Expand my Community achievements bar.

Applications for the 2024-2025 Adobe Experience Manager Champion Program are open!
SOLVED

SSO AEM, Azure - one last problem!

Avatar

Level 7

 

I have one last error!!!  I have followed all the instructions in AEM documentation from what I can tell.

The redirect to login.microsoft.com works.  

It redirects to /content/saml_login (also used /saml_login) - It returns a 403 error.

I inspected the payload and decode base 64 - looks pretty good!

I turned on TRACE for SAML in AEM

This is the response.

com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.

I've unchecked and checked create User and add to groups (every combination) - no luck.

I've uploaded the certificate to Trust store several times and ensured password is good.  Tried mapping to user in this last try. No luck.

Created a Truststore for admin user - still no luck (didn't upload a cert to admin user)

Unchecked "Use encryption" - no luck.

Please, please, please, I need some other ideas . . . thanks.

 

Below are strategic screenshots

 

 

crich2784_0-1692561575244.png

crich2784_1-1692561753554.png

crich2784_2-1692562040429.png

 

 

 

 

 

1 Accepted Solution

Avatar

Correct answer by
Level 7

Ok, I had a call with Adobe support and I think we figured it out.

The /saml_login was getting a 403 because it was not contained within the authenticated path.

 

For example, if my SAML authentication path is /aem - I would need to configure /aem/saml_login as the reply URL.  This make the saml_login within the authenticated path of /aem.

 

Once this change was made, I was able to get passed the 403 error, but then we had permissions issue so, /aem/start.html would not load.  I had to add the correct permissions to the group "AzureUsers" in order for the authenticated user to see AEM.

 

All is good now.  Thank you for your help.

View solution in original post

6 Replies

Avatar

Community Advisor

Hello @crich2784 

 

Please check for following as suggested in the blog