SOLVED

SAML POST from Okta IDP to AEMaaCS failing


Level 4

We are doing a SAML integration with Okta as IdP on the AEM Publisher and, after doing all the required configurations, we are getting a 403 Forbidden when the IdP redirects to AEM.

[26/May/2023:10:25:20 +0000] [I] [cm-p104909-e982861-aem-publish-7cfb4c8c6d-nmjt2] "GET /content/cisco-dcloud/us/en/home/secure.html" 200 7ms [publishfarm/0] [actionnone] publish-p104909-e982861.adobeaemcloud.com
[26/May/2023:10:25:23 +0000] [I] [cm-p104909-e982861-aem-publish-7cfb4c8c6d-nmjt2] "POST /content/cisco-dcloud/saml_login" 403 7ms [publishfarm/0] [actionnone] publish-p104909-e982861.adobeaemcloud.com


We have allowed POST requests to */saml_login in the dispatcher filter rules as shown below, but we are still getting a 403 on the POST request:

# Allow SAML HTTP POST to ../saml_login end points
/0110 { /type "allow" /method "POST" /url "*/saml_login" }


Please suggest what can be the issue.


3 Replies


Correct answer by
Community Advisor

Hello @pardeepg4829047 


We also need to update "Referrer filter" and "CORS" settings.

https://experienceleague.adobe.com/docs/experience-manager-learn/cloud-service/authentication/saml-2...

Requesting you to please cross-check that all steps are implemented.


Aanchal Sikka


Level 4

@aanchal-sikka - we have already done the required CORS and Referrer Filter configurations as shown below, but the issue still persists.

CORS:

{
  "alloworigin": [
    "$[env:SAML_IDP_ORIGIN;default=http://www.okta.com]"
  ],
  "allowedpaths": [
    ".*/saml_login"
  ],
  "supportedmethods": [
    "POST"
  ]
}

Referrer Filter:

{
  "allow.empty": true,
  "allow.hosts.regexp": "http://www.okta.com",
  "allow.hosts": [
    "$[env:SAML_IDP_REFERRER;default=http://www.okta.com]"
  ],
  "filter.methods": [
    "POST"
  ],
  "exclude.agents.regexp": [ ]
}

The issue was an incorrect host in the Referrer Filter. We identified the correct referrer from the SAML response.

We changed the entry

$[env:SAML_IDP_REFERRER;default=http://www.okta.com]

to

$[env:SAML_IDP_REFERRER;default=int-id.cisco.com]
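The following is an added example, not code from the thread, from Adobe or from Apache Sling. It is a simplified Python model of the decision the Sling Referrer Filter makes on the publish instance when the browser POSTs the IdP's SAML form to /saml_login, using the configuration keys seen in the posts above (allow.empty, allow.hosts, allow.hosts.regexp, filter.methods). It replays the two outcomes from the thread: the first configuration, which only allows the literal origin http://www.okta.com, rejects a POST whose Referer is the IdP at int-id.cisco.com over https, while the corrected entry accepts it. The Referer path, the rule that a bare hostname matches both http and https, the port handling, and matching allow.hosts.regexp against the full Referer string are assumptions of this model, not verified Sling behaviour.

```python
"""
Simplified model of the Apache Sling Referrer Filter check that gates POSTs to
/saml_login on AEM publish. Added example: not Sling, Adobe or the poster's
code. All hostnames, headers and request paths below are constructed.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class ReferrerFilterConfig:
    """Subset of org.apache.sling.security.impl.ReferrerFilter settings."""
    allow_empty: bool = False
    allow_hosts: list = field(default_factory=list)
    allow_hosts_regexp: list = field(default_factory=list)
    filter_methods: tuple = ("POST", "PUT", "DELETE", "COPY", "MOVE")


def _matches_allowed_host(referrer: str, entry: str) -> bool:
    """One allow.hosts entry. Assumption of this model: a bare hostname is
    accepted for both http and https, while a scheme://host[:port] entry must
    agree with the Referer on scheme, host and port."""
    ref = urlparse(referrer)
    if "://" in entry:
        ent = urlparse(entry)
        return (ent.scheme == ref.scheme
                and (ent.hostname or "").lower() == (ref.hostname or "").lower()
                and ent.port == ref.port)
    return entry.lower() == (ref.hostname or "").lower()


def referrer_filter_status(cfg: ReferrerFilterConfig, method: str,
                           headers: dict, request_host: str) -> int:
    """Return 403 if the filter would reject the request, else 200 (the
    request is passed on to the SAML authentication handler)."""
    if method.upper() not in cfg.filter_methods:
        return 200                      # GETs are never referrer-checked
    referrer = headers.get("Referer", "")
    if not referrer:
        return 200 if cfg.allow_empty else 403
    if "://" not in referrer:
        return 200                      # relative referrer: same origin
    ref_host = (urlparse(referrer).hostname or "").lower()
    if ref_host == request_host.lower():
        return 200                      # posted from the publish host itself
    if any(_matches_allowed_host(referrer, e) for e in cfg.allow_hosts):
        return 200
    # Assumption: regexps are matched against the full Referer string.
    if any(re.fullmatch(p, referrer) for p in cfg.allow_hosts_regexp):
        return 200
    return 403


PUBLISH_HOST = "publish-p104909-e982861.adobeaemcloud.com"

# Constructed request: the browser submits the IdP's auto-post form, so the
# Referer is the IdP page that served the form (the tenant host, not
# www.okta.com). The path is made up for this example.
SAML_POST_HEADERS = {
    "Referer": "https://int-id.cisco.com/app/example/sso/saml",
    "Content-Type": "application/x-www-form-urlencoded",
}

# Configuration as first posted: only the literal origin http://www.okta.com.
ORIGINAL_CFG = ReferrerFilterConfig(
    allow_empty=True,
    allow_hosts=["http://www.okta.com"],
    allow_hosts_regexp=["http://www.okta.com"],
    filter_methods=("POST",),
)

# Configuration after the fix: the IdP's real host, scheme-agnostic.
FIXED_CFG = ReferrerFilterConfig(
    allow_empty=True,
    allow_hosts=["int-id.cisco.com"],
    allow_hosts_regexp=["http://www.okta.com"],
    filter_methods=("POST",),
)


def replay_thread() -> dict:
    """Reproduce the outcomes seen in the thread's dispatcher log."""
    return {
        "get_secure_page": referrer_filter_status(ORIGINAL_CFG, "GET", {}, PUBLISH_HOST),
        "post_original_cfg": referrer_filter_status(ORIGINAL_CFG, "POST", SAML_POST_HEADERS, PUBLISH_HOST),
        "post_fixed_cfg": referrer_filter_status(FIXED_CFG, "POST", SAML_POST_HEADERS, PUBLISH_HOST),
        "post_no_referer": referrer_filter_status(ORIGINAL_CFG, "POST", {}, PUBLISH_HOST),
    }


if __name__ == "__main__":
    for name, status in replay_thread().items():
        print(f"{name}: {status}")
```

Two practical notes follow from the model. First, the 403 in the log came from the publish instance after the dispatcher had already let the request through, so widening the dispatcher filter cannot fix it; the value to check is the Referer the browser actually sends on the POST to /saml_login (visible in the browser's network tab), which is the IdP host. Second, the Referrer Filter is a CSRF control: allow only the IdP host that really issues the POST, and resist the temptation to add a catch-all regexp such as ".*", which would silence the 403 by disabling the protection.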