SAML Response generates anonymous user session instead of creating user

Arun_Patidar

MVP

02-04-2019

Hi,

We are trying to set up SAML in Author. When we access a page in AEM, the request goes to the IDP and, after we provide login credentials, the POST request is sent by the IDP, but AEM is treating this request as a normal POST request and rejecting it with the error: Anonymous access is not allowed.

But the POST request with the SAML response from the IDP should create the user and try to create a login with the user session.

We are not seeing any error in any of the logs.

There is not even a POST call captured in the access or request log.

AEM version 6.3

Any suggestion/help would be appreciated.

Replies

jbrar

Employee

02-04-2019

Hi Arun,

AEM will only process the IDP response if the SAML response is posted to the "saml_login" path.

Make sure the IDP is posting the SAML response to <HOST>/saml_login if the path value is set to "/" and to <HOST>/content/saml_login if the path value is set to "/content".

Arun_Patidar

MVP

03-04-2019

Thanks Jaideep,

We have set path=/content in the SAML OSGi config and the IDP is posting at /sites.html. That could be the issue.

Is it OK to post back at /sites.html/saml_login, or should it be /content/saml_login?

jbrar

Employee

03-04-2019

Arun,

Yes, you are right. The path variable and the post-back URL should match. In other words, if the path variable is set to "/content", the IDP should be posting back to <HOST>/content/saml_login.

Setting the post-back URL to "sites.html" or "assets.html" won't work.

Arun_Patidar

MVP

03-04-2019

Thanks Jaideep.

Now we have changed it to /content/saml_login and the POST request is attempting to log in, but we are getting the below error in the logs:

Login failed. SAML taoken invalid

I have checked that the value of the saml:Audience tag and the SP Entity ID are the same. Any idea what could be the reason?

jbrar

Employee

03-04-2019

Seems like a config mismatch between AEM and the IDP. Check the following:

  • Check if ds:Signature is part of the SAML assertion. If not, this is to be done on the IDP end: check the checkbox for signed assertion.
  • Check the NameID format in the SAML response. The format should exactly match the NameID policy format as configured in the SAML config.
  • Check the SAML AudienceRestriction in the SAML response. The value of this tag should exactly match the entity ID in the SAML config.
  • Check saml2:Conditions (NotBefore & NotOnOrAfter); the server may not be in sync with the NTP server. Use ntpd and force it to sync the system time (ntpdate -s pool.ntp.org). For testing, change the clock tolerance to -1; this will ignore the clock difference.
  • Check if the IDP does not have the assertion signed. Ask the IDP team that the response is signed and that the assertion is signed as per the SAML spec.
  • Check in the SAML tracer output if the assertion from the IDP is encrypted. If yes, the config of the SAML auth handler should use the encryption checkbox.

Check if the SAML certificate is in the proper format:

  • Fetch the signature from the SAML response and correct the certificate, i.e. after the 65th line, press enter and so on.
  • This can then be used to install in the AEM truststore and to match the certificate details with the IDP.

Dispatcher:

  • Make sure the SAML login request is allowed in the filters section. If not, update the /filter section to allow POST requests to */saml_login:

    /0100 { /type "allow" /method "POST" /url "*/saml_login" }
  • Check for a change in Mod header (mod_header) on the web server level in httpd.conf. It should be in the below format:

    Header always edit Set-Cookie (.*) "$1; HTTPOnly; Secure"

If this is still an issue, log a ticket on DayCare.

Information to provide when raising a SAML related Support ticket:

  • SAML Request
  • SAML Response
  • SAML configuration
  • DEBUG logs for SAML (com.adobe.granite.auth.saml)
  • Error.log
  • HAR[1] file to extract SAML Request/Response

[1]https://help.tenderapp.com/kb/troubleshooting-your-tender-site/generating-an-har-file

Arun_Patidar

MVP

03-04-2019

Thanks Jaideep,

  • dsig:Signature is present in the SAML assertion.
  • The NameID format is the same, i.e. urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
  • The SAML AudienceRestriction value in the SAML response is the same as the entity ID in the SAML config.
  • Certificates are correct.
  • No dispatcher is configured for author.
  • The assertion from the IDP is not encrypted.

We'll check the IDP configurations to find out the issue.

Arun_Patidar

MVP

08-04-2019

Hi Jaideep,

We are checking this with the team that is handling the IDP servers.

I'll post the findings once we have identified the issue and got it resolved.

Arun_Patidar

MVP

09-04-2019

This issue is with the clock; after updating the SAML logger we got the full logs and found the issue.

For testing, change the clock tolerance to -1; this ignored the clock difference and it works.
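As an added example (my own helper, not code from this thread, from AEM or from the com.adobe.granite.auth.saml handler), the script below runs the checklist from jbrar's reply and the clock-tolerance finding that closed the thread against a SAML Response offline: it reports whether the assertion carries a ds:Signature, whether the NameID format and Audience match the SP config, whether the assertion is encrypted, and whether the NotBefore/NotOnOrAfter window holds for a given server clock and tolerance, with -1 skipping the time check the way the thread describes. The SP entity ID, NameID format, hostnames and the sample response are constructed for the example; the SignatureValue is a placeholder and the script does not verify the signature cryptographically, it only tells you whether one is present.

```python
"""Offline pre-checks for a SAML 2.0 Response against SP (AEM) settings.

Hypothetical helper written for this thread, not part of AEM. It mirrors
the troubleshooting checklist: assertion signed, NameID format, Audience,
Conditions window with clock tolerance, encrypted assertion. It reports
only whether a ds:Signature is present; it does not verify it.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed SP settings, standing in for the AEM SAML OSGi config values.
SP_ENTITY_ID = "https://author.example.test/sp"
NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed IDP response; the SignatureValue is a placeholder, not a real signature.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2019-04-03T10:00:00Z" Destination="https://author.example.test/content/saml_login">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-04-03T10:00:00Z">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">arun</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2019-04-03T10:00:00Z" NotOnOrAfter="2019-04-03T10:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://author.example.test/sp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value):
    """Parse an xsd:dateTime as used in SAML (UTC 'Z', optional fractional seconds)."""
    value = value.strip().rstrip("Z").split(".")[0]
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_saml_response(xml_text, sp_entity_id, nameid_format, now, clock_tolerance=60):
    """Return a list of findings; an empty list means every check passed.

    clock_tolerance is in seconds; -1 skips the time-window check entirely,
    which is the test-only setting mentioned in the thread.
    """
    findings = []
    root = ET.fromstring(xml_text)

    if root.find("saml:EncryptedAssertion", NS) is not None:
        findings.append("assertion is encrypted: enable encryption in the SAML auth handler")
        return findings  # nothing else is readable without decrypting

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion in response"]

    if assertion.find("ds:Signature", NS) is None:
        findings.append("assertion is not signed (no ds:Signature under saml:Assertion)")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    fmt = name_id.get("Format") if name_id is not None else None
    if fmt != nameid_format:
        findings.append(f"NameID format {fmt!r} != configured {nameid_format!r}")

    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        findings.append(f"Audience {audiences} does not contain SP entity ID {sp_entity_id!r}")

    cond = assertion.find("saml:Conditions", NS)
    if cond is not None and clock_tolerance >= 0:
        skew = timedelta(seconds=clock_tolerance)
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < parse_saml_time(nb):
            findings.append(f"NotBefore {nb} is in the future: check NTP sync")
        if noa and now - skew >= parse_saml_time(noa):
            findings.append(f"NotOnOrAfter {noa} has passed: check NTP sync")
    return findings


def check_with_clock_offset(minutes_off, clock_tolerance=60, sp_entity_id=SP_ENTITY_ID):
    """Run the checks with the SP clock `minutes_off` minutes ahead of the
    IDP's IssueInstant (negative means the SP clock is behind)."""
    now = datetime(2019, 4, 3, 10, 0, tzinfo=timezone.utc) + timedelta(minutes=minutes_off)
    return check_saml_response(SAMPLE_RESPONSE, sp_entity_id, NAMEID_FORMAT, now, clock_tolerance)


if __name__ == "__main__":
    # A 10-minute skew fails the 5-minute window unless tolerance is -1.
    for offset, tol in ((1, 60), (10, 60), (-3, 60), (10, -1)):
        print(f"clock {offset:+d} min, tolerance {tol}: {check_with_clock_offset(offset, tol) or 'OK'}")
```

Run it on a response pasted from a SAML tracer or HAR capture by replacing SAMPLE_RESPONSE; a NotBefore or NotOnOrAfter finding with a small tolerance points at the NTP problem from the thread, and only then is relaxing the tolerance to -1 for a test run informative. Leave tolerance at a small positive value in any non-test environment, since the time window is what bounds replay of a captured assertion.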