We are trying to set up SAML in Author. When we access a page in AEM, the request goes to the IDP, and after providing login credentials the POST request is sent by the IDP, but AEM treats this request as a normal POST request and rejects it with the error: Anonymous access is not allowed.
But the POST request with the SAML response from the IDP should create the user and create a login with a user session.
We are not seeing any error in any of the logs.
There is not even a POST call captured in the access or request log.
AEM version 6.3
Any suggestion/help would be appreciated.
AEM will only process the IDP response if the SAML response is posted to the "saml_login" path.
Make sure the IDP is posting the SAML response to <HOST>/saml_login if the path value is set to "/", and to <HOST>/content/saml_login if the path value is set to "/content".
We have set path=/content in the SAML OSGi config and the IDP is posting at /sites.html. That could be the issue.
Is it OK to post back at /sites.html/saml_login, or should it be /content/saml_login?
Yes, you are right. The path variable and the postback URL should match. In other words, if the path variable is set to "/content", the IDP should be posting back to <HOST>/content/saml_login.
Setting the postback URL to "sites.html" or "assets.html" won't work.
Now we have changed it to /content/saml_login and the POST request is attempting to log in, but we are getting the error below in the logs:
Login failed. SAML token invalid
I have checked the value of the saml:Audience tag and the SP Entity ID, and they are the same. Any idea what could be the reason?
Seems like a config mismatch between AEM and the IDP. Check the following:
Check if the SAML certificate is in the proper format:
If this is still an issue, log a ticket on Daycare.
Information to provide when raising a SAML related Support ticket:
We'll check the IDP configurations to find out the issue.
Did you figure out the issue?
We are checking this with the team that is handling the IDP servers.
I'll post the findings once we have identified the issue and got it resolved.
This issue is with the clock; after updating the SAML logger we got the full logs and found the issue.
For a test, change the clock tolerance to -1; this ignores the clock difference and it works.
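As an added illustration (not AEM's code, and not from any poster in this thread), here is a Python sketch of the two things that came up: the postback URL the IDP must use for a given path value, and an assertion check that compares saml:Audience with the SP entity ID and then applies the NotBefore/NotOnOrAfter window widened by a clock tolerance. The sample assertion, host names and the rule that a negative tolerance skips the time check are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample assertion with a five-minute validity window.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://author.example.test/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def saml_login_url(host: str, path: str) -> str:
    """Postback URL the IDP must use for a given SAML handler 'path' value."""
    prefix = "/" + path.strip("/") if path.strip("/") else ""
    return f"{host.rstrip('/')}{prefix}/saml_login"


def _parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text: str, sp_entity_id: str, now: datetime,
                       tolerance_s: int) -> str:
    """Return 'ok' or the reason the assertion would be rejected. Audience is
    checked first, then the time window; a negative tolerance disables the
    time check (an assumption modelled on the thread's -1, not AEM semantics)."""
    cond = ET.fromstring(xml_text).find("saml:Conditions", NS)
    if cond is None:
        return "no Conditions element"
    audiences = [a.text.strip() for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        return f"audience mismatch: {audiences} != {sp_entity_id}"
    if tolerance_s < 0:
        return "ok"  # time window ignored: fine for a test, not for production
    skew = timedelta(seconds=tolerance_s)
    if now < _parse_ts(cond.get("NotBefore")) - skew:
        return "not yet valid: SP clock behind the IDP"
    if now >= _parse_ts(cond.get("NotOnOrAfter")) + skew:
        return "expired: SP clock ahead of the IDP"
    return "ok"


def demo() -> dict:
    """SP clock 90 s behind the IDP: rejected at 0 s tolerance, accepted at 120 s."""
    sp_now = datetime(2024, 1, 1, 9, 58, 30, tzinfo=timezone.utc)
    sp_id = "https://author.example.test/"
    return {"strict": validate_assertion(SAMPLE_ASSERTION, sp_id, sp_now, 0),
            "tolerant": validate_assertion(SAMPLE_ASSERTION, sp_id, sp_now, 120),
            "disabled": validate_assertion(SAMPLE_ASSERTION, sp_id, sp_now, -1),
            "wrong_audience": validate_assertion(SAMPLE_ASSERTION, "https://other/", sp_now, 120)}
```

A tolerance of -1 is useful to confirm the diagnosis, but the fix is to sync the AEM and IDP clocks (NTP) and keep the tolerance small.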