Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.

SAML Response generates anonymous user session instead of creating user

Avatar

Community Advisor

Hi,

We are trying to setup SAML in Author. when we access page in aem, request is going to to IDP and after providing login credentials, the post request is sent by IDP but AEM is treating this request as a normal post request and rejecting with error : Anonymous access is not allowed.

But the post request with saml response from IDP should create user and try to create login with user session.

We are not seeing any error in any of the logs.

Even there is no POST call captured in access or request log.

AEM version 6.3

Any suggestion/help would be appreciated?



Arun Patidar
13 Replies

Avatar

Employee Advisor

Hi Arun,

AEM will only process the IDP response if the SAML response is posted to "saml_login" path.

Make sure IDP is posting the SAML response to <HOST>/saml_login if path value is set to "/" and <HOST>/content/saml_login if path value is set to "/content"

Avatar

Community Advisor

Thanks Jaideep,

We have set path=/content in SAML osgi config and idp posting at /sites.html. That could be the issue.

is it ok to post back at /sites.html/saml_login or should be /content/saml_login ?



Arun Patidar

Avatar

Employee Advisor

Arun,

Yes, you are right. the path variable and the Post back URL should match. In other words, if path variable is set to "/content", IDP should be posting back to <HOST>/content/saml_login"

Setting postback URL to "sites.html" or "assets.html" won't work.

Avatar

Community Advisor

Thanks Jaideep.

Now we have changed it to /content/saml_login and POST request is attempting to login but we are getting below error in logs

Login failed. SAML taoken invalid

I have checked the value saml:Audience tag and SP Entity Id is same. Any idea what could be the reason.



Arun Patidar

Avatar

Employee Advisor

Seems like a config mismatch between AEM and IDP. Check the following:

  • Check if ds:signature is part of SAML assertion > If not, This is to be done on IDP end and check the checkbox for signed Assertion
  • Check for nameId format in SAML response, The format should exactly match the nameId Policy format as configured in SAML Config
  • Check for SAML AudienceRestriction in SAML response, The value of this tag should exactly match the entity ID in SAML config
  • Check for saml2:conditions(NotBefore & NotOnOrAfter), Server is not in sync with ntp server.Use ntpd and force it to sync sys time (ntpdate -s pool.ntp.org). For test, change the clock tolerance to -1, this will ignore clock difference.
  • Check if idp do not have assertion signed. Ask idp team that response is signed and the assertion needs to be signed as per saml spec.
  • Check if SAML tracer output if the assertion from IDP is encrypted. If yes, Config of SAML auth handler should use the encryption checkbox

Check if SAML Certificate is in proper format:

  • Fetch the signature from SAML response and correct the certificate i.e. after 65th line, press enter and so on.
  • This can be then used to install in AEM truststore and match certificate details with IDP.

Dispatcher:

  • Make sure SAML login request is allowed in the filters section.If not, Update the /filter section to allow POST requests to */saml_login.

    /0100 { /type "allow" /method "POST" /url "*/saml_login" }
  • Check for change in Mod header(mod_header) on web server level in httpd.conf.It should be in below format
    <<<<<< Header always edit Set-Cookie (.*) "$1; HTTPOnly; Secure" >>>>>

If this still an issue, log a ticket on daycare

Information to provide when raising a SAML related Support ticket:

  • SAML Request
  • SAML Response
  • SAML configuration
  • DEBUG logs for SAML (com.adobe.granite.auth.saml)
  • Error.log
  • HAR[1] file to extract SAML Request/Response

[1]https://help.tenderapp.com/kb/troubleshooting-your-tender-site/generating-an-har-file

Avatar

Community Advisor

Thanks Jaideep,

  • dsig:Signature is present in SAML Assertion.
  • NameId format is same i.e. urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
  • SAML AudienceRestriction in SAML response value of this tag is same is the entity ID in SAML config
  • Certificate are correct
  • No dispatcher configured for author
  • Assertion from IDP is not encrypted.

we'll check idp configurations to find out issue.



Arun Patidar

Avatar

Employee Advisor

Hi Arun,

Did you figure out the issue?

Avatar

Community Advisor

Hi Jaideep,

We are checking this with the team which are handling idp servers.

I'll post the findings once we identified the issue and get it resolved.



Arun Patidar

Avatar

Community Advisor

This issue is with clock, after updating saml logger we got the full logs and found the issue.

For test, change the clock tolerance to -1, this ignored clock difference and works.



Arun Patidar

Avatar

Employee Advisor

Good to know the issue is resolved. I have created an helpx article[1] to list all the saml related issues for future reference.

[1] SAML related issues

Avatar

Community Advisor

Thanks Jaideep, Thats good work

One more point

  • Check for saml2:conditions(NotBefore & NotOnOrAfter), Server is not in sync with ntp server.Use ntpd and force it to sync sys time (ntpdate -s pool.ntp.org). For test, change the clock tolerance to -1, this will ignore clock difference.

Where we need to run ntpdate -s pool.ntp.org command? SP or IDP server? or on any server?

If you want you can use below Exception to show this issue in above article :

SAML Response part

<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">

    <saml:SubjectConfirmationData NotOnOrAfter="2019-04-09T13:38:50.145Z" Recipient="https://localhost:4502/content/saml_login"/>

</saml:SubjectConfirmation>

Exception :

com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: notOnOrAfter violated: (java.util.GregorianCalendar[time=1554815392512,areFieldsSet=true,areAllFieldsSet=true,lenient=true,zone=sun.util.calendar.ZoneInfo[id="Etc/UTC",offset=0,dstSavings=0,useDaylight=false,transitions=0,lastRule=null],firstDayOfWeek=1,minimalDaysInFirstWeek=1,ERA=1,YEAR=2019,MONTH=3,WEEK_OF_YEAR=15,WEEK_OF_MONTH=2,DAY_OF_MONTH=9,DAY_OF_YEAR=99,DAY_OF_WEEK=3,DAY_OF_WEEK_IN_MONTH=2,AM_PM=1,HOUR=1,HOUR_OF_DAY=13,MINUTE=9,SECOND=52,MILLISECOND=512,ZONE_OFFSET=0,DST_OFFSET=0]>=java.util.GregorianCalendar[time=1554815390145,areFieldsSet=true,areAllFieldsSet=true,lenient=true,zone=java.util.SimpleTimeZone[id=UTC,offset=0,dstSavings=3600000,useDaylight=false,startYear=0,startMode=0,startMonth=0,startDay=0,startDayOfWeek=0,startTime=0,startTimeMode=0,endMode=0,endMonth=0,endDay=0,endDayOfWeek=0,endTime=0,endTimeMode=0],firstDayOfWeek=1,minimalDaysInFirstWeek=1,ERA=1,YEAR=2019,MONTH=3,WEEK_OF_YEAR=15,WEEK_OF_MONTH=2,DAY_OF_MONTH=9,DAY_OF_YEAR=99,DAY_OF_WEEK=3,DAY_OF_WEEK_IN_MONTH=2,AM_PM=1,HOUR=1,HOUR_OF_DAY=13,MINUTE=9,SECOND=50,MILLISECOND=145,ZONE_OFFSET=0,DST_OFFSET=0]).



Arun Patidar

Avatar

Employee Advisor

Arun,

Thanks for sharing details. I will add them to the article.

I would recommend running it on both AEM and IDP. All this command does is try to get the time from "pool.ntp.org" which is big virtual cluster of timeservers providing reliable easy to use NTP service.