SOLVED

SAML integration with Okta to AEM 6.4


Level 2

Hi all, I am trying to integrate Okta SAML with AEM. I have updated the required SAML config. From the dispatcher, a certain path configured in SAML redirects to the SSO page, but after a successful login it goes into an infinite loop.

When I tail the logs, I see the error log below:

10.03.2020 05:24:18.393 *DEBUG* com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
10.03.2020 05:24:18.773 *DEBUG* com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
10.03.2020 05:24:19.111 *DEBUG* com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
10.03.2020 05:24:19.404 *DEBUG* com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
10.03.2020 05:24:19.693 *DEBUG* [qtp466302136-56955] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.

SAML config:

    <jcr:root xmlns:sling="http://sling.apache.org/jcr/sling/1.0" xmlns:jcr="http://www.jcp.org/jcr/1.0"
        jcr:primaryType="sling:OsgiConfig"
        path="[/content/digital]"
        service.ranking="5002"
        idpUrl="https://ssologin/app/sso/saml"
        idpHttpRedirect="{Boolean}false"
        serviceProviderEntityId="https://dev1-www.com"
        defaultRedirectUrl="/content/digital/home"
        userIDAttribute=""
        useEncryption="{Boolean}false"
        createUser="{Boolean}true"
        addGroupMemberships="{Boolean}true"
        defaultGroups="[content-authors]"
        groupMembershipAttribute="groupId"
        idpCertAlias="certalias___11111111"
        keyStorePassword="admin123"
        logoutUrl=""
        handleLogout="{Boolean}true"
        nameIdFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
        synchronizeAttributes="[FirstName=profile/givenName,LastName=profile/familyName,emailAddress=profile/email]" />

Okta config:
Single Sign on URL: https://dev1-www.com/content/digital/saml_login
SP EntityID: https://dev1-www.com/

I have set useEncryption="{Boolean}false" in the SAML config, so I am not providing SP keys for the authentication service. But I need the POST assertion to be consumed by AEM. I am not sure what I am doing wrong; please suggest if I am missing anything.

Thanks in advance!


1 Accepted Solution


Correct answer by
Employee Advisor

Looks like the SAML servlet in AEM is not getting invoked. Can you change the SAML path variable to "/" and have the Okta configuration send the response to "https://dev1-www.com/saml_login"?


3 Replies


Level 2

Hi,

I am facing the same issue. Did you get any resolution?



Level 2

Hi @midhun1909,


I added the IdpUrl domain to the whitelist in the AEM OSGi Sling Referrer Filter (org.apache.sling.security.impl.ReferrerFilter.xml), which allows the external domain to create users in AEM. Try adding the host in the ConfigMgr; hope it resolves the issue. Thanks!
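The accepted answer ties the handler's path setting to the URL Okta must post to (path "/" gives https://dev1-www.com/saml_login), and the last reply adds the Sling Referrer Filter host list. The script below is an added example for this thread, not Adobe's or Okta's code: it parses a sling:OsgiConfig fragment like the one posted, derives the assertion consumer URL for each configured path using that <path>/saml_login convention, compares it and the SP entity ID (exact string match, so a trailing slash counts) with the Okta values, and checks whether the IdP host appears in the Referrer Filter's allow.hosts or allow.hosts.regexp properties. The SAML config sample is trimmed from the post (keystore password left out); the two referrer configs, the Okta dictionaries and the reference to the handler's spPrivateKeyAlias property (absent from the posted config, which is why the "Private key of SP not provided" DEBUG line appears) are assumptions made for the example, not facts the thread establishes.

```python
"""Consistency checks between an AEM SAML handler config and Okta SP settings.

Added example for this forum thread (not Adobe's or Okta's code). Sample
inputs are constructed from the values quoted in the thread.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

TYPED = re.compile(r"^\{(\w+)\}(.*)$", re.S)   # sling:OsgiConfig typed value, e.g. "{Boolean}false"


def _coerce(typ, val):
    if typ == "Boolean":
        return val.strip().lower() == "true"
    if typ == "Long":
        return int(val)
    return val


def parse_osgi_config(xml_text):
    """Return the un-namespaced attributes of a sling:OsgiConfig node as Python values:
    "{Boolean}false" -> False, "[a,b]" -> ["a", "b"], anything else stays a string."""
    root = ET.fromstring(xml_text)
    cfg = {}
    for key, raw in root.attrib.items():
        if key.startswith("{"):            # jcr:/sling: attributes are not config keys
            continue
        m = TYPED.match(raw)
        typ, val = (m.group(1), m.group(2)) if m else (None, raw)
        if val.startswith("[") and val.endswith("]"):
            cfg[key] = [_coerce(typ, v.strip()) for v in val[1:-1].split(",") if v.strip()]
        else:
            cfg[key] = _coerce(typ, val)
    return cfg


def as_list(v):
    return [] if v is None else ([v] if isinstance(v, str) else list(v))


def expected_acs_urls(saml_cfg, sp_base):
    """URLs AEM answers SAML POSTs on: <path>/saml_login for each handler path
    (the convention the accepted answer relies on). sp_base is the public
    scheme+host served by the dispatcher, assumed here to be the Okta SSO URL's host."""
    base = sp_base.rstrip("/")
    urls = []
    for p in as_list(saml_cfg.get("path")):
        p = p.strip("/")
        urls.append(f"{base}/{p}/saml_login" if p else f"{base}/saml_login")
    return urls


def check_saml(saml_cfg, okta, referrer_cfg=None):
    """Return a list of findings; only 'info:' entries means the settings agree."""
    findings = []
    sso = urlsplit(okta["sso_url"])
    acs = expected_acs_urls(saml_cfg, f"{sso.scheme}://{sso.netloc}")
    if okta["sso_url"] not in acs:
        findings.append(f"ACS mismatch: Okta posts to {okta['sso_url']} but AEM listens on {acs}")
    # SAML entity IDs are compared as exact strings; "https://x" and "https://x/" differ.
    sp_id = saml_cfg.get("serviceProviderEntityId")
    if okta["sp_entity_id"] != sp_id:
        findings.append(f"entity ID mismatch: Okta {okta['sp_entity_id']!r} vs AEM {sp_id!r}")
    if not saml_cfg.get("spPrivateKeyAlias"):   # handler property; unset in the posted config
        findings.append("info: no spPrivateKeyAlias, AuthnRequests are sent unsigned "
                        "(the 'Private key of SP not provided' DEBUG line); the IdP must accept that")
    if referrer_cfg is not None:
        idp_host = urlsplit(saml_cfg["idpUrl"]).hostname
        hosts = as_list(referrer_cfg.get("allow.hosts"))
        regexps = as_list(referrer_cfg.get("allow.hosts.regexp"))
        if idp_host not in hosts and not any(re.fullmatch(rx, idp_host) for rx in regexps):
            findings.append(f"Referrer filter: IdP host {idp_host!r} is not in allow.hosts; "
                            "a POST with that Referer may be rejected (HTTP 403)")
    return findings


# Trimmed from the posted config (keystore password omitted).
SAML_CONFIG_XML = """<jcr:root xmlns:sling="http://sling.apache.org/jcr/sling/1.0"
    xmlns:jcr="http://www.jcp.org/jcr/1.0" jcr:primaryType="sling:OsgiConfig"
    path="[/content/digital]" idpUrl="https://ssologin/app/sso/saml"
    idpHttpRedirect="{Boolean}false" serviceProviderEntityId="https://dev1-www.com"
    useEncryption="{Boolean}false" defaultGroups="[content-authors]"/>"""
OKTA_AS_POSTED = {"sso_url": "https://dev1-www.com/content/digital/saml_login",
                  "sp_entity_id": "https://dev1-www.com/"}
# Constructed Referrer Filter configs: without and with the IdP host.
REFERRER_XML = """<jcr:root xmlns:jcr="http://www.jcp.org/jcr/1.0" jcr:primaryType="sling:OsgiConfig"
    allow.empty="{Boolean}false" allow.hosts="[dev1-www.com]" allow.hosts.regexp="[]"/>"""
REFERRER_WITH_IDP_XML = REFERRER_XML.replace("[dev1-www.com]", "[dev1-www.com,ssologin]")

if __name__ == "__main__":
    cfg = parse_osgi_config(SAML_CONFIG_XML)
    for line in check_saml(cfg, OKTA_AS_POSTED, parse_osgi_config(REFERRER_XML)):
        print(line)
```

Running it against the posted values reports the entity ID mismatch and the missing IdP host; re-running with path "/" and the Okta SSO URL set to https://dev1-www.com/saml_login, as the accepted answer suggests, keeps the ACS check green, which is the relationship the answer depends on.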