
SOLVED

SAML integration with Okta to AEM 6.4


Level 2

Hi All, I am trying to integrate Okta SAML with AEM. I have updated the required SAML config; from the dispatcher, for a certain path, SAML redirects to the SSO page, but after a successful login it goes into an infinite loop.

When I tail the logs, I see the error log below:

10.03.2020 05:24:18.393 *DEBUG* com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
10.03.2020 05:24:18.773 *DEBUG* com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
10.03.2020 05:24:19.111 *DEBUG* com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
10.03.2020 05:24:19.404 *DEBUG* com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
10.03.2020 05:24:19.693 *DEBUG* [qtp466302136-56955] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.

SAML Config:

<jcr:root xmlns:sling="http://sling.apache.org/jcr/sling/1.0" xmlns:jcr="http://www.jcp.org/jcr/1.0"
    jcr:primaryType="sling:OsgiConfig"
    path="[/content/digital]"
    service.ranking="5002"
    idpUrl="https://ssologin/app/sso/saml"
    idpHttpRedirect="{Boolean}false"
    serviceProviderEntityId="https://dev1-www.com"
    defaultRedirectUrl="/content/digital/home"
    userIDAttribute=""
    useEncryption="{Boolean}false"
    createUser="{Boolean}true"
    addGroupMemberships="{Boolean}true"
    defaultGroups="[content-authors]"
    groupMembershipAttribute="groupId"
    idpCertAlias="certalias___11111111"
    keyStorePassword="admin123"
    logoutUrl=""
    handleLogout="{Boolean}true"
    nameIdFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    synchronizeAttributes="[FirstName=profile/givenName,LastName=profile/familyName,emailAddress=profile/email]" />


For the Okta configs:
Single Sign-on URL: https://dev1-www.com/content/digital/saml_login
SP EntityID: https://dev1-www.com/

I have set useEncryption="{Boolean}false" in the SAML config, so I will not provide SP keys for the authentication service. But I need the POST assertion to be consumed by AEM. I am not sure what I am doing wrong; please suggest if I am missing anything.

Thanks in advance!



3 Replies


Correct answer by
Employee Advisor

Looks like the SAML servlet in AEM is not getting invoked. Can you change the SAML path variable to "/" and have the Okta configuration send the response to "https://dev1-www.com/saml_login"?


Level 2

Hi,

I am facing the same issue. Did you get any resolution?



Level 2

Hi @midhun1909,


I added the IdpUrl domain to the whitelist in the AEM OSGi Sling Referrer Filter (org.apache.sling.security.impl.ReferrerFilter.xml), which allows the external domain to create a user in AEM. Try adding the host in the ConfigMgr; hope it resolves the issue. Thanks!
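The accepted answer (handler path vs. the ACS URL Okta posts to) and the last reply (IdP host in the Sling Referrer Filter) are both consistency problems between three places that must agree: the AEM OSGi config, the Okta application settings, and the referrer filter. The script below is an added example, not code from the thread or from Adobe, that parses the sling:OsgiConfig XML posted in the question and checks those three sides offline. It assumes the ACS endpoint is <handler path>/saml_login as the accepted answer states, that the SP signing key is configured via a property named spPrivateKeyAlias, and that the referrer filter's allow list is its allow.hosts property; the sample config and IdP-side values are constructed from the question (note the trailing slash on the Okta SP EntityID, which does not match the AEM serviceProviderEntityId).

```python
"""Offline consistency checks for an AEM SAML authentication-handler config
against the IdP-side (Okta) application settings and the Sling Referrer Filter.
Example code added to this page; it is not part of the original thread or of AEM."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Sample OSGi config, constructed from the values shown in the question above.
SAML_CONFIG_XML = """<jcr:root xmlns:sling="http://sling.apache.org/jcr/sling/1.0"
    xmlns:jcr="http://www.jcp.org/jcr/1.0"
    jcr:primaryType="sling:OsgiConfig"
    path="[/content/digital]"
    idpUrl="https://ssologin/app/sso/saml"
    serviceProviderEntityId="https://dev1-www.com"
    useEncryption="{Boolean}false"
    createUser="{Boolean}true"
    defaultGroups="[content-authors]"
    idpCertAlias="certalias___11111111"
    keyStorePassword="admin123"/>
"""


def parse_osgi_config(xml_text):
    """Decode sling:OsgiConfig attributes: '{Boolean}x' -> bool, '[a,b]' -> list, else str."""
    cfg = {}
    for name, value in ET.fromstring(xml_text).attrib.items():
        key = name.split("}", 1)[-1]  # strip a namespace prefix such as jcr:
        if value.startswith("{Boolean}"):
            cfg[key] = value[len("{Boolean}"):].lower() == "true"
        elif value.startswith("[") and value.endswith("]"):
            cfg[key] = [v for v in value[1:-1].split(",") if v]
        else:
            cfg[key] = value
    return cfg


def check_saml_setup(cfg, idp_acs_url, idp_sp_entity_id, referrer_allow_hosts):
    """Return (severity, message) findings; an empty list means the three sides agree."""
    findings = []

    # 1. entityIDs are matched as exact strings, so "https://dev1-www.com" and
    #    "https://dev1-www.com/" are different SPs and the assertion's
    #    AudienceRestriction will not match the AEM side.
    sp_entity = cfg.get("serviceProviderEntityId", "")
    if sp_entity != idp_sp_entity_id:
        findings.append(("error", f"entityID mismatch: AEM={sp_entity!r} IdP={idp_sp_entity_id!r}"))

    # 2. The handler only serves requests under its configured path(s), so the ACS
    #    URL the IdP posts to must sit under one of them and be the /saml_login
    #    endpoint (assumption: endpoint name taken from the accepted answer).
    paths = cfg.get("path", "/")
    paths = [paths] if isinstance(paths, str) else (paths or ["/"])
    acs_path = urlparse(idp_acs_url).path
    if not acs_path.endswith("/saml_login"):
        findings.append(("error", f"ACS URL {idp_acs_url} does not end in /saml_login"))
    if not any(acs_path.startswith(p.rstrip("/") + "/") for p in paths):
        findings.append(("error", f"ACS path {acs_path} is outside the handler path(s) {paths}"))

    # 3. The Sling Referrer Filter rejects POSTs whose Referer host is not allowed.
    #    The SAML response arrives as a cross-site POST from the IdP, so its host
    #    must be in allow.hosts (allow.hosts.regexp is not modelled here).
    idp_host = urlparse(cfg.get("idpUrl", "")).hostname or ""
    if idp_host not in referrer_allow_hosts:
        findings.append(("error", f"IdP host {idp_host!r} is not in ReferrerFilter allow.hosts; the POST will be rejected"))

    # 4. Without an SP private key the AuthnRequest cannot be signed (the DEBUG line
    #    in the question) and encrypted assertions cannot be decrypted.
    #    Assumption: the SP key is referenced by a spPrivateKeyAlias property.
    if not cfg.get("spPrivateKeyAlias"):
        findings.append(("warn", "no spPrivateKeyAlias: AuthnRequests are unsigned, so the IdP must not require signed requests"))
        if cfg.get("useEncryption"):
            findings.append(("error", "useEncryption=true but there is no SP private key to decrypt assertions"))

    # 5. Authorization hygiene: every auto-created user lands in defaultGroups.
    if cfg.get("createUser") and cfg.get("defaultGroups"):
        findings.append(("warn", f"createUser=true auto-provisions every IdP user into {cfg['defaultGroups']}"))

    # 6. A keystore password committed as a literal in the OSGi config.
    if cfg.get("keyStorePassword"):
        findings.append(("warn", "keyStorePassword is a plaintext literal in the repository config"))
    return findings


if __name__ == "__main__":
    cfg = parse_osgi_config(SAML_CONFIG_XML)
    # IdP-side values as posted in the question; the referrer allow list is empty.
    for sev, msg in check_saml_setup(cfg, "https://dev1-www.com/content/digital/saml_login",
                                     "https://dev1-www.com/", referrer_allow_hosts=[]):
        print(f"[{sev}] {msg}")
```

Run as-is it reports the entityID mismatch and the missing referrer host; pass path=["/"] with an ACS of https://dev1-www.com/saml_login to model the accepted answer, or keep the original path with the root ACS to see why the two must be changed together.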