Adobe Experience Manager Sites & More

Arun_Patidar · ‎02-04-2019

Hi,

We are trying to setup SAML in Author. when we access page in aem, request is going to to IDP and after providing login credentials, the post request is sent by IDP but AEM is treating this request as a normal post request and rejecting with error : Anonymous access is not allowed.

But the post request with saml response from IDP should create user and try to create login with user session.

We are not seeing any error in any of the logs.

Even there is no POST call captured in access or request log.

AEM version 6.3

Any suggestion/help would be appreciated?

jbrar · ‎02-04-2019

Hi Arun,

AEM will only process the IDP response if the SAML response is posted to "saml_login" path.

Make sure IDP is posting the SAML response to <HOST>/saml_login if path value is set to "/" and <HOST>/content/saml_login if path value is set to "/content"

Arun_Patidar · ‎03-04-2019

Thanks Jaideep,

We have set path=/content in SAML osgi config and idp posting at /sites.html. That could be the issue.

is it ok to post back at /sites.html/saml_login or should be /content/saml_login ?

jbrar · ‎03-04-2019

Arun,

Yes, you are right. the path variable and the Post back URL should match. In other words, if path variable is set to "/content", IDP should be posting back to <HOST>/content/saml_login"

Setting postback URL to "sites.html" or "assets.html" won't work.

Arun_Patidar · ‎03-04-2019

Thanks Jaideep.

Now we have changed it to /content/saml_login and POST request is attempting to login but we are getting below error in logs

Login failed. SAML taoken invalid

I have checked the value saml:Audience tag and SP Entity Id is same. Any idea what could be the reason.

jbrar · ‎03-04-2019

Seems like a config mismatch between AEM and IDP. Check the following:

Check if ds:signature is part of SAML assertion > If not, This is to be done on IDP end and check the checkbox for signed Assertion
Check for nameId format in SAML response, The format should exactly match the nameId Policy format as configured in SAML Config
Check for SAML AudienceRestriction in SAML response, The value of this tag should exactly match the entity ID in SAML config
Check for saml2:conditions(NotBefore & NotOnOrAfter), Server is not in sync with ntp server.Use ntpd and force it to sync sys time (ntpdate -s pool.ntp.org). For test, change the clock tolerance to -1, this will ignore clock difference.
Check if idp do not have assertion signed. Ask idp team that response is signed and the assertion needs to be signed as per saml spec.
Check if SAML tracer output if the assertion from IDP is encrypted. If yes, Config of SAML auth handler should use the encryption checkbox

Check if SAML Certificate is in proper format:

Fetch the signature from SAML response and correct the certificate i.e. after 65th line, press enter and so on.
This can be then used to install in AEM truststore and match certificate details with IDP.

Dispatcher:

Make sure SAML login request is allowed in the filters section.If not, Update the /filter section to allow POST requests to */saml_login.

/0100 { /type "allow" /method "POST" /url "*/saml_login" }
Check for change in Mod header(mod_header) on web server level in httpd.conf.It should be in below format
<<<<<< Header always edit Set-Cookie (.*) "$1; HTTPOnly; Secure" >>>>>

If this still an issue, log a ticket on daycare

Information to provide when raising a SAML related Support ticket:

SAML Request
SAML Response
SAML configuration
DEBUG logs for SAML (com.adobe.granite.auth.saml)
Error.log
HAR[1] file to extract SAML Request/Response

[1]https://help.tenderapp.com/kb/troubleshooting-your-tender-site/generating-an-har-file

Arun_Patidar · ‎03-04-2019

Thanks Jaideep,

dsig:Signature is present in SAML Assertion.
NameId format is same i.e. urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
SAML AudienceRestriction in SAML response value of this tag is same is the entity ID in SAML config
Certificate are correct
No dispatcher configured for author
Assertion from IDP is not encrypted.

we'll check idp configurations to find out issue.

jbrar · ‎07-04-2019

Hi Arun,

Did you figure out the issue?

Arun_Patidar · ‎08-04-2019

Hi Jaideep,

We are checking this with the team which are handling idp servers.

I'll post the findings once we identified the issue and get it resolved.

Arun_Patidar · ‎09-04-2019

This issue is with clock, after updating saml logger we got the full logs and found the issue.

For test, change the clock tolerance to -1, this ignored clock difference and works.

jbrar · ‎09-04-2019

Good to know the issue is resolved. I have created an helpx article[1] to list all the saml related issues for future reference.

[1] SAML related issues

Arun_Patidar · ‎09-04-2019

Thanks Jaideep, Thats good work

One more point

Check for saml2:conditions(NotBefore & NotOnOrAfter), Server is not in sync with ntp server.Use ntpd and force it to sync sys time (ntpdate -s pool.ntp.org). For test, change the clock tolerance to -1, this will ignore clock difference.

Where we need to run ntpdate -s pool.ntp.org command? SP or IDP server? or on any server?

If you want you can use below Exception to show this issue in above article :

SAML Response part

<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">

<saml:SubjectConfirmationData NotOnOrAfter="2019-04-09T13:38:50.145Z" Recipient="https://localhost:4502/content/saml_login"/>

</saml:SubjectConfirmation>

Exception :

com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: notOnOrAfter violated: (java.util.GregorianCalendar[time=1554815392512,areFieldsSet=true,areAllFieldsSet=true,lenient=true,zone=sun.util.calendar.ZoneInfo[id="Etc/UTC",offset=0,dstSavings=0,useDaylight=false,transitions=0,lastRule=null],firstDayOfWeek=1,minimalDaysInFirstWeek=1,ERA=1,YEAR=2019,MONTH=3,WEEK_OF_YEAR=15,WEEK_OF_MONTH=2,DAY_OF_MONTH=9,DAY_OF_YEAR=99,DAY_OF_WEEK=3,DAY_OF_WEEK_IN_MONTH=2,AM_PM=1,HOUR=1,HOUR_OF_DAY=13,MINUTE=9,SECOND=52,MILLISECOND=512,ZONE_OFFSET=0,DST_OFFSET=0]>=java.util.GregorianCalendar[time=1554815390145,areFieldsSet=true,areAllFieldsSet=true,lenient=true,zone=java.util.SimpleTimeZone[id=UTC,offset=0,dstSavings=3600000,useDaylight=false,startYear=0,startMode=0,startMonth=0,startDay=0,startDayOfWeek=0,startTime=0,startTimeMode=0,endMode=0,endMonth=0,endDay=0,endDayOfWeek=0,endTime=0,endTimeMode=0],firstDayOfWeek=1,minimalDaysInFirstWeek=1,ERA=1,YEAR=2019,MONTH=3,WEEK_OF_YEAR=15,WEEK_OF_MONTH=2,DAY_OF_MONTH=9,DAY_OF_YEAR=99,DAY_OF_WEEK=3,DAY_OF_WEEK_IN_MONTH=2,AM_PM=1,HOUR=1,HOUR_OF_DAY=13,MINUTE=9,SECOND=50,MILLISECOND=145,ZONE_OFFSET=0,DST_OFFSET=0]).

jbrar · ‎09-04-2019

Arun,

Thanks for sharing details. I will add them to the article.

I would recommend running it on both AEM and IDP. All this command does is try to get the time from "pool.ntp.org" which is big virtual cluster of timeservers providing reliable easy to use NTP service.

Arun_Patidar · ‎10-04-2019

Thanks Jaideep.

Adobe Experience Manager Sites & More

SAML Response generates anonymous user session instead of creating user

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe