I am working on use case where we are integrating SAML with our application , basically for new user login we are setting up createUser as false so that whenever user is logged in from IDP server , that user should not create in AEM .
For existing user in AEM publish environment , it should redirect to our portal , here no group is being return in Assertion response .Below is my SAML config
{
"path": [ "/content/csc-aem-commons/us/en", "/content/ipg-asc"],
"idpCertAlias": "$[env:SAML_IDP_CERT_ALIAS;default=certalias___1732570622676]",
"idpIdentifier": "$[env:SAML_IDP_ID;default=https://login.microsoftonline.com/d026e4c1-5892-497a-b9da-ee493c9f0364]",
"idpUrl": "$[env:SAML_IDP_URL;default=https://login.microsoftonline.com/d026e4c1-5892-497a-b9da-ee493c9f0364/saml2]",
"serviceProviderEntityId": "$[env:SAML_AEM_ID;default=https://publish-p135571-e1386830.adobeaemcloud.com]",
"useEncryption": false,
"userIDAttribute": "",
"createUser": false,
"userIntermediatePath": "ipg/idp",
"synchronizeAttributes":[
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress=profile/email",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname=profile/givenName",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname=profile/familyName"
],
"addGroupMemberships": true,
"groupMembershipAttribute": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
"defaultGroups": [
"Aem_deu_glb_agency_user"
],
"handleLogout":true
}
Problem : we are getting an error for existin user as login token is not found , can someone help how can we fix this
Getting this error
[qtp1635739700-1008] com.adobe.granite.auth.saml.extidp.DefaultUserSync User synchronization failed: Could not access repository.
javax.jcr.RepositoryException: Failed to generate login-token: Could not access Repository
at com.day.crx.security.token.TokenUtil.createCredentials(TokenUtil.java:103) [com.day.crx.sling.crx-auth-token:2.8.0]
at com.adobe.granite.auth.saml.extidp.DefaultUserSync.process(DefaultUserSync.java:107) [com.adobe.granite.auth.saml:1.0.62]
at com.adobe.granite.auth.saml.SamlAuthenticationHandler.syncUser(SamlAuthenticationHandler.java:947) [com.adobe.granite.auth.saml:1.0.62]
at com.adobe.granite.auth.saml.SamlAuthenticationHandler.handleLogin(SamlAuthenticationHandler.java:939) [com.adobe.granite.auth.saml:1.0.62]
at com.adobe.granite.auth.saml.SamlAuthenticationHandler.extractCredentials(SamlAuthenticationHandler.java:551) [com.adobe.granite.auth.saml:1.0.62]
at org.apache.sling.auth.core.impl.AuthenticationHandlerHolder.doExtractCredentials(AuthenticationHandlerHolder.java:77) [org.apache.sling.auth.core:1.6.2]
at org.apache.sling.auth.core.impl.AbstractAuthenticationHandlerHolder.extractCredentials(AbstractAuthenticationHandlerHolder.java:60) [org.apache.sling.auth.core:1.6.2]
at org.apache.sling.auth.core.impl.SlingAuthenticator.getAuthenticationInfo(SlingAuthenticator.java:664) [org.apache.sling.auth.core:1.6.2]
at org.apache.sling.auth.core.impl.SlingAuthenticator.doHandleSecurity(SlingAuthenticator.java:453) [org.apache.sling.auth.core:1.6.2]
at org.apache.sling.auth.core.impl.SlingAuthenticator.handleSecurity(SlingAuthenticator.java:427) [org.apache.sling.auth.core:1.6.2]
at org.apache.sling.engine.impl.SlingHttpContext.handleSecurity(SlingHttpContext.java:122) [org.apache.sling.engine:2.15.18]
at org.apache.felix.http.base.internal.wrappers.ServletContextHelperWrapper.handleSecurity(ServletContextHelperWrapper.java:48) [org.apache.felix.http.jetty:5.1.26]
at org.apache.felix.http.base.internal.whiteboard.PerBundleServletContextImpl.handleSecurity(PerBundleServletContextImpl.java:88) [org.apache.felix.http.jetty:5.1.26]
at org.apache.felix.http.base.internal.dispatch.InvocationChain.doFilter(InvocationChain.java:58)
