This conversation has been locked due to inactivity. Please create a new post.
Hi,
We are trying to set up SAML on Author. When we access a page in AEM, the request goes to the IDP and, after we provide login credentials, the POST request is sent by the IDP, but AEM is treating this request as a normal POST request and rejecting it with the error: Anonymous access is not allowed.
But the POST request with the SAML response from the IDP should create the user and try to create a login with a user session.
We are not seeing any error in any of the logs.
There is not even a POST call captured in the access or request log.
AEM version 6.3
Any suggestion/help would be appreciated.
Hi Arun,
AEM will only process the IDP response if the SAML response is POSTed to the "saml_login" path.
Make sure the IDP is posting the SAML response to <HOST>/saml_login if the path value is set to "/" and to <HOST>/content/saml_login if the path value is set to "/content".
Arun,
Yes, you are right. The path variable and the post-back URL should match. In other words, if the path variable is set to "/content", the IDP should be posting back to <HOST>/content/saml_login.
Setting the post-back URL to "sites.html" or "assets.html" won't work.
Seems like a config mismatch between AEM and the IDP. Check the following:
Check if the SAML certificate is in the proper format:
Dispatcher:
If this is still an issue, log a ticket on Daycare.
Information to provide when raising a SAML-related support ticket:
[1] https://help.tenderapp.com/kb/troubleshooting-your-tender-site/generating-an-har-file
Thanks Jaideep,
We'll check the IDP configuration to find out the issue.
Hi Arun,
Did you figure out the issue?
Good to know the issue is resolved. I have created a helpx article [1] to list all the SAML-related issues for future reference.
Thanks Jaideep, that's good work.
One more point:
Where do we need to run the ntpdate -s pool.ntp.org command? On the SP or the IDP server? Or on any server?
If you want, you can use the exception below to show this issue in the above article:
SAML Response part:
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2019-04-09T13:38:50.145Z" Recipient="https://localhost:4502/content/saml_login"/>
</saml:SubjectConfirmation>
Exception:
com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: notOnOrAfter violated: (java.util.GregorianCalendar[time=1554815392512,areFieldsSet=true,areAllFieldsSet=true,lenient=true,zone=sun.util.calendar.ZoneInfo[id="Etc/UTC",offset=0,dstSavings=0,useDaylight=false,transitions=0,lastRule=null],firstDayOfWeek=1,minimalDaysInFirstWeek=1,ERA=1,YEAR=2019,MONTH=3,WEEK_OF_YEAR=15,WEEK_OF_MONTH=2,DAY_OF_MONTH=9,DAY_OF_YEAR=99,DAY_OF_WEEK=3,DAY_OF_WEEK_IN_MONTH=2,AM_PM=1,HOUR=1,HOUR_OF_DAY=13,MINUTE=9,SECOND=52,MILLISECOND=512,ZONE_OFFSET=0,DST_OFFSET=0]>=java.util.GregorianCalendar[time=1554815390145,areFieldsSet=true,areAllFieldsSet=true,lenient=true,zone=java.util.SimpleTimeZone[id=UTC,offset=0,dstSavings=3600000,useDaylight=false,startYear=0,startMode=0,startMonth=0,startDay=0,startDayOfWeek=0,startTime=0,startTimeMode=0,endMode=0,endMonth=0,endDay=0,endDayOfWeek=0,endTime=0,endTimeMode=0],firstDayOfWeek=1,minimalDaysInFirstWeek=1,ERA=1,YEAR=2019,MONTH=3,WEEK_OF_YEAR=15,WEEK_OF_MONTH=2,DAY_OF_MONTH=9,DAY_OF_YEAR=99,DAY_OF_WEEK=3,DAY_OF_WEEK_IN_MONTH=2,AM_PM=1,HOUR=1,HOUR_OF_DAY=13,MINUTE=9,SECOND=50,MILLISECOND=145,ZONE_OFFSET=0,DST_OFFSET=0]).
Arun,
Thanks for sharing details. I will add them to the article.
I would recommend running it on both AEM and the IDP. All this command does is try to get the time from "pool.ntp.org", which is a big virtual cluster of time servers providing a reliable, easy-to-use NTP service.
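The two failure modes discussed in this thread (the post-back URL not matching the handler's "path" setting, and the assertion's NotOnOrAfter already being in the past because of clock drift) can both be reproduced offline. The following is an added example written for this page, not code from the thread, from AEM, or from Adobe: a small Python checker that decodes a base64 SAML Response as an IDP would POST it, computes the expected saml_login URL from the host and path exactly as Jaideep describes above, and compares the Response Destination, the bearer SubjectConfirmationData Recipient and its NotOnOrAfter (with an optional clock-skew tolerance) against a supplied "now". The sample response, the host https://localhost:4502, the IDP issuer and the user name are constructed for the example; XML signature verification is deliberately left out, so this is a diagnostic aid, not a replacement for the SP's own validation.

```python
"""Offline checker for the two SAML Response fields this thread turned on.

Added example, not code from the thread or from AEM. It reproduces the two
checks an SP applies before a user is ever created: the bearer Recipient
(and Response Destination) must equal the SP's saml_login URL, which depends
on the handler's "path" setting, and NotOnOrAfter must still be in the
future. XML signature verification is out of scope here.
"""
import base64
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # fine for this constructed input; use defusedxml for untrusted XML

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"


def expected_recipient(host, path):
    """Post-back URL as described in the thread: <HOST>/saml_login for path "/",
    <HOST>/content/saml_login for path "/content"."""
    prefix = "" if path == "/" else "/" + path.strip("/")
    return host.rstrip("/") + prefix + "/saml_login"


def parse_saml_time(value):
    """xs:dateTime in UTC, with or without fractional seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_response(saml_response_b64, host, path, now=None, skew_seconds=0):
    """Return a list of problems (empty list = both checks pass)."""
    now = now or datetime.now(timezone.utc)
    skew = timedelta(seconds=skew_seconds)
    want = expected_recipient(host, path)
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    problems = []

    destination = root.get("Destination")
    if destination is not None and destination != want:
        problems.append(f"Destination {destination} != {want}")

    bearers = [c for c in root.findall(".//saml:SubjectConfirmation", NS)
               if c.get("Method") == BEARER]
    if not bearers:
        problems.append("no bearer SubjectConfirmation in the assertion")
    for conf in bearers:
        data = conf.find("saml:SubjectConfirmationData", NS)
        if data is None:
            problems.append("bearer SubjectConfirmation without SubjectConfirmationData")
            continue
        if data.get("Recipient") != want:
            problems.append(f"Recipient {data.get('Recipient')} != {want}")
        not_on_or_after = data.get("NotOnOrAfter")
        if not_on_or_after is None:
            problems.append("SubjectConfirmationData has no NotOnOrAfter")
        elif now >= parse_saml_time(not_on_or_after) + skew:
            # NotOnOrAfter is exclusive, hence >= (the same comparison behind
            # the "notOnOrAfter violated" message quoted in the thread)
            problems.append(f"NotOnOrAfter violated: {now.isoformat()} >= "
                            f"{not_on_or_after} (+{skew_seconds}s skew)")
    return problems


# Constructed sample response (hypothetical IDP, same shape as the snippet in
# the thread); real responses also carry a ds:Signature, omitted here.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2019-04-09T13:08:50.145Z"
  Destination="https://localhost:4502/content/saml_login">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-04-09T13:08:50.145Z">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID>arun</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2019-04-09T13:09:50.145Z"
          Recipient="https://localhost:4502/content/saml_login"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()


def demo(path, now_iso, skew_seconds=0):
    """Run the checks on the sample against an AEM author on localhost:4502."""
    return check_response(SAMPLE_B64, "https://localhost:4502", path,
                          now=parse_saml_time(now_iso), skew_seconds=skew_seconds)


if __name__ == "__main__":
    # 2.4 s past NotOnOrAfter, as in the exception quoted in the thread
    print(demo("/content", "2019-04-09T13:09:52.512Z"))
    # same clocks, 5 s tolerance: passes
    print(demo("/content", "2019-04-09T13:09:52.512Z", skew_seconds=5))
    # handler path "/" but the IDP still posts to /content/saml_login: mismatch
    print(demo("/", "2019-04-09T13:09:00Z"))
```

To use it against a real failure, take the SAMLResponse form field from the browser's HAR capture (the POST to saml_login), pass it as the first argument of check_response together with the host and the handler's path value, and run it on the AEM box so "now" reflects the SP's clock; a violation that disappears with a few seconds of skew points at the NTP fix discussed above, while a Recipient or Destination mismatch points at the IDP's post-back URL.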