Signature.java:1394) at java.security.Signature.verify(Signature.java:771) at org.apache.jcp.xml.dsig.internal.dom.DOMSignatureMethod.verify(DOMSignatureMethod.java:238) [com.adobe.granite.auth.saml:1.0.24] at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature$DOMSignatureValue.validate(DOMXMLSignature.java:562) [com.adobe.granite.auth.saml:1.0.24] ... 
55 common frames omitted
11.02.2021 15:41:45.109 *DEBUG* [qtp499816707-2418] com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: audienceRestrictions violated.
11.02.2021 15:41:45.109 *INFO* [qtp499816707-2418] com.adobe.granite.auth.saml.SamlAuthenticationHandler Login failed. SAML token invalid.
11.02.2021 15:41:45.109 *INFO* [qtp499816707-2418] com.adobe.granite.auth.saml.SamlAuthenticationHandler SAML error with reason: invalid_token detected, redirect user to: /libs/granite/core/content/login.error.html?j_reason=invalid_token
Please let me know if I am missing anything. I tried referring to many community links, but it is still not resolved.
Thanks,
Adithya.
Hi @adithyaa6344757,
The Service Provider Entity ID should be the one configured in the IdP (SSOCircle).
In your case, it should be AEMSAMLServiceaadi instead of http://localhost:4502/saml_login in the Service Provider Entity ID.
Note: this value, http://localhost:4502/saml_login, is to be used in the Assertion Consumer URL (optional in the config).
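As an added triage script, not code from this thread or from AEM: it takes the SAML Response AEM received (for example from a browser SAML trace), the configured Service Provider Entity ID, and the RSA key size of the IdP certificate loaded into the AEM truststore (read from keytool -list -v), and reports the three conditions the logs above show. The Java message "Signature length not correct: got 256 but was expecting 512" means the assertion was signed with a 2048-bit key while the certificate AEM verifies against is 4096-bit, which is the key store mismatch Ankur points at; the sample Response below is constructed, not real IdP output.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def triage_response(response_xml: str, sp_entity_id: str, idp_key_bits: int) -> list:
    """Return findings explaining why AEM would log 'SAML token invalid'.
    idp_key_bits: RSA modulus size of the IdP certificate in the AEM truststore."""
    findings = []
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element in the Response"]
    # 1. Signature presence ("Signature verification failed. No signature.")
    sig = assertion.find("ds:Signature", NS)
    if sig is None:  # explicit None check: an empty Element is falsy in ElementTree
        sig = root.find("ds:Signature", NS)
    if sig is None:
        findings.append("no ds:Signature on Response or Assertion")
    else:
        # 2. Signature length vs truststore key: RSA PKCS#1 signatures are exactly
        #    modulus-size bytes, so Java rejects any other length before verifying.
        value = sig.find("ds:SignatureValue", NS)
        sig_len = len(base64.b64decode(value.text.strip())) if value is not None and value.text else 0
        expected = idp_key_bits // 8
        if sig_len != expected:
            findings.append(f"signature is {sig_len} bytes but truststore key implies {expected}: "
                            f"signed with a {sig_len * 8}-bit key, not the configured IdP certificate")
    # 3. Audience vs SP Entity ID ("audienceRestrictions violated")
    audiences = [a.text.strip() for a in
                 assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if audiences and sp_entity_id not in audiences:
        findings.append(f"audienceRestrictions violated: issued for {audiences}, SP Entity ID is {sp_entity_id!r}")
    return findings


def build_sample_response(audience: str, sig_bytes: int) -> str:
    """Constructed minimal Response; sig_bytes=0 omits the Signature element entirely."""
    sig_b64 = base64.b64encode(b"\x00" * sig_bytes).decode()
    sig = f"<ds:Signature><ds:SignatureValue>{sig_b64}</ds:SignatureValue></ds:Signature>" if sig_bytes else ""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}">'
            f"<saml:Assertion>{sig}<saml:Conditions><saml:AudienceRestriction>"
            f"<saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>"
            f"</saml:Assertion></samlp:Response>")


if __name__ == "__main__":
    # Mirrors the thread: 2048-bit signature, 4096-bit truststore cert, localhost entity ID.
    for f in triage_response(build_sample_response("AEMSAMLServiceaadi", 256),
                             "http://localhost:4502/saml_login", 4096):
        print("-", f)
```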
Generally, the "Service Provider Entity ID" should be the environment URL (Dev, UAT, etc.); this URL should identify the Service Provider (SAML).
Is this SAML configuration working with Dev or any other environment URLs?
The issue is with the key store; try reconfiguring it.
Step by step details here-
Thanks, Ankur, for the details. I followed the process according to the link that you provided; it still says the same. I tried to reconfigure the key store too.
14.02.2021 22:24:48.375 *DEBUG* [qtp1785193178-1799] com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: Signature invalid.
14.02.2021 22:24:48.375 *INFO* [qtp1785193178-1799] com.adobe.granite.auth.saml.SamlAuthenticationHandler Login failed. SAML token invalid.
14.02.2021 22:24:48.376 *INFO* [qtp1785193178-1799] com.adobe.granite.auth.saml.SamlAuthenticationHandler SAML error with reason: invalid_token detected, redirect user to: /libs/granite/core/content/login.error.html?j_reason=invalid_token
Thanks,
Adithya.