SOLVED

SAML authentication invalid SAML TOKEN


Level 3

Hello All,

I am trying to implement SAML integration on my local instance, but it gives an invalid SAML token.

[screenshot]

I am following this documentation: https://helpx.adobe.com/experience-manager/using/aem63_saml.html

I am using AEM version 6.5.6.

Here is my configuration:

[configuration screenshots]

I had tried to change the Service Provider Entity ID to AEMSAMLServiceaadi, which is the SPEntityId created on the SSO Circle IdP as per the documentation.

[screenshot]

I had also tried to remove POST, as suggested by one person in the community, but it doesn't work.

Here are my logs:

11.02.2021 14:57:34.957 *DEBUG* [qtp499816707-2364] com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: Signature invalid.
11.02.2021 14:57:34.957 *INFO* [qtp499816707-2364] com.adobe.granite.auth.saml.SamlAuthenticationHandler Login failed. SAML token invalid.
11.02.2021 14:57:34.957 *INFO* [qtp499816707-2364] com.adobe.granite.auth.saml.SamlAuthenticationHandler SAML error with reason: invalid_token detected, redirect user to: /libs/granite/core/content/login.error.html?j_reason=invalid_token
11.02.2021 15:41:14.723 *INFO* [CM Event Dispatcher (Fire ConfigurationEvent: pid=com.adobe.granite.auth.saml.SamlAuthenticationHandler.e763ec3a-e683-4c0e-b2d6-63adf9536459)] com.adobe.granite.auth.saml Service [com.adobe.granite.auth.saml.SamlAuthenticationHandler.e763ec3a-e683-4c0e-b2d6-63adf9536459,8730, [org.apache.sling.auth.core.spi.AuthenticationHandler]] ServiceEvent UNREGISTERING
11.02.2021 15:41:14.727 *INFO* [CM Event Dispatcher (Fire ConfigurationEvent: pid=com.adobe.granite.auth.saml.SamlAuthenticationHandler.e763ec3a-e683-4c0e-b2d6-63adf9536459)] com.adobe.granite.auth.saml Service [com.adobe.granite.auth.saml.SamlAuthenticationHandler.e763ec3a-e683-4c0e-b2d6-63adf9536459,8776, [org.apache.sling.auth.core.spi.AuthenticationHandler]] ServiceEvent REGISTERED
11.02.2021 15:41:45.103 *DEBUG* [qtp499816707-2418] com.adobe.granite.auth.saml.util.SamlReader Signature verification failed. No signature.
11.02.2021 15:41:45.108 *ERROR* [qtp499816707-2418] com.adobe.granite.auth.saml.util.SamlReader Unable to validate signature.
javax.xml.crypto.dsig.XMLSignatureException: java.security.SignatureException: Signature length not correct: got 256 but was expecting 512
	at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature$DOMSignatureValue.validate(DOMXMLSignature.java:565) [com.adobe.granite.auth.saml:1.0.24]
	at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.validate(DOMXMLSignature.java:254) [com.adobe.granite.auth.saml:1.0.24]
	at com.adobe.granite.auth.saml.util.SamlReader.verifyElementSignature(SamlReader.java:368) [com.adobe.granite.auth.saml:1.0.24]
	at com.adobe.granite.auth.saml.util.SamlReader.parse(SamlReader.java:241) [com.adobe.granite.auth.saml:1.0.24]
	at com.adobe.granite.auth.saml.util.SamlReader.read(SamlReader.java:122) [com.adobe.granite.auth.saml:1.0.24]
	at com.adobe.granite.auth.saml.binding.PostBinding.receive(PostBinding.java:109) [com.adobe.granite.auth.saml:1.0.24]
	at com.adobe.granite.auth.saml.SamlAuthenticationHandler.handleLogin(SamlAuthenticationHandler.java:805) [com.adobe.granite.auth.saml:1.0.24]
	at com.adobe.granite.auth.saml.SamlAuthenticationHandler.extractCredentials(SamlAuthenticationHandler.java:499) [com.adobe.granite.auth.saml:1.0.24]
	at org.apache.sling.auth.core.impl.AuthenticationHandlerHolder.doExtractCredentials(AuthenticationHandlerHolder.java:76) [org.apache.sling.auth.core:1.4.2]
	at org.apache.sling.auth.core.impl.AbstractAuthenticationHandlerHolder.extractCredentials(AbstractAuthenticationHandlerHolder.java:60) [org.apache.sling.auth.core:1.4.2]
	at org.apache.sling.auth.core.impl.SlingAuthenticator.getAuthenticationInfo(SlingAuthenticator.java:735) [org.apache.sling.auth.core:1.4.2]
	at org.apache.sling.auth.core.impl.SlingAuthenticator.doHandleSecurity(SlingAuthenticator.java:483) [org.apache.sling.auth.core:1.4.2]
	at org.apache.sling.auth.core.impl.SlingAuthenticator.handleSecurity(SlingAuthenticator.java:460) [org.apache.sling.auth.core:1.4.2]
	at org.apache.sling.engine.impl.SlingHttpContext.handleSecurity(SlingHttpContext.java:131) [org.apache.sling.engine:2.6.18]
	at org.apache.felix.http.base.internal.whiteboard.PerBundleServletContextImpl.handleSecurity(PerBundleServletContextImpl.java:82) [org.apache.felix.http.jetty:4.0.8]
	at org.apache.felix.http.base.internal.dispatch.InvocationChain.doFilter(InvocationChain.java:58) [org.apache.felix.http.jetty:4.0.8]
	at org.apache.felix.http.base.internal.dispatch.Dispatcher$1.doFilter(Dispatcher.java:146) [org.apache.felix.http.jetty:4.0.8]
	at org.apache.felix.http.base.internal.whiteboard.WhiteboardManager$2.doFilter(WhiteboardManager.java:1002) [org.apache.felix.http.jetty:4.0.8]
	at org.apache.sling.security.impl.ReferrerFilter.doFilter(ReferrerFilter.java:326) [org.apache.sling.security:1.1.16]
	at org.apache.felix.http.base.internal.handler.PreprocessorHandler.handle(PreprocessorHandler.java:136) [org.apache.felix.http.jetty:4.0.8]
	at org.apache.felix.http.base.internal.whiteboard.WhiteboardManager$2.doFilter(WhiteboardManager.java:1008) [org.apache.felix.http.jetty:4.0.8]
	at org.apache.felix.http.sslfilter.internal.SslFilter.doFilter(SslFilter.java:97) [org.apache.felix.http.sslfilter:1.2.6]
	at org.apache.felix.http.base.internal.handler.PreprocessorHandler.handle(PreprocessorHandler.java:136) [org.apache.felix.http.jetty:4.0.8]
	at org.apache.felix.http.base.internal.whiteboard.WhiteboardManager$2.doFilter(WhiteboardManager.java:1008) [org.apache.felix.http.jetty:4.0.8]
	at org.apache.felix.http.base.internal.whiteboard.WhiteboardManager.invokePreprocessors(WhiteboardManager.java:1012) [org.apache.felix.http.jetty:4.0.8]
	at org.apache.felix.http.base.internal.dispatch.Dispatcher.dispatch(Dispatcher.java:91) [org.apache.felix.http.jetty:4.0.8]
	at org.apache.felix.http.base.internal.dispatch.DispatcherServlet.service(DispatcherServlet.java:49) [org.apache.felix.http.jetty:4.0.8]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:725) [org.apache.felix.http.servlet-api:1.1.2]
	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:873) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:542) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1701) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1345) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:480) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1668) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1247) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:220) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.server.Server.handle(Server.java:502) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:370) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:267) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765) [org.apache.felix.http.jetty:4.0.8]
	at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683) [org.apache.felix.http.jetty:4.0.8]
	at java.lang.Thread.run(Thread.java:748)
Caused by: java.security.SignatureException: Signature length not correct: got 256 but was expecting 512
	at sun.security.rsa.RSASignature.engineVerify(RSASignature.java:211)
	at java.security.Signature$Delegate.engineVerify(Signature.java:1394)
	at java.security.Signature.verify(Signature.java:771)
	at org.apache.jcp.xml.dsig.internal.dom.DOMSignatureMethod.verify(DOMSignatureMethod.java:238) [com.adobe.granite.auth.saml:1.0.24]
	at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature$DOMSignatureValue.validate(DOMXMLSignature.java:562) [com.adobe.granite.auth.saml:1.0.24]
	... 55 common frames omitted
11.02.2021 15:41:45.109 *DEBUG* [qtp499816707-2418] com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: audienceRestrictions violated.
11.02.2021 15:41:45.109 *INFO* [qtp499816707-2418] com.adobe.granite.auth.saml.SamlAuthenticationHandler Login failed. SAML token invalid.
11.02.2021 15:41:45.109 *INFO* [qtp499816707-2418] com.adobe.granite.auth.saml.SamlAuthenticationHandler SAML error with reason: invalid_token detected, redirect user to: /libs/granite/core/content/login.error.html?j_reason=invalid_token

 

Please let me know if I am missing anything. I tried referring to many community links, but it is not resolved.

Thanks,

Adithya.

1 Accepted Solution


Correct answer by
Community Advisor

Hi @adithyaa6344757,

The Service Provider Entity ID should be the one configured in the IdP (SSOCircle).

In your case, it should be AEMSAMLServiceaadi instead of http://localhost:4502/saml_login in Service Provider Entity ID.

Note: this value, http://localhost:4502/saml_login, is to be used in the Assertion Consumer URL (optional in the config).
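As an added illustration, not part of the original thread and not AEM's or SSOCircle's code, the Python script below reproduces the two cheap checks whose failures appear in the log excerpt in the question. The first is the signature-length check the JDK performs before any verification: a PKCS#1 RSA signature is exactly as long as the key's modulus, so "got 256 but was expecting 512" means a 256-byte signature made with a 2048-bit key was checked against a 4096-bit key, i.e. the certificate AEM is verifying with is not the one the IdP signed with. The second is the comparison of saml:Audience against the configured Service Provider Entity ID, which is what the accepted answer fixes. The SAML response, the IdP issuer and the key sizes are constructed; the script does not verify the XML signature cryptographically and is a diagnostic aid only, never an authentication decision.

```python
"""Offline triage for the two checks behind AEM's 'SAML token invalid' lines.

Added example, not code from AEM, SSOCircle or the thread. It does NOT verify
the XML signature; it reproduces the two cheap pre-checks whose failure shows
up in the log above:
  * RSA signature length vs. modulus size of the trusted IdP certificate
    ("Signature length not correct: got 256 but was expecting 512")
  * saml:Audience vs. the configured Service Provider Entity ID
    ("Invalid Assertion: audienceRestrictions violated")
The sample response, IdP issuer and key sizes are constructed.
"""
import base64
import xml.etree.ElementTree as ET  # use defusedxml for input from a real IdP

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed response: only the Assertion is signed, with a 256-byte (2048-bit
# RSA) SignatureValue, and the Audience is the SP entity ID registered at the IdP.
FAKE_SIG = base64.b64encode(b"\x00" * 256).decode()
SAMPLE_RESPONSE = base64.b64encode(f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0"
    IssueInstant="2021-02-11T10:11:45Z" Destination="http://localhost:4502/saml_login">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2021-02-11T10:11:45Z">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue>{FAKE_SIG}</ds:SignatureValue></ds:Signature>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>AEMSAMLServiceaadi</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>""".encode())


def rsa_signature_length_check(signature_el, trusted_modulus_bits):
    """Mirror of the JDK's RSASignature.engineVerify length check.

    A PKCS#1 v1.5 RSA signature is exactly as long as the modulus: a 256-byte
    SignatureValue was made with a 2048-bit key. If the certificate in the SP
    trust store has a 4096-bit key, the verifier expects 512 bytes and throws
    before doing any math, so the wrong certificate is the first thing to check.
    """
    sig = base64.b64decode(signature_el.findtext("ds:SignatureValue", namespaces=NS))
    expected = trusted_modulus_bits // 8
    return {"got": len(sig), "expected": expected, "ok": len(sig) == expected}


def audience_check(assertion_el, sp_entity_id):
    """AEM compares its Service Provider Entity ID against saml:Audience."""
    path = "saml:Conditions/saml:AudienceRestriction/saml:Audience"
    audiences = [a.text.strip() for a in assertion_el.findall(path, NS)]
    return {"audiences": audiences, "ok": sp_entity_id in audiences}


def diagnose(b64_response, sp_entity_id, trusted_modulus_bits):
    """Return findings in the order AEM's SamlReader/Assertion would hit them."""
    root = ET.fromstring(base64.b64decode(b64_response))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"error": "no saml:Assertion in response"}
    findings = {
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion.find("ds:Signature", NS) is not None,
    }
    if findings["assertion_signed"]:
        findings["signature"] = rsa_signature_length_check(
            assertion.find("ds:Signature", NS), trusted_modulus_bits)
    findings["audience"] = audience_check(assertion, sp_entity_id)
    findings["token_valid"] = bool(
        findings.get("signature", {}).get("ok", False) and findings["audience"]["ok"])
    return findings


if __name__ == "__main__":
    # As configured in the question: SP entity ID set to the ACS URL, and a
    # 4096-bit verification key while the IdP signs with a 2048-bit key.
    print(diagnose(SAMPLE_RESPONSE, "http://localhost:4502/saml_login", 4096))
    # After the accepted answer (entity ID = AEMSAMLServiceaadi) and with the
    # certificate that actually signs the assertions.
    print(diagnose(SAMPLE_RESPONSE, "AEMSAMLServiceaadi", 2048))
```

The first call mirrors the configuration in the question and reports both failures; the second, with the entity ID from the accepted answer and a verification key matching the signature size, passes. The script also reports which of Response and Assertion carry a ds:Signature, since a DEBUG "No signature" line followed by a failed verification suggests only one of the two was signed. For a response captured from a real IdP, parse it with defusedxml rather than xml.etree.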


4 Replies


Community Advisor

Generally, the "Service Provider Entity ID" should be the environment URL (Dev, UAT, etc.); this URL should identify the Service Provider (SAML).

Is this SAML configuration working with Dev or any other environment URLs?


Level 3

Thanks, Ankur, for the details. I followed the process according to the link you had provided; it still says the same. I tried to reconfigure the keystore too.

 

14.02.2021 22:24:48.375 *DEBUG* [qtp1785193178-1799] com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: Signature invalid.
14.02.2021 22:24:48.375 *INFO* [qtp1785193178-1799] com.adobe.granite.auth.saml.SamlAuthenticationHandler Login failed. SAML token invalid.
14.02.2021 22:24:48.376 *INFO* [qtp1785193178-1799] com.adobe.granite.auth.saml.SamlAuthenticationHandler SAML error with reason: invalid_token detected, redirect user to: /libs/granite/core/content/login.error.html?j_reason=invalid_token

[screenshot]

Thanks,
Adithya.

 
