SAML error when trying to login in Author Instance

sunitac2231600
Level 3

22-08-2016

Dear Team,

When I try to log in to our Dev environment through SSO, I get the error shown in the screenshot below.

I am also getting the error messages below in the error.log file.

22.08.2016 19:45:45.254 *ERROR* [qtp1938287629-27055] com.adobe.granite.auth.saml.SamlAuthenticationHandler SAML response parameter was not provided or invalid.
22.08.2016 19:45:45.255 *INFO* [qtp1938287629-27055] org.apache.sling.auth.core.impl.SlingAuthenticator getAnonymousResolver: Anonymous access not allowed by configuration - requesting credentials
22.08.2016 19:45:45.255 *WARN* [qtp1938287629-27055] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
22.08.2016 19:45:46.687 *ERROR* [qtp1938287629-26657] com.adobe.granite.auth.saml.SamlAuthenticationHandler SAML response parameter was not provided or invalid.
22.08.2016 19:45:46.693 *INFO* [10.100.3.45 [1471887946691] GET /saml_login HTTP/1.1] org.apache.sling.engine.impl.SlingRequestProcessorImpl service: Resource /saml_login not found
22.08.2016 19:45:46.694 *INFO* [10.100.3.45 [1471887946691] GET /saml_login HTTP/1.1] com.adobe.acs.commons.errorpagehandler.impl.ErrorPageHandlerImpl ACS AEM Commons Error Page Handler is enabled but mis-configured. A valid error image handler nor a valid error page could be found.
22.08.2016 19:45:52.223 *INFO* [pool-9-thread-2] com.day.cq.replication.Agent.publish1euwest1_reverse Sending GET request to 

We have configured SAML in /etc/key, as shown in the screenshot below.

We have also observed that we are getting 2 SAML entries in the OSGi configuration, as shown in the screenshot below.

Please suggest.

Thanks !!!
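Added example (not part of the original post): a Python triage of the first five error.log lines quoted above. It parses the AEM error.log layout, including request threads that contain their own brackets, and tags the SAML-related entries. The tag names and the rule table are choices made for this example.

```python
import re
from collections import Counter

# Constructed sample: the first five lines of the error.log excerpt quoted in the question.
SAMPLE_LOG = """\
22.08.2016 19:45:45.254 *ERROR* [qtp1938287629-27055] com.adobe.granite.auth.saml.SamlAuthenticationHandler SAML response parameter was not provided or invalid.
22.08.2016 19:45:45.255 *INFO* [qtp1938287629-27055] org.apache.sling.auth.core.impl.SlingAuthenticator getAnonymousResolver: Anonymous access not allowed by configuration - requesting credentials
22.08.2016 19:45:45.255 *WARN* [qtp1938287629-27055] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
22.08.2016 19:45:46.687 *ERROR* [qtp1938287629-26657] com.adobe.granite.auth.saml.SamlAuthenticationHandler SAML response parameter was not provided or invalid.
22.08.2016 19:45:46.693 *INFO* [10.100.3.45 [1471887946691] GET /saml_login HTTP/1.1] org.apache.sling.engine.impl.SlingRequestProcessorImpl service: Resource /saml_login not found
"""

# timestamp, *LEVEL*, [thread], dotted logger name, message. Request threads hold
# nested brackets, so the logger must contain a dot to anchor the split correctly.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) \*(?P<level>[A-Z]+)\* "
    r"\[(?P<thread>.*?)\] (?P<logger>[A-Za-z_][\w$]*(?:\.[\w$]+)+) (?P<msg>.*)$"
)
# Request threads look like "<ip> [<epoch ms>] <METHOD> <path> HTTP/1.1".
REQUEST_RE = re.compile(r"\] (?P<method>[A-Z]+) (?P<path>\S+) HTTP/")

# (logger suffix, message fragment, tag); tags are names chosen for this example.
RULES = [
    ("SamlAuthenticationHandler", "SAML response parameter was not provided or invalid", "no_saml_response"),
    ("SamlAuthenticationHandler", "Private key of SP not provided", "authn_request_unsigned"),
    ("SlingRequestProcessorImpl", "Resource /saml_login not found", "saml_login_unhandled"),
]

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # continuation lines (stack traces) or truncated entries
    rec = m.groupdict()
    req = REQUEST_RE.search(rec["thread"])
    rec["method"] = req.group("method") if req else None
    rec["path"] = req.group("path") if req else None
    rec["tag"] = next((tag for suffix, frag, tag in RULES
                       if rec["logger"].endswith(suffix) and frag in rec["msg"]), None)
    return rec

def triage(log_text):
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    tagged = [r for r in records if r["tag"]]
    return Counter(r["tag"] for r in tagged), tagged

if __name__ == "__main__":
    counts, tagged = triage(SAMPLE_LOG)
    for r in tagged:
        print(r["ts"], r["level"], r["tag"], r["method"] or "-", r["path"] or "-")
    print(dict(counts))
```

The per-request method and path are pulled from the thread field, which makes it visible that the unhandled /saml_login request in this excerpt was a GET.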

Replies

andrewj40704587
Level 2

22-08-2016

Was this a new configuration, or has it worked before? If you click on one of the OSGi configs and view the options, is there something not specified that should be?

Tuhin_Ghosh
Level 5

22-08-2016

Seeing your error log, I can say that AEM is trying to connect anonymously, which is not allowed for an author instance. Here is an article which discusses Sling authentication, both authenticated and anonymous login.

http://sling.apache.org/documentation/the-sling-engine/authentication/authentication-framework.html 

Var
Level 4

23-08-2016

Which version of AEM are you trying this on?

Can you provide a screenshot of the SAML configuration that you have done?

Also, can you try removing the Sling referrer filter "POST" and saving the configuration? And are the users you authenticate via the IdP available in AEM? If so, do those users have the required permissions?

Regards,

VAr

sunitac2231600
Level 3

24-08-2016

Dear All,

This SAML was working fine before, but now it's not working. We need the root cause for this.

We are using AEM 6.1.

Yes, I tried removing the Sling referrer filter "POST" and saving the configuration, but it did not work.

Also, the users I am trying to authenticate via the IdP are available in AEM, and yes, those users already have the required permissions.

Please find below the screenshot of our SAML configuration.

Opkar_Gill
Employee

24-08-2016

Hi,

When you say it was working before, what do you mean: it recently stopped working, or it was working in a previous version of AEM?

You don't use /etc/key anymore, please follow [0].

The screenshot you have shared for the SAML configuration doesn't appear to be correct:

  • you have not configured the IDP Certificate Alias,
  • your "Service Provider Entity ID" should typically be your AEM server with "saml_login" at the end

The above means you did not follow [0]. The docs for setting up same in 6.1 are incorrect, so if you were not aware of [0], it won't work...

Regards,

Opkar

[0] http://www.aemstuff.com/blogs/july/saml.html