SOLVED
SSO AEM, Azure - one last problem!
I have one last error!!! I have followed all the instructions in AEM documentation from what I can tell.
The redirect to login.microsoft.com works.
It redirects to /content/saml_login (also used /saml_login) - It returns a 403 error.
I inspected the payload and decode base 64 - looks pretty good!
I turned on TRACE for SAML in AEM
This is the response.
com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
I've unchecked and checked create User and add to groups (every combination) - no luck.
I've uploaded the certificate to Trust store several times and ensured password is good. Tried mapping to user in this last try. No luck.
Created a Truststore for admin user - still no luck (didn't upload a cert to admin user)
Unchecked "Use encryption" - no luck.
Please, please, please, I need some other ideas . . . thanks.
Below are strategic screenshots
1 Accepted Solution
Hello @crich2784
Please check for following as suggested in the blog post:
Issue-1: ‘Resource at ‘/saml_login’ not found: No resource found’ due to intermittent GET requests.
Resolution: The “saml_login” Servlet only handles POST requests. Hence, if you noticing intermittent GET requests, resulting in resource not found error, then deny GET request to “/saml_login” on Author.
Add the following filter rule to Dispatcher
/0207 { /type "deny" /method "GET" /url "*/saml_login" }
Issue-3: ‘Resource at ‘/saml_login’ not found: No resource found’ for POST requests.
Resolution: Assure that “POST” request isn’t blocked on dispatcher level. Following filter rule should be available
/0208 { /type "allow" /method "POST" /url "*/saml_login" }
https://techrevel.blog/2021/02/01/configuring-aem-for-single-sign-on-via-azure-ad/
Aanchal Sikka
Hello @crich2784
Can you please enable the SAML trace logs and check if this behavior is observed specifically for GET requests? POST requests should be successful. saml_login can only address POST requests. GET would throw 403.
If yes, the GET requests need to be blocked from reaching AEM. In the blog, its controlled via dispatcher sitting in front on author.
Aanchal Sikka
hi @crich2784
Can you also check the below two AEM configs that allows POST
add you allowed origin here
This one also to make sure there is no blocking of post at the AEM level.
One more thing I observed from your deflated SAML response is the recipient is configured to an https domain ending with.com . Not very sure it will have an impact. In our case we have the respective request domain configured there.
The recipient in the XML is the Reply URL in Azure. Not sure why .com would matter.
This is my referrer. I have tried wiht Allow Empty unchecked and add POST to filter methods. No luck there either.
Here is the Cross-Origin Resource Sharing policy.
I think I have all this correct.
Related Conversations
