SAML error with reason: invalid_token detected, redirect user to: /libs/granite/core/content/login.error.html?j_reason=invalid_token

  • September 15, 2022
  • 3 replies
  • 1973 views

Hi,

I always get the below error message.

IDP - Keycloak (http://localhost:8180/auth/realms/aem)

IDP Client - aem-app

SP - AEM (http://localhost:4502)

SP-SAML-CONFIG - Authentication Handler

Logs:

saml.log:

15.09.2022 11:57:38.092 *DEBUG* [qtp2135073923-4803] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
15.09.2022 11:58:23.949 *DEBUG* [qtp2135073923-4805] com.adobe.granite.auth.saml.util.SamlReader Signature verification failed for [saml:Assertion: null]. No signature.
15.09.2022 11:58:23.949 *DEBUG* [qtp2135073923-4805] com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: notOnOrAfter violated: (java.util.GregorianCalendar[time=1663223363949,areFieldsSet=true,areAllFieldsSet=true,lenient=true,zone=sun.util.calendar.ZoneInfo[id="Asia/Calcutta",offset=19800000,dstSavings=0,useDaylight=false,transitions=7,lastRule=null],firstDayOfWeek=1,minimalDaysInFirstWeek=1,ERA=1,YEAR=2022,MONTH=8,WEEK_OF_YEAR=38,WEEK_OF_MONTH=3,DAY_OF_MONTH=15,DAY_OF_YEAR=258,DAY_OF_WEEK=5,DAY_OF_WEEK_IN_MONTH=3,AM_PM=0,HOUR=11,HOUR_OF_DAY=11,MINUTE=59,SECOND=23,MILLISECOND=949,ZONE_OFFSET=19800000,DST_OFFSET=0] >= java.util.GregorianCalendar[time=1663223353897,areFieldsSet=true,areAllFieldsSet=true,lenient=true,zone=java.util.SimpleTimeZone[id=UTC,offset=0,dstSavings=3600000,useDaylight=false,startYear=0,startMode=0,startMonth=0,startDay=0,startDayOfWeek=0,startTime=0,startTimeMode=0,endMode=0,endMonth=0,endDay=0,endDayOfWeek=0,endTime=0,endTimeMode=0],firstDayOfWeek=1,minimalDaysInFirstWeek=1,ERA=1,YEAR=2022,MONTH=8,WEEK_OF_YEAR=38,WEEK_OF_MONTH=3,DAY_OF_MONTH=15,DAY_OF_YEAR=258,DAY_OF_WEEK=5,DAY_OF_WEEK_IN_MONTH=3,AM_PM=0,HOUR=6,HOUR_OF_DAY=6,MINUTE=29,SECOND=13,MILLISECOND=897,ZONE_OFFSET=0,DST_OFFSET=0]).
15.09.2022 11:58:23.949 *INFO* [qtp2135073923-4805] com.adobe.granite.auth.saml.SamlAuthenticationHandler Login failed. SAML token invalid.
15.09.2022 11:58:23.950 *INFO* [qtp2135073923-4805] com.adobe.granite.auth.saml.SamlAuthenticationHandler SAML error with reason: invalid_token detected, redirect user to: /libs/granite/core/content/login.error.html?j_reason=invalid_token
15.09.2022 11:58:24.074 *DEBUG* [qtp2135073923-4789] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
15.09.2022 11:58:24.076 *DEBUG* [qtp2135073923-4758] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
15.09.2022 11:58:24.103 *DEBUG* [qtp2135073923-4795] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
15.09.2022 11:58:24.103 *DEBUG* [qtp2135073923-4804] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.

I have generated a keystore and uploaded it to the global truststore, and the same generated alias is mapped in the authentication handler.

I am not able to resolve the issue; any help will be appreciated.


3 replies

arunpatidar
Community Advisor
September 15, 2022

Level 2
September 15, 2022

Hi @arunpatidar,

Since my IdP is Keycloak, I won't go through the second link, https://docs.mktossl.com/docs/experience-cloud-kcs/kbarticles/KA-17481.html?lang=en, which is for SSOCircle. However, I tried all the suggestions in the first link, https://blogs.perficient.com/2019/06/24/simple-local-saml-integration-with-aem-gotchas/, but still no luck; I am getting the below error in saml.log:

15.09.2022 17:57:53.162 *DEBUG* [qtp2135073923-5095] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
15.09.2022 17:57:56.458 *DEBUG* [qtp2135073923-5203] com.adobe.granite.auth.saml.util.SamlReader Signature verification failed for [saml:Assertion: null]. No signature.
15.09.2022 17:57:56.459 *DEBUG* [qtp2135073923-5203] com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: notOnOrAfter violated:
15.09.2022 17:57:56.459 *INFO* [qtp2135073923-5203] com.adobe.granite.auth.saml.SamlAuthenticationHandler Login failed. SAML token invalid.
15.09.2022 17:57:56.459 *INFO* [qtp2135073923-5203] com.adobe.granite.auth.saml.SamlAuthenticationHandler SAML error with reason: invalid_token detected, redirect user to: /libs/granite/core/content/login.error.html?j_reason=invalid_token
15.09.2022 17:57:56.610 *DEBUG* [qtp2135073923-5095] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.

A_H_M_Imrul
Community Advisor
December 10, 2023

@kumamanish 

I know it's really late to answer this question. But I think it still makes sense to address this, considering the fact that the solution is not yet found. You can follow the below steps for further troubleshooting:

- Since SamlAuthenticationHandler is complaining about the private key of SP, I would suggest recreating and reuploading the certificate by following exactly the same steps explained here: https://experienceleague.adobe.com/docs/experience-manager-65/administering/security/saml-2-0-authenticationhandler.html?lang=en#add-the-service-provider-key-and-certificate-chain-to-the-aem-keystore (but honestly I think you don't even need that as you are not using encryption, so better remove the spPrivateKeyAlias)

- I think the key here is the message: SAML Token Invalid with notOnOrAfter violated. The SAML token, which refers to the content inside the <samlp:Response></samlp:Response> tag, has a validity period called the Assertion Lifespan. I would suggest you check it in the Keycloak dashboard and set a longer (5 or 10 minutes) lifespan.

You can find it in Keycloak: Client -> Client Details -> Advanced (tab) -> Advanced Settings -> Assertion Lifespan.

See if this changes anything.

For a complete reference: https://medium.com/@imrul001/comprehensive-guide-setting-up-saml-sso-between-keycloak-and-aem-0b134cdaac58
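The notOnOrAfter check this reply points at, as an added example that is not from the thread, from AEM or from Keycloak: a Python validator that parses <saml:Conditions> and evaluates NotBefore/NotOnOrAfter against an evaluation instant given in epoch milliseconds, generalised with an optional clock-skew tolerance that the thread does not discuss. The NotOnOrAfter value and the evaluation instant are the two timestamps from the question's log (epoch ms 1663223353897 and 1663223363949); the assertion fragment, its ID and its NotBefore are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment (only what the time check needs). NotOnOrAfter
# is the instant the AEM log reports (epoch ms 1663223353897 = 06:29:13.897Z);
# the ID and NotBefore are invented for the example.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion" Version="2.0" IssueInstant="2022-09-15T06:24:13.897Z">
  <saml:Issuer>http://localhost:8180/auth/realms/aem</saml:Issuer>
  <saml:Conditions NotBefore="2022-09-15T06:24:13.897Z"
                   NotOnOrAfter="2022-09-15T06:29:13.897Z"/>
</saml:Assertion>"""

# Instant at which AEM evaluated the assertion, from the log
# (11:59:23.949 Asia/Calcutta = 06:29:23.949Z).
LOGGED_NOW_MS = 1663223363949


def parse_saml_instant(value: str) -> datetime:
    """SAML timestamps are xs:dateTime in UTC with a trailing 'Z'."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def epoch_ms_to_datetime(ms: int) -> datetime:
    """Exact conversion; avoids float rounding of the millisecond part."""
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc) + timedelta(milliseconds=ms % 1000)


def check_conditions(assertion_xml: str, now_ms: int, skew_seconds: float = 0.0) -> tuple:
    """Return (valid, reason). skew_seconds is the clock-skew tolerance the SP grants;
    the AEM log shows a plain `now >= NotOnOrAfter` comparison, i.e. zero tolerance."""
    now = epoch_ms_to_datetime(now_ms)
    skew = timedelta(seconds=skew_seconds)
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", SAML_NS)
    if cond is None:
        return True, "no Conditions element"
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and now < parse_saml_instant(not_before) - skew:
        return False, "notBefore violated"
    if not_on_or_after:
        expiry = parse_saml_instant(not_on_or_after)
        if now >= expiry + skew:
            late = (now - expiry).total_seconds()
            return False, f"notOnOrAfter violated by {late:.3f}s"
    return True, "ok"


if __name__ == "__main__":
    print(check_conditions(SAMPLE_ASSERTION, LOGGED_NOW_MS))      # rejected, as in the log
    print(check_conditions(SAMPLE_ASSERTION, LOGGED_NOW_MS, 60))  # accepted with 60 s tolerance
```

With skew_seconds=0 the validator reproduces the log's rejection: the evaluation instant is 10.052 s past NotOnOrAfter, which a longer assertion lifespan or synchronised clocks on the IdP and SP hosts would avoid.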


kautuk_sahni
Community Manager
November 25, 2024

@kumamanish Did you find the suggestions helpful? Please let us know if you require more information. Otherwise, please mark the answer as correct for posterity. If you've discovered a solution yourself, we would appreciate it if you could share it with the community. Thank you!

Kautuk Sahni