I have one last error!!! I have followed all the instructions in AEM documentation from what I can tell.
The redirect to login.microsoft.com works.
It redirects to /content/saml_login (also used /saml_login) - It returns a 403 error.
I inspected the payload and decode base 64 - looks pretty good!
I turned on TRACE for SAML in AEM
This is the response.
com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
I've unchecked and checked create User and add to groups (every combination) - no luck.
I've uploaded the certificate to Trust store several times and ensured password is good. Tried mapping to user in this last try. No luck.
Created a Truststore for admin user - still no luck (didn't upload a cert to admin user)
Unchecked "Use encryption" - no luck.
Please, please, please, I need some other ideas . . . thanks.
Below are strategic screenshots
Solved! Go to Solution.
Views
Replies
Total Likes
Ok, I had a call with Adobe support and I think we figured it out.
The /saml_login was getting a 403 because it was not contained within the authenticated path.
For example, if my SAML authentication path is /aem - I would need to configure /aem/saml_login as the reply URL. This make the saml_login within the authenticated path of /aem.
Once this change was made, I was able to get passed the 403 error, but then we had permissions issue so, /aem/start.html would not load. I had to add the correct permissions to the group "AzureUsers" in order for the authenticated user to see AEM.
All is good now. Thank you for your help.
Hello @crich2784
Please check for following as suggested in the blog post:
Issue-1: ‘Resource at ‘/saml_login’ not found: No resource found’ due to intermittent GET requests.
Resolution: The “saml_login” Servlet only handles POST requests. Hence, if you noticing intermittent GET requests, resulting in resource not found error, then deny GET request to “/saml_login” on Author.
Add the following filter rule to Dispatcher
/0207 { /type "deny" /method "GET" /url "*/saml_login" }
Issue-3: ‘Resource at ‘/saml_login’ not found: No resource found’ for POST requests.
Resolution: Assure that “POST” request isn’t blocked on dispatcher level. Following filter rule should be available
/0208 { /type "allow" /method "POST" /url "*/saml_login" }
https://techrevel.blog/2021/02/01/configuring-aem-for-single-sign-on-via-azure-ad/
We are using the quickstart jar on an Author instance. We do not have a Dispatcher installed. So unless I'm missing something, how do I clear up the 403 on /saml_login on Author? @aanchal-sikka
Hello @crich2784
Can you please enable the SAML trace logs and check if this behavior is observed specifically for GET requests? POST requests should be successful. saml_login can only address POST requests. GET would throw 403.
If yes, the GET requests need to be blocked from reaching AEM. In the blog, its controlled via dispatcher sitting in front on author.
Ok, I had a call with Adobe support and I think we figured it out.
The /saml_login was getting a 403 because it was not contained within the authenticated path.
For example, if my SAML authentication path is /aem - I would need to configure /aem/saml_login as the reply URL. This make the saml_login within the authenticated path of /aem.
Once this change was made, I was able to get passed the 403 error, but then we had permissions issue so, /aem/start.html would not load. I had to add the correct permissions to the group "AzureUsers" in order for the authenticated user to see AEM.
All is good now. Thank you for your help.
hi @crich2784
Can you also check the below two AEM configs that allows POST
add you allowed origin here
This one also to make sure there is no blocking of post at the AEM level.
One more thing I observed from your deflated SAML response is the recipient is configured to an https domain ending with.com . Not very sure it will have an impact. In our case we have the respective request domain configured there.
The recipient in the XML is the Reply URL in Azure. Not sure why .com would matter.
This is my referrer. I have tried wiht Allow Empty unchecked and add POST to filter methods. No luck there either.
Here is the Cross-Origin Resource Sharing policy.
I think I have all this correct.
Views
Likes
Replies
Views
Likes
Replies