SOLVED

SAML integration with Okta to AEM 6.4

Sai_Krishna_1404
Level 1

Hi All, I am trying to integrate Okta SAML with AEM. I have updated the required SAML config; from the dispatcher, for a certain path in SAML, it redirects to the SSO page, and after a successful login it goes into an infinite loop.


When I tail the logs, I see the error log below:

10.03.2020 05:24:18.393 *DEBUG* com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
10.03.2020 05:24:18.773 *DEBUG* com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
10.03.2020 05:24:19.111 *DEBUG* com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
10.03.2020 05:24:19.404 *DEBUG* com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
10.03.2020 05:24:19.693 *DEBUG* [qtp466302136-56955] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.

SAML Config:

<jcr:root xmlns:sling="http://sling.apache.org/jcr/sling/1.0" xmlns:jcr="http://www.jcp.org/jcr/1.0"
    jcr:primaryType="sling:OsgiConfig"
    path="[/content/digital]"
    service.ranking="5002"
    idpUrl="https://ssologin/app/sso/saml"
    idpHttpRedirect="{Boolean}false"
    serviceProviderEntityId="https://dev1-www.com"
    defaultRedirectUrl="/content/digital/home"
    userIDAttribute=""
    useEncryption="{Boolean}false"
    createUser="{Boolean}true"
    addGroupMemberships="{Boolean}true"
    defaultGroups="[content-authors]"
    groupMembershipAttribute="groupId"
    idpCertAlias="certalias___11111111"
    keyStorePassword="admin123"
    logoutUrl=""
    handleLogout="{Boolean}true"
    nameIdFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    synchronizeAttributes="[FirstName=profile/givenName,LastName=profile/familyName,emailAddress=profile/email]" />


For Okta Configs:
Single Sign on URL : https://dev1-www.com/content/digital/saml_login
SP EntityID: https://dev1-www.com/


I have set useEncryption="{Boolean}false" in the SAML config, so I will not provide SP keys for the authentication-service. But I need the POST assertion to be consumed by AEM. Not sure what I am doing wrong. Please suggest if I am missing anything.


Thanks in advance!


1 Accepted Solution
Correct answer by jbrar (Employee)

Looks like the SAML servlet in AEM is not getting invoked. Can you change the SAML path variable to "/" and have the OKTA configuration send the response to "https://dev1-www.com/saml_login"?


3 Replies

midhun1909
Level 1

Hi,

I am facing the same issue. Did you get any resolution?


Sai_Krishna_1404
Level 1

Hi @midhun1909,


I added the IdP URL domain to the whitelist in the AEM OSGi Sling Referrer Filter (org.apache.sling.security.impl.ReferrerFilter.xml), which allows the external domain to create users in AEM. Try adding the host in the configMgr; hope it resolves the issue. Thanks!
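The two fixes in this thread (the accepted answer's pairing of the handler `path` with the Okta ACS URL, and the last reply's Referrer Filter whitelist) can be checked before deploying. The script below is an added example, not code from AEM or from this thread: it decodes the typed attributes of a sling:OsgiConfig node and reports where the posted settings disagree. The sample XML is a constructed, trimmed copy of the config above; the `allow_hosts` list stands in for the Referrer Filter's `allow.hosts` property and is an assumption about how you would feed that value in.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: the attributes from the thread's config that the checks need.
SAML_CONFIG_XML = """<jcr:root xmlns:sling="http://sling.apache.org/jcr/sling/1.0"
    xmlns:jcr="http://www.jcp.org/jcr/1.0"
    jcr:primaryType="sling:OsgiConfig"
    path="[/content/digital]"
    idpUrl="https://ssologin/app/sso/saml"
    serviceProviderEntityId="https://dev1-www.com"
    useEncryption="{Boolean}false"/>"""


def parse_osgi_config(xml_text):
    """Decode sling:OsgiConfig attributes: {Boolean}x -> bool, [a,b] -> list, else str."""
    cfg = {}
    for key, raw in ET.fromstring(xml_text).attrib.items():
        if key.startswith("{"):            # namespaced attrs such as jcr:primaryType
            continue
        typed = re.match(r"\{(\w+)\}(.*)", raw)
        if typed:
            typ, val = typed.groups()
            cfg[key] = (val.lower() == "true") if typ == "Boolean" else val
        elif raw.startswith("[") and raw.endswith("]"):
            cfg[key] = [v for v in raw[1:-1].split(",") if v]
        else:
            cfg[key] = raw
    return cfg


def check_saml_setup(cfg, okta_acs_url, okta_sp_entity_id, allow_hosts):
    """Return a list of findings; an empty list means Okta and AEM agree."""
    findings = []
    # The handler consumes the POST at <path>/saml_login for a configured path
    # (jbrar: path "/" pairs with https://dev1-www.com/saml_login).
    acs_path = urlparse(okta_acs_url).path
    expected = [p.rstrip("/") + "/saml_login" for p in cfg.get("path", [])]
    if acs_path not in expected:
        findings.append(f"Okta ACS path {acs_path} is not one of {expected}")
    # SAML entity IDs are compared as exact strings; a trailing slash is a mismatch.
    if okta_sp_entity_id != cfg.get("serviceProviderEntityId"):
        findings.append(f"SP entity ID differs: Okta {okta_sp_entity_id!r} "
                        f"vs AEM {cfg.get('serviceProviderEntityId')!r}")
    # The last reply resolved the loop by allowing the IdP host in the Referrer Filter.
    idp_host = urlparse(cfg["idpUrl"]).hostname
    if idp_host not in allow_hosts:
        findings.append(f"IdP host {idp_host} is not in ReferrerFilter allow.hosts")
    return findings


if __name__ == "__main__":
    posted = parse_osgi_config(SAML_CONFIG_XML)
    for line in check_saml_setup(posted, "https://dev1-www.com/content/digital/saml_login",
                                 "https://dev1-www.com/", []):
        print("FINDING:", line)
```

Run against the values posted in the question, it flags the trailing-slash entity ID mismatch and the missing Referrer Filter host; with `path="[/]"` and the ACS URL from the accepted answer it reports nothing.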