
SOLVED

SAML POST from Okta IDP to AEMaaCS failing


Level 2

We are doing a SAML integration with Okta as the IdP on AEM Publish and, after doing all the required configurations, we are getting a 403 Forbidden when the IdP redirects to AEM.

[26/May/2023:10:25:20 +0000] [I] [cm-p104909-e982861-aem-publish-7cfb4c8c6d-nmjt2] "GET /content/cisco-dcloud/us/en/home/secure.html" 200 7ms [publishfarm/0] [actionnone] publish-p104909-e982861.adobeaemcloud.com
[26/May/2023:10:25:23 +0000] [I] [cm-p104909-e982861-aem-publish-7cfb4c8c6d-nmjt2] "POST /content/cisco-dcloud/saml_login" 403 7ms [publishfarm/0] [actionnone] publish-p104909-e982861.adobeaemcloud.com

We have allowed the POST request to */saml_login in the filter rules on the dispatcher as shown below, but we are still getting a 403 on the POST request:

# Allow SAML HTTP POST to ../saml_login end points
/0110 { /type "allow" /method "POST" /url "*/saml_login" }

Please suggest what can be the issue.

1 Accepted Solution


Correct answer by
Community Advisor

Hello @pardeepg4829047

We also need to update the "Referrer Filter" and "CORS" settings.

https://experienceleague.adobe.com/docs/experience-manager-learn/cloud-service/authentication/saml-2...

Requesting you to please cross-check that all steps are implemented.


Aanchal Sikka


3 Replies



Level 2

@aanchal-sikka - we have already done the required configurations for CORS and the Referrer Filter as per below, but the issue still persists.

CORS:

{
  "alloworigin": [
    "$[env:SAML_IDP_ORIGIN;default=http://www.okta.com]"
  ],
  "allowedpaths": [
    ".*/saml_login"
  ],
  "supportedmethods": [
    "POST"
  ]
}

Referrer Filter:

{
  "allow.empty": true,
  "allow.hosts.regexp": "http://www.okta.com",
  "allow.hosts": [
    "$[env:SAML_IDP_REFERRER;default=http://www.okta.com]"
  ],
  "filter.methods": [
    "POST"
  ],
  "exclude.agents.regexp": [ ]
}

The issue was with an incorrect host in the Referrer Filter. We identified the correct referrer from the SAML response.

We changed the below entry to fix the issue:

$[env:SAML_IDP_REFERRER;default=http://www.okta.com]

to

$[env:SAML_IDP_REFERRER;default=int-id.cisco.com]
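The diagnosis in the reply above, worked through in code. This is an added example and is not code from the thread, from Adobe or from Apache Sling: a Python script that pulls the IdP host out of the Issuer of a SAML Response (a constructed, unsigned, minimal response stands in for what the IdP POSTs to saml_login), then evaluates the poster's Referrer Filter configuration against that POST using a simplified model of the Sling ReferrerFilter rules. The model's matching rules (bare host names compared against the Referer host, entries containing "://" treated as URL prefixes, regexps applied to the full Referer, the request's own host always allowed) are an assumption about the filter, not its source; the Referer value and the SAML XML are constructed, and the string-valued allow.hosts.regexp from the posted JSON is normalised to a list.

```python
import base64
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAML_NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"
AEM_HOST = "publish-p104909-e982861.adobeaemcloud.com"

# Constructed, unsigned, minimal SAML Response (a real Okta response is far
# larger and carries a signature); only the Issuer matters for this check.
SAML_RESPONSE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'Destination="https://' + AEM_HOST + '/content/cisco-dcloud/saml_login">'
    '<saml:Issuer>https://int-id.cisco.com/idp/example-entity</saml:Issuer>'
    '</samlp:Response>'
)
SAML_RESPONSE_B64 = base64.b64encode(SAML_RESPONSE_XML.encode()).decode()

# The poster's original Referrer Filter config with the env placeholders
# resolved to their defaults; allow.hosts.regexp normalised to a list.
ORIGINAL_CFG = {
    "allow.empty": True,
    "allow.hosts.regexp": ["http://www.okta.com"],
    "allow.hosts": ["http://www.okta.com"],
    "filter.methods": ["POST"],
}


def idp_host_from_saml_response(b64_response):
    """Host of the <saml:Issuer> in a base64-encoded SAMLResponse form field."""
    root = ET.fromstring(base64.b64decode(b64_response))
    issuer = root.find(SAML_NS + "Issuer")
    if issuer is None or not issuer.text:
        raise ValueError("SAML Response has no Issuer")
    return urlparse(issuer.text.strip()).hostname


def referrer_filter_allows(cfg, method, request_host, referer):
    """Simplified model (an assumption, not Sling's code) of the ReferrerFilter decision."""
    if method.upper() not in {m.upper() for m in cfg.get("filter.methods", ["POST"])}:
        return True                       # only the configured methods are filtered
    if not referer or not referer.strip():
        return bool(cfg.get("allow.empty", False))
    if "://" not in referer:
        return True                       # relative referrer: same site
    ref_host = (urlparse(referer).hostname or "").lower()
    if not ref_host:
        return False                      # unparseable absolute referrer
    if ref_host == request_host.lower():
        return True                       # the server's own host is always allowed
    for entry in cfg.get("allow.hosts", []):
        entry = entry.lower()
        if "://" in entry:
            if referer.lower().startswith(entry):
                return True               # URL-style entry: prefix match
        elif entry == ref_host:
            return True                   # bare host name: exact host match
    for pattern in cfg.get("allow.hosts.regexp", []):
        if re.fullmatch(pattern, referer, re.IGNORECASE):
            return True
    return False


def fixed_config(cfg, b64_response):
    """Copy of cfg with allow.hosts set to the IdP host taken from the SAML Response."""
    new_cfg = dict(cfg)
    new_cfg["allow.hosts"] = [idp_host_from_saml_response(b64_response)]
    return new_cfg


def simulate_saml_post(cfg, referer):
    """Status the filter would produce for the IdP's POST to /content/cisco-dcloud/saml_login."""
    return 200 if referrer_filter_allows(cfg, "POST", AEM_HOST, referer) else 403


if __name__ == "__main__":
    referer = "https://int-id.cisco.com/idp/SSO.saml2"   # constructed Referer value
    print("IdP host from SAML Response:", idp_host_from_saml_response(SAML_RESPONSE_B64))
    print("original config:", simulate_saml_post(ORIGINAL_CFG, referer))
    print("fixed config:   ", simulate_saml_post(fixed_config(ORIGINAL_CFG, SAML_RESPONSE_B64), referer))
```

With the original entries, a Referer from int-id.cisco.com matches neither the URL-style host entry nor the regexp, so the POST is rejected even though the dispatcher and CORS rules let it through; replacing the entry with the Issuer's bare host makes the same request pass. The same script can be pointed at a real SAMLResponse value copied from the browser's network tab to confirm which host the Referrer Filter actually has to allow.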