
SAML error with reason: invalid_token detected, redirect user to: /libs/granite/core/content/login.error.html?j_reason=invalid_token


Level 2

Hi,

I always get the below error message:

[screenshot: kumamanish_0-1663223461483.png]

IDP - Keycloak (http://localhost:8180/auth/realms/aem)

IDP Client - aem-app

SP - AEM (http://localhost:4502)

SP-SAML-CONFIG - Authentication Handler

[screenshot: kumamanish_1-1663223688068.png]

Logs (saml.log):

15.09.2022 11:57:38.092 *DEBUG* [qtp2135073923-4803] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
15.09.2022 11:58:23.949 *DEBUG* [qtp2135073923-4805] com.adobe.granite.auth.saml.util.SamlReader Signature verification failed for [saml:Assertion: null]. No signature.
15.09.2022 11:58:23.949 *DEBUG* [qtp2135073923-4805] com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: notOnOrAfter violated: (java.util.GregorianCalendar[time=1663223363949,areFieldsSet=true,areAllFieldsSet=true,lenient=true,zone=sun.util.calendar.ZoneInfo[id="Asia/Calcutta",offset=19800000,dstSavings=0,useDaylight=false,transitions=7,lastRule=null],firstDayOfWeek=1,minimalDaysInFirstWeek=1,ERA=1,YEAR=2022,MONTH=8,WEEK_OF_YEAR=38,WEEK_OF_MONTH=3,DAY_OF_MONTH=15,DAY_OF_YEAR=258,DAY_OF_WEEK=5,DAY_OF_WEEK_IN_MONTH=3,AM_PM=0,HOUR=11,HOUR_OF_DAY=11,MINUTE=59,SECOND=23,MILLISECOND=949,ZONE_OFFSET=19800000,DST_OFFSET=0] >= java.util.GregorianCalendar[time=1663223353897,areFieldsSet=true,areAllFieldsSet=true,lenient=true,zone=java.util.SimpleTimeZone[id=UTC,offset=0,dstSavings=3600000,useDaylight=false,startYear=0,startMode=0,startMonth=0,startDay=0,startDayOfWeek=0,startTime=0,startTimeMode=0,endMode=0,endMonth=0,endDay=0,endDayOfWeek=0,endTime=0,endTimeMode=0],firstDayOfWeek=1,minimalDaysInFirstWeek=1,ERA=1,YEAR=2022,MONTH=8,WEEK_OF_YEAR=38,WEEK_OF_MONTH=3,DAY_OF_MONTH=15,DAY_OF_YEAR=258,DAY_OF_WEEK=5,DAY_OF_WEEK_IN_MONTH=3,AM_PM=0,HOUR=6,HOUR_OF_DAY=6,MINUTE=29,SECOND=13,MILLISECOND=897,ZONE_OFFSET=0,DST_OFFSET=0]).
15.09.2022 11:58:23.949 *INFO* [qtp2135073923-4805] com.adobe.granite.auth.saml.SamlAuthenticationHandler Login failed. SAML token invalid.
15.09.2022 11:58:23.950 *INFO* [qtp2135073923-4805] com.adobe.granite.auth.saml.SamlAuthenticationHandler SAML error with reason: invalid_token detected, redirect user to: /libs/granite/core/content/login.error.html?j_reason=invalid_token
15.09.2022 11:58:24.074 *DEBUG* [qtp2135073923-4789] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
15.09.2022 11:58:24.076 *DEBUG* [qtp2135073923-4758] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
15.09.2022 11:58:24.103 *DEBUG* [qtp2135073923-4795] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
15.09.2022 11:58:24.103 *DEBUG* [qtp2135073923-4804] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.


I have generated a keystore and uploaded it to the global truststore, and mapped the same generated alias in the authentication handler.

Not able to resolve the issue; any help will be appreciated.

3 Replies


Level 2

Hi @arunpatidar,

Since my IdP is Keycloak, I won't go through the second link https://docs.mktossl.com/docs/experience-cloud-kcs/kbarticles/KA-17481.html?lang=en for SSOCircle; however, I tried all the suggestions in the first link https://blogs.perficient.com/2019/06/24/simple-local-saml-integration-with-aem-gotchas/ but still no luck, getting the below error in saml.log:

15.09.2022 17:57:53.162 *DEBUG* [qtp2135073923-5095] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
15.09.2022 17:57:56.458 *DEBUG* [qtp2135073923-5203] com.adobe.granite.auth.saml.util.SamlReader Signature verification failed for [saml:Assertion: null]. No signature.
15.09.2022 17:57:56.459 *DEBUG* [qtp2135073923-5203] com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: notOnOrAfter violated:
15.09.2022 17:57:56.459 *INFO* [qtp2135073923-5203] com.adobe.granite.auth.saml.SamlAuthenticationHandler Login failed. SAML token invalid.
15.09.2022 17:57:56.459 *INFO* [qtp2135073923-5203] com.adobe.granite.auth.saml.SamlAuthenticationHandler SAML error with reason: invalid_token detected, redirect user to: /libs/granite/core/content/login.error.html?j_reason=invalid_token
15.09.2022 17:57:56.610 *DEBUG* [qtp2135073923-5095] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.


Community Advisor

@kumamanish 

I know it's really late to answer this question. But I think it still makes sense to address this, considering the fact that the solution is not yet found. You can follow the below steps for further troubleshooting:

- Since SamlAuthenticationHandler is complaining about the private key of SP, I would suggest recreating and reuploading the certificate by following exactly the same steps explained here: https://experienceleague.adobe.com/docs/experience-manager-65/administering/security/saml-2-0-authen... (but honestly I think you don't even need that as you are not using encryption, so better remove the spPrivateKeyAlias)

- I think the key here is the message: SAML Token Invalid with notOnOrAfter violated. The SAML token, which refers to the content inside the <samlp:Response></samlp:Response> tag, has a validity period called Assertion Lifespan. I would suggest you check it in the Keycloak dashboard and set a longer lifespan (5 or 10 minutes).

You can find it in Keycloak: Client -> Client Details -> Advanced (tab) -> Advanced Settings -> Assertion Lifespan. 

See if this changes anything. 

For a complete reference: https://medium.com/@imrul001/comprehensive-guide-setting-up-saml-sso-between-keycloak-and-aem-0b134c...
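The notOnOrAfter check the advisor is pointing at, as an added example that is not code from the thread, from AEM or from Keycloak. It pulls the two epoch-millisecond `time=` values out of the saml.log line in the question and then runs the same Conditions check over a constructed, unsigned assertion with different lifespans. Everything beyond the log values is an assumption and is marked as such in the code: the compared instant in the log (time=1663223363949, 11:59:23.949 Asia/Calcutta) is exactly 60 s after the log line's own timestamp (11:58:23.949), so the checker adds a 60 s clock tolerance to "now" before comparing against NotOnOrAfter; the sample assertion, the 10 s issue-to-validation delay and the function names are mine.

```python
import re
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Abbreviated from the saml.log line in the question; only the two epoch-millis values matter.
LOG_LINE = ("com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: notOnOrAfter violated: "
            "(java.util.GregorianCalendar[time=1663223363949,...] >= "
            "java.util.GregorianCalendar[time=1663223353897,...])")

# Wall-clock timestamp of that log line: 11:58:23.949 Asia/Calcutta == 06:28:23.949 UTC.
LOG_WALL_CLOCK = datetime(2022, 9, 15, 6, 28, 23, 949000, tzinfo=timezone.utc)
# Assumption: the IdP issued the assertion ~10 s before AEM validated it.
ISSUE_INSTANT = LOG_WALL_CLOCK - timedelta(seconds=10)


def to_saml_instant(dt):
    """Format a datetime as the UTC xsd:dateTime form used in SAML attributes (millisecond precision)."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def parse_saml_instant(value):
    """Parse a SAML xsd:dateTime in UTC, with or without fractional seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def make_assertion(issue_instant, lifespan_s):
    """Build a minimal constructed (unsigned) assertion whose Conditions window
    opens at issue_instant and closes lifespan_s seconds later, as an IdP would emit."""
    nb = to_saml_instant(issue_instant)
    noa = to_saml_instant(issue_instant + timedelta(seconds=lifespan_s))
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="_constructed" Version="2.0" IssueInstant="{nb}">'
        "<saml:Issuer>http://localhost:8180/auth/realms/aem</saml:Issuer>"
        f'<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}">'
        "<saml:AudienceRestriction><saml:Audience>aem-app</saml:Audience>"
        "</saml:AudienceRestriction></saml:Conditions></saml:Assertion>"
    )


def check_conditions(assertion_xml, now, tolerance_s=60):
    """Validate the assertion's Conditions window; returns (ok, reason).
    Assumption from the log: the handler compares now + tolerance against NotOnOrAfter
    (the logged 'now' is exactly 60 s past the log line's own timestamp)."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return False, "no Conditions element"
    skewed_now = now + timedelta(seconds=tolerance_s)
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb is not None and skewed_now < parse_saml_instant(nb):
        return False, "notBefore violated"
    if noa is not None and skewed_now >= parse_saml_instant(noa):
        return False, "notOnOrAfter violated"
    return True, "ok"


def remaining_lifespan_ms(log_line):
    """From a 'notOnOrAfter violated' log line, return NotOnOrAfter minus the compared
    instant in milliseconds; a negative value means the handler treated it as expired."""
    times = [int(t) for t in re.findall(r"time=(\d+)", log_line)]
    if len(times) != 2:
        raise ValueError("expected two GregorianCalendar time= values")
    compared_now, not_on_or_after = times
    return not_on_or_after - compared_now


if __name__ == "__main__":
    print("margin in the logged comparison:", remaining_lifespan_ms(LOG_LINE), "ms")
    for lifespan_s in (60, 300):
        xml = make_assertion(ISSUE_INSTANT, lifespan_s)
        print(f"lifespan {lifespan_s}s, tolerance 60s:", check_conditions(xml, LOG_WALL_CLOCK))
    print("lifespan 60s, tolerance 0s:", check_conditions(make_assertion(ISSUE_INSTANT, 60), LOG_WALL_CLOCK, 0))
```

With the values from the log the margin comes out at -10052 ms: NotOnOrAfter (06:29:13.897 UTC) was only about 50 s after the request reached AEM, and a 60 s allowance added to "now" carries the comparison past it. Under that comparison any assertion lifespan at or below the tolerance fails no matter how fast the round trip is, which is why lengthening the Keycloak Assertion Lifespan (or, equivalently, reducing the tolerance) changes the outcome. The differing zones in the two calendars (Asia/Calcutta versus UTC) are not the problem: the comparison is made on the epoch instants, and 11:59:23 IST is the same instant as 06:29:23 UTC.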