Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
SAML Response generates anonymous user session instead of creating user
Hi,
We are trying to setup SAML in Author. when we access page in aem, request is going to to IDP and after providing login credentials, the post request is sent by IDP but AEM is treating this request as a normal post request and rejecting with error : Anonymous access is not allowed.
But the post request with saml response from IDP should create user and try to create login with user session.
We are not seeing any error in any of the logs.
Even there is no POST call captured in access or request log.
AEM version 6.3
Any suggestion/help would be appreciated?
Arun Patidar
Thanks Jaideep,
We have set path=/content in SAML osgi config and idp posting at /sites.html. That could be the issue.
is it ok to post back at /sites.html/saml_login or should be /content/saml_login ?
Arun Patidar
Thanks Jaideep.
Now we have changed it to /content/saml_login and POST request is attempting to login but we are getting below error in logs
Login failed. SAML taoken invalid
I have checked the value saml:Audience tag and SP Entity Id is same. Any idea what could be the reason.
Arun Patidar
Thanks Jaideep,
- dsig:Signature is present in SAML Assertion.
- NameId format is same i.e. urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
- SAML AudienceRestriction in SAML response value of this tag is same is the entity ID in SAML config
- Certificate are correct
- No dispatcher configured for author
- Assertion from IDP is not encrypted.
we'll check idp configurations to find out issue.
Arun Patidar
Hi Jaideep,
We are checking this with the team which are handling idp servers.
I'll post the findings once we identified the issue and get it resolved.
Arun Patidar
This issue is with clock, after updating saml logger we got the full logs and found the issue.
For test, change the clock tolerance to -1, this ignored clock difference and works.
Arun Patidar
Thanks Jaideep, Thats good work 
One more point
- Check for saml2:conditions(NotBefore & NotOnOrAfter), Server is not in sync with ntp server.Use ntpd and force it to sync sys time (ntpdate -s pool.ntp.org). For test, change the clock tolerance to -1, this will ignore clock difference.
Where we need to run ntpdate -s pool.ntp.org command? SP or IDP server? or on any server?
If you want you can use below Exception to show this issue in above article :
SAML Response part
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2019-04-09T13:38:50.145Z" Recipient="https://localhost:4502/content/saml_login"/>
</saml:SubjectConfirmation>
Exception :
com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: notOnOrAfter violated: (java.util.GregorianCalendar[time=1554815392512,areFieldsSet=true,areAllFieldsSet=true,lenient=true,zone=sun.util.calendar.ZoneInfo[id="Etc/UTC",offset=0,dstSavings=0,useDaylight=false,transitions=0,lastRule=null],firstDayOfWeek=1,minimalDaysInFirstWeek=1,ERA=1,YEAR=2019,MONTH=3,WEEK_OF_YEAR=15,WEEK_OF_MONTH=2,DAY_OF_MONTH=9,DAY_OF_YEAR=99,DAY_OF_WEEK=3,DAY_OF_WEEK_IN_MONTH=2,AM_PM=1,HOUR=1,HOUR_OF_DAY=13,MINUTE=9,SECOND=52,MILLISECOND=512,ZONE_OFFSET=0,DST_OFFSET=0]>=java.util.GregorianCalendar[time=1554815390145,areFieldsSet=true,areAllFieldsSet=true,lenient=true,zone=java.util.SimpleTimeZone[id=UTC,offset=0,dstSavings=3600000,useDaylight=false,startYear=0,startMode=0,startMonth=0,startDay=0,startDayOfWeek=0,startTime=0,startTimeMode=0,endMode=0,endMonth=0,endDay=0,endDayOfWeek=0,endTime=0,endTimeMode=0],firstDayOfWeek=1,minimalDaysInFirstWeek=1,ERA=1,YEAR=2019,MONTH=3,WEEK_OF_YEAR=15,WEEK_OF_MONTH=2,DAY_OF_MONTH=9,DAY_OF_YEAR=99,DAY_OF_WEEK=3,DAY_OF_WEEK_IN_MONTH=2,AM_PM=1,HOUR=1,HOUR_OF_DAY=13,MINUTE=9,SECOND=50,MILLISECOND=145,ZONE_OFFSET=0,DST_OFFSET=0]).
Arun Patidar
Related Conversations
