Expand my Community achievements bar.

Adobe Summit 2025: AEM Session Recordings Are Live! Missed a session or want to revisit your favorites? Watch the latest recordings now.
Watch Now!

SAML error with reason: invalid_token detected, redirect user to: /libs/granite/core/content/login.error.html?j_reason=invalid_token

Avatar

Level 2
Level 2
9/14/22 11:43:20 PM

Hi,

 

I always get below error message,

 

kumamanish_0-1663223461483.png

 

IDP- Keycloak ( http://localhost:8180/auth/realms/aem)

IDP Client - aem-app

 

SP - AEM(http://localhost:4502)

SP-SAML-CONFIG - Authentication Handler 

kumamanish_1-1663223688068.png

 

Logs:

- saml.log:-

--------------

15.09.2022 11:57:38.092 *DEBUG* [qtp2135073923-4803] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
15.09.2022 11:58:23.949 *DEBUG* [qtp2135073923-4805] com.adobe.granite.auth.saml.util.SamlReader Signature verification failed for [saml:Assertion: null]. No signature.
15.09.2022 11:58:23.949 *DEBUG* [qtp2135073923-4805] com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: notOnOrAfter violated: (java.util.GregorianCalendar[time=1663223363949,areFieldsSet=true,areAllFieldsSet=true,lenient=true,zone=sun.util.calendar.ZoneInfo[id="Asia/Calcutta",offset=19800000,dstSavings=0,useDaylight=false,transitions=7,lastRule=null],firstDayOfWeek=1,minimalDaysInFirstWeek=1,ERA=1,YEAR=2022,MONTH=8,WEEK_OF_YEAR=38,WEEK_OF_MONTH=3,DAY_OF_MONTH=15,DAY_OF_YEAR=258,DAY_OF_WEEK=5,DAY_OF_WEEK_IN_MONTH=3,AM_PM=0,HOUR=11,HOUR_OF_DAY=11,MINUTE=59,SECOND=23,MILLISECOND=949,ZONE_OFFSET=19800000,DST_OFFSET=0] >= java.util.GregorianCalendar[time=1663223353897,areFieldsSet=true,areAllFieldsSet=true,lenient=true,zone=java.util.SimpleTimeZone[id=UTC,offset=0,dstSavings=3600000,useDaylight=false,startYear=0,startMode=0,startMonth=0,startDay=0,startDayOfWeek=0,startTime=0,startTimeMode=0,endMode=0,endMonth=0,endDay=0,endDayOfWeek=0,endTime=0,endTimeMode=0],firstDayOfWeek=1,minimalDaysInFirstWeek=1,ERA=1,YEAR=2022,MONTH=8,WEEK_OF_YEAR=38,WEEK_OF_MONTH=3,DAY_OF_MONTH=15,DAY_OF_YEAR=258,DAY_OF_WEEK=5,DAY_OF_WEEK_IN_MONTH=3,AM_PM=0,HOUR=6,HOUR_OF_DAY=6,MINUTE=29,SECOND=13,MILLISECOND=897,ZONE_OFFSET=0,DST_OFFSET=0]).
15.09.2022 11:58:23.949 *INFO* [qtp2135073923-4805] com.adobe.granite.auth.saml.SamlAuthenticationHandler Login failed. SAML token invalid.
15.09.2022 11:58:23.950 *INFO* [qtp2135073923-4805] com.adobe.granite.auth.saml.SamlAuthenticationHandler SAML error with reason: invalid_token detected, redirect user to: /libs/granite/core/content/login.error.html?j_reason=invalid_token
15.09.2022 11:58:24.074 *DEBUG* [qtp2135073923-4789] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
15.09.2022 11:58:24.076 *DEBUG* [qtp2135073923-4758] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
15.09.2022 11:58:24.103 *DEBUG* [qtp2135073923-4795] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
15.09.2022 11:58:24.103 *DEBUG* [qtp2135073923-4804] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.

 

I have generated keystore and uploaded at global truestore, same generated alias mapped with authentication handler.

 

Not able to resolve issue, any help will be apprecaited. 

