Expand my Community achievements bar.

SOLVED

SAML POST from Okta IDP to AEMaaCS failing

Avatar

Level 4

We are doing SAML integration with Okta IDP on AEM Publisher and after doing all the required configurations, getting forbidden 403 when IDP is redirecting to AEM.

[26/May/2023:10:25:20 +0000] [I] [cm-p104909-e982861-aem-publish-7cfb4c8c6d-nmjt2] "GET /content/cisco-dcloud/us/en/home/secure.html" 200 7ms [publishfarm/0] [actionnone] publish-p104909-e982861.adobeaemcloud.com
[26/May/2023:10:25:23 +0000] [I] [cm-p104909-e982861-aem-publish-7cfb4c8c6d-nmjt2] "POST /content/cisco-dcloud/saml_login" 403 7ms [publishfarm/0] [actionnone] publish-p104909-e982861.adobeaemcloud.com

 

We have allowed the POST request to */saml_login in filter rules on dispatcher as shown below but still getting 403 on POST request:

 

# Allow SAML HTTP POST to ../saml_login end points
/0110 { /type "allow" /method "POST" /url "*/saml_login" }

 

Please suggest what can be the issue.

1 Accepted Solution

Avatar

Correct answer by
Community Advisor

Hello @pardeepg4829047 

 

We also need to update "Referrer filter" and "CORS" settings.

https://experienceleague.adobe.com/docs/experience-manager-learn/cloud-service/authentication/saml-2...

 

requesting you to please cross-check if all steps are implemented.


Aanchal Sikka

View solution in original post

3 Replies

Avatar

Correct answer by
Community Advisor

Hello @pardeepg4829047 

 

We also need to update "Referrer filter" and "CORS" settings.

https://experienceleague.adobe.com/docs/experience-manager-learn/cloud-service/authentication/saml-2...

 

requesting you to please cross-check if all steps are implemented.


Aanchal Sikka

Avatar

Level 4

@aanchal-sikka  - we have already done the required configurations for CORS and Referrer Filter configs as per below but still the issue persists.

 

CORS:

{

"alloworigin": [

"$[env:SAML_IDP_ORIGIN;default=http://www.okta.com]"

],

"allowedpaths": [

".*/saml_login"

],

"supportedmethods": [

"POST"

]

}

 

Referrer Filter:

{

"allow.empty": true,

"allow.hosts.regexp": "http://www.okta.com",

"allow.hosts": [

"$[env:SAML_IDP_REFERRER;default=http://www.okta.com]"

],

"filter.methods": [

"POST"

],

"exclude.agents.regexp": [ ]

}

The issue was with incorrect host in referrer filter. We identified the correct referrer from SAML response.

 

We changed the below entry to fix the issue:

 

$[env:SAML_IDP_REFERRER;default=http://www.okta.com]

 

to 

 

$[env:SAML_IDP_REFERRER;default=int-id.cisco.com]