Adobe Experience Manager

Hi Arun,

AEM will only process the IDP response if the SAML response is posted to "saml_login" path.

Make sure IDP is posting the SAML response to <HOST>/saml_login if path value is set to "/" and <HOST>/content/saml_login if path value is set to "/content"

Thanks Jaideep,

We have set path=/content in SAML osgi config and idp posting at /sites.html. That could be the issue.

is it ok to post back at /sites.html/saml_login or should be /content/saml_login ?

Arun,

Yes, you are right. the path variable and the Post back URL should match. In other words, if path variable is set to "/content", IDP should be posting back to <HOST>/content/saml_login"

Setting postback URL to "sites.html" or "assets.html" won't work.

Thanks Jaideep.

Now we have changed it to /content/saml_login and POST request is attempting to login but we are getting below error in logs

Login failed. SAML taoken invalid

I have checked the value saml:Audience tag and SP Entity Id is same. Any idea what could be the reason.

Seems like a config mismatch between AEM and IDP. Check the following:

• Check if ds:signature is part of SAML assertion > If not, This is to be done on IDP end and check the checkbox for signed Assertion
• Check for nameId format in SAML response, The format should exactly match the nameId Policy format as configured in SAML Config
• Check for SAML AudienceRestriction in SAML response, The value of this tag should exactly match the entity ID in SAML config
• Check for saml2:conditions(NotBefore & NotOnOrAfter), Server is not in sync with ntp server.Use ntpd and force it to sync sys time (ntpdate -s pool.ntp.org). For test, change the clock tolerance to -1, this will ignore clock difference.
• Check if idp do not have assertion signed. Ask idp team that response is signed and the assertion needs to be signed as per saml spec.
• Check if SAML tracer output if the assertion from IDP is encrypted. If yes, Config of SAML auth handler should use the encryption checkbox

Check if SAML Certificate is in proper format:

• Fetch the signature from SAML response and correct the certificate i.e. after 65th line, press enter and so on.
• This can be then used to install in AEM truststore and match certificate details with IDP.

Dispatcher:

• Make sure SAML login request is allowed in the filters section.If not, Update the /filter section to allow POST requests to */saml_login.
  
  /0100 { /type "allow" /method "POST" /url "*/saml_login" }
• Check for change in Mod header(mod_header) on web server level in httpd.conf.It should be in below format
  <<<<<< Header always edit Set-Cookie (.*) "$1; HTTPOnly; Secure" >>>>>

If this still an issue, log a ticket on daycare

Information to provide when raising a SAML related Support ticket:

• SAML Request
• SAML Response
• SAML configuration
• DEBUG logs for SAML (com.adobe.granite.auth.saml)
• Error.log
• HAR[1] file to extract SAML Request/Response

[1]https://help.tenderapp.com/kb/troubleshooting-your-tender-site/generating-an-har-file

Thanks Jaideep,

• dsig:Signature is present in SAML Assertion.
• NameId format is same i.e. urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
• SAML AudienceRestriction in SAML response value of this tag is same is the entity ID in SAML config
• Certificate are correct
• No dispatcher configured for author
• Assertion from IDP is not encrypted.

we'll check idp configurations to find out issue.

Hi Arun,

Did you figure out the issue?

Hi Jaideep,

We are checking this with the team which are handling idp servers.

I'll post the findings once we identified the issue and get it resolved.

This issue is with clock, after updating saml logger we got the full logs and found the issue.

For test, change the clock tolerance to -1, this ignored clock difference and works.