Hi All, I am trying to integrate Okta SAML with AEM. I have updated the required SAML config; from the dispatcher, a certain path in SAML redirects to the SSO page, and after successful login it goes into an infinite loop.
When I tail the logs, I see the error log below:
10.03.2020 05:24:18.393 *DEBUG* com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
10.03.2020 05:24:18.773 *DEBUG* com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
10.03.2020 05:24:19.111 *DEBUG* com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
10.03.2020 05:24:19.404 *DEBUG* com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
10.03.2020 05:24:19.693 *DEBUG* [qtp466302136-56955] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
SAML Config:
<jcr:root xmlns:sling="http://sling.apache.org/jcr/sling/1.0" xmlns:jcr="http://www.jcp.org/jcr/1.0"
    jcr:primaryType="sling:OsgiConfig"
    path="[/content/digital]"
    service.ranking="5002"
    idpUrl="https://ssologin/app/sso/saml"
    idpHttpRedirect="{Boolean}false"
    serviceProviderEntityId="https://dev1-www.com"
    defaultRedirectUrl="/content/digital/home"
    userIDAttribute=""
    useEncryption="{Boolean}false"
    createUser="{Boolean}true"
    addGroupMemberships="{Boolean}true"
    defaultGroups="[content-authors]"
    groupMembershipAttribute="groupId"
    idpCertAlias="certalias___11111111"
    keyStorePassword="admin123"
    logoutUrl=""
    handleLogout="{Boolean}true"
    nameIdFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    synchronizeAttributes="[FirstName=profile/givenName,LastName=profile/familyName,emailAddress=profile/email]" />
Okta configs:
Single Sign-on URL: https://dev1-www.com/content/digital/saml_login
SP EntityID: https://dev1-www.com/
I have set useEncryption="{Boolean}false" in the SAML config, so I will not provide SP keys for the authentication service. But I need the POST assertion to be consumed by AEM. I am not sure what I am doing wrong. Please suggest if I am missing anything.
Thanks in advance!
Looks like the SAML servlet in AEM is not getting invoked. Can you change the SAML path variable to "/" and have the Okta configuration send the response to "https://dev1-www.com/saml_login"?
Hi,
I am facing the same issue. Did you get any resolution?
Hi @midhun1909,
I whitelisted the IdpUrl domain in the AEM OSGi Sling Referrer Filter (org.apache.sling.security.impl.ReferrerFilter.xml), which allows the external domain to create users in AEM. Try adding the host in the ConfigMgr; hope it resolves the issue. Thanks!
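The two replies above point at two different places where this setup can silently break: the assertion consumer URL Okta posts to must be one the AEM SAML handler actually serves (first reply), and Sling's ReferrerFilter drops POSTs whose Referer host is not allowed (second reply). The script below is an added example, not code from the thread, from Adobe or from Okta. It parses sling:OsgiConfig XML of the kind posted above and runs those consistency checks, plus an exact-string comparison of the SP entity ID, which in the thread is "https://dev1-www.com" on the AEM side and "https://dev1-www.com/" on the Okta side. The SAML handler values are copied from the original post; the ReferrerFilter config, the Okta-side values passed in, and the property name spPrivateKeyAlias are assumptions.

```python
"""Consistency checks for an AEM SAML handler OSGi config against the IdP
settings. Added example for this thread; not Adobe's or Okta's code."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Values copied from the SAML config posted in the thread (trimmed to the
# attributes the checks use).
SAML_CONFIG_XML = """<jcr:root xmlns:sling="http://sling.apache.org/jcr/sling/1.0"
    xmlns:jcr="http://www.jcp.org/jcr/1.0"
    jcr:primaryType="sling:OsgiConfig"
    path="[/content/digital]"
    idpUrl="https://ssologin/app/sso/saml"
    idpHttpRedirect="{Boolean}false"
    serviceProviderEntityId="https://dev1-www.com"
    useEncryption="{Boolean}false"/>
"""

# Constructed ReferrerFilter config (org.apache.sling.security.impl.ReferrerFilter)
# that allows only the site's own host, i.e. the IdP host is missing.
REFERRER_FILTER_XML = """<jcr:root xmlns:sling="http://sling.apache.org/jcr/sling/1.0"
    xmlns:jcr="http://www.jcp.org/jcr/1.0"
    jcr:primaryType="sling:OsgiConfig"
    allow.empty="{Boolean}false"
    allow.hosts="[dev1-www.com]"
    filter.methods="[POST,PUT,DELETE,COPY,MOVE]"/>
"""


def parse_osgi_config(xml_text):
    """Turn a sling:OsgiConfig node's attributes into Python values.
    Decodes "{Boolean}x" typed values and "[a,b]" multi-values; namespaced
    attributes such as jcr:primaryType are skipped."""
    root = ET.fromstring(xml_text)
    cfg = {}
    for name, raw in root.attrib.items():
        if name.startswith("{"):  # ElementTree encodes namespaced attrs as {uri}name
            continue
        if raw.startswith("{Boolean}"):
            cfg[name] = raw[len("{Boolean}"):].lower() == "true"
        elif raw.startswith("[") and raw.endswith("]"):
            cfg[name] = [v for v in raw[1:-1].split(",") if v]
        else:
            cfg[name] = raw
    return cfg


def check_saml_setup(saml_cfg, okta_acs_url, okta_sp_entity_id, referrer_cfg):
    """Return a list of (level, message) findings; level is 'error' or 'info'."""
    findings = []

    # 1. The ACS URL Okta posts to must be <handler path>/saml_login for one of
    #    the paths the handler is registered on, or the handler never sees it.
    acs_path = urlparse(okta_acs_url).path
    expected = [p.rstrip("/") + "/saml_login" for p in saml_cfg.get("path", [])]
    if acs_path not in expected:
        findings.append(("error", f"ACS path {acs_path!r} is not one of {expected}"))

    # 2. SAML entity IDs are compared as exact strings; a trailing slash is a mismatch.
    sp_id = saml_cfg.get("serviceProviderEntityId", "")
    if sp_id != okta_sp_entity_id:
        findings.append(("error",
                         f"SP entity ID mismatch: AEM {sp_id!r} vs IdP {okta_sp_entity_id!r}"))

    # 3. The IdP's browser POST carries the IdP host as Referer; ReferrerFilter
    #    rejects filtered methods from hosts that are not allowed.
    idp_host = urlparse(saml_cfg.get("idpUrl", "")).hostname
    allowed = referrer_cfg.get("allow.hosts", [])
    if "POST" in referrer_cfg.get("filter.methods", []) and idp_host not in allowed:
        findings.append(("error",
                         f"IdP host {idp_host!r} missing from ReferrerFilter allow.hosts {allowed}"))

    # 4. Without an SP private key the AuthnRequest goes out unsigned, which is
    #    what the DEBUG line in the thread reports. Property name is assumed.
    if not saml_cfg.get("spPrivateKeyAlias"):
        findings.append(("info", "no SP private key alias: AuthnRequests are sent unsigned"))
    return findings


def run_thread_example():
    """Run the checks with the thread's AEM config and Okta-side values."""
    saml = parse_osgi_config(SAML_CONFIG_XML)
    referrer = parse_osgi_config(REFERRER_FILTER_XML)
    return check_saml_setup(
        saml,
        okta_acs_url="https://dev1-www.com/content/digital/saml_login",
        okta_sp_entity_id="https://dev1-www.com/",
        referrer_cfg=referrer,
    )


if __name__ == "__main__":
    for level, msg in run_thread_example():
        print(f"[{level}] {msg}")
```

Run against the thread's values, the ACS path check passes, while the entity ID check flags the trailing-slash difference and the referrer check flags that the IdP host is not in allow.hosts; the unsigned AuthnRequest is reported as informational only, since the log line is DEBUG and the original poster chose not to configure SP keys.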