Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
Bedrock Mission!

Learn more

View all

Sign in to view all badges

SOLVED

SAML integration with Okta to AEM 6.4

Avatar

Level 2

Hi All, I am trying to integrate the okta SAML to AEM. I have updated required SAML config, from the dispatcher to certain path in SAML it is re-directing to the SSO page, after successful login it is going to infinite loop.

 

when I tail the logs, I see below error log:

10.03.2020 05:24:18.393 *DEBUG* com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
10.03.2020 05:24:18.773 *DEBUG* com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
10.03.2020 05:24:19.111 *DEBUG* com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
10.03.2020 05:24:19.404 *DEBUG* com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
10.03.2020 05:24:19.693 *DEBUG* [qtp466302136-56955] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.

 SAML Config:

<jcr:root xmlns:sling="http://sling.apache.org/jcr/sling/1.0" xmlns:jcr="http://www.jcp.org/jcr/1.0"
jcr:primaryType="sling:OsgiConfig"
path="[/content/digital]"
service.ranking="5002"
idpUrl="https://ssologin/app/sso/saml"
idpHttpRedirect="{Boolean}false"
serviceProviderEntityId="https://dev1-www.com"
defaultRedirectUrl="/content/digital/home"
userIDAttribute=""
useEncryption="{Boolean}false"
createUser="{Boolean}true"
addGroupMemberships="{Boolean}true"
defaultGroups="[content-authors]"
groupMembershipAttribute="groupId"
idpCertAlias="certalias___11111111"
keyStorePassword="admin123"
logoutUrl=""
handleLogout="{Boolean}true"
nameIdFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
synchronizeAttributes="[FirstName=profile/givenName,LastName=profile/familyName,emailAddress=profile/email]" />

 

For Okta Configs:
Single Sign on URL : https://dev1-www.com/content/digital/saml_login
SP EntityID: https://dev1-www.com/

 

I have mentioned in SAML config "useEncryption="{Boolean}false" as false, So, I will not provide SP keys for authentication-service. But I need POST assertion need to be consumed to AEM, Not sure what I am doing it wrong. Please suggest if I am missing any.

 

Thanks in advance!

 

1 Accepted Solution

Avatar

Correct answer by
Employee Advisor

Looks like the SAML servlet in AEM is not getting invoked. Can you change the SAML path variable to "/" and have the OKTA configuration send the response to "https://dev1-www.com/saml_login"

View solution in original post

3 Replies

Avatar

Correct answer by
Employee Advisor

Looks like the SAML servlet in AEM is not getting invoked. Can you change the SAML path variable to "/" and have the OKTA configuration send the response to "https://dev1-www.com/saml_login"

Avatar

Level 1

Hi,

I am facing the same issue. Did you get any resolution?

 

Avatar

Level 2

Hi @midhun1909,

 

I added IdpUrl domain whitelisted in AEM OSGI Sling Referrer Filter(org.apache.sling.security.impl.ReferrerFilter.xml), which will allow external domain to create user in AEM. Try adding host in the configMgr, Hope it resolves the issue, Thanks!