Views

1.6K

Replies

4
Sign in to like this content

Total Likes

Translate
Translate
4 Replies

Avatar

Community Advisor
Community Advisor
9/15/22 12:19:51 AM

Please check

https://blogs.perficient.com/2019/06/24/simple-local-saml-integration-with-aem-gotchas/ 

https://docs.mktossl.com/docs/experience-cloud-kcs/kbarticles/KA-17481.html?lang=en 

Arun Patidar

AEM LinksLinkedIn

Views

1.6K

Replies

1
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 2
Level 2
9/15/22 5:30:38 AM
In response to arunpatidar

Hi @arunpatidar ,

 

Since my idp is keycloak so won't go through second link https://docs.mktossl.com/docs/experience-cloud-kcs/kbarticles/KA-17481.html?lang=en  for SSOCircle, however I tried with all suggestions which are inside first link https://blogs.perficient.com/2019/06/24/simple-local-saml-integration-with-aem-gotchas/ but still no luck, getting below error in saml.log

15.09.2022 17:57:53.162 *DEBUG* [qtp2135073923-5095] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
15.09.2022 17:57:56.458 *DEBUG* [qtp2135073923-5203] com.adobe.granite.auth.saml.util.SamlReader Signature verification failed for [saml:Assertion: null]. No signature.
15.09.2022 17:57:56.459 *DEBUG* [qtp2135073923-5203] com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: notOnOrAfter violated:
15.09.2022 17:57:56.459 *INFO* [qtp2135073923-5203] com.adobe.granite.auth.saml.SamlAuthenticationHandler Login failed. SAML token invalid.
15.09.2022 17:57:56.459 *INFO* [qtp2135073923-5203] com.adobe.granite.auth.saml.SamlAuthenticationHandler SAML error with reason: invalid_token detected, redirect user to: /libs/granite/core/content/login.error.html?j_reason=invalid_token
15.09.2022 17:57:56.610 *DEBUG* [qtp2135073923-5095] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.

Views

1.6K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Community Advisor
Community Advisor
12/10/23 2:04:55 AM

@kumamanish 

I know it's really late to answer this question. But I think it still makes sense to address this, considering the fact that the solution is not yet found. You can follow the below steps for further troubleshooting:

- Since SamlAuthenticationHandler is complaining about the private key of SP, I would suggest recreating and reuploading the certificate by following exactly the same steps explained here: https://experienceleague.adobe.com/docs/experience-manager-65/administering/security/saml-2-0-authen... (but honestly I think you don't even need that as you are not using encryption, so better remove the spPrivateKeyAlias)

- I think the key here is the message: SAML Token Invalid with notOnOrAfter violated. The Saml token which refers to content inside the tag: <samlp:Response></samlp:Response>, it has a validity which is called Assertion Lifespan. I would suggest you check it in the Keycloak dashboard and put a longer (5 or 10 minutes) lifespan.

You can find it in Keycloak: Client -> Client Details -> Advanced (tab) -> Advanced Settings -> Assertion Lifespan. 

See if this changes anything. 

For a complete reference: https://medium.com/@imrul001/comprehensive-guide-setting-up-saml-sso-between-keycloak-and-aem-0b134c...

    

Views

1.2K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Administrator
Administrator
11/25/24 6:24:49 AM

@kumamanish Did you find the suggestions helpful? Please let us know if you require more information. Otherwise, please mark the answer as correct for posterity. If you've discovered a solution yourself, we would appreciate it if you could share it with the community. Thank you!



Kautuk Sahni

Views

366

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Related Conversations
Migrating from 6.2 to 6.5 or from on-prem to AEMaaCS

Views

70

Likes

0

Replies

3
Integrate AEM with Azure Storage SDK on AEMAsCloud

Views

42

Likes

3

Replies

0
Unable to set cookie in sling model class

Views

130

Likes

0

Replies

3
2 questions in relation to custom OAK indexes

Views

95

Likes

0

Replies

1
2 questions in relation to custom OAK indexes

Views

106

Likes

0

Replies

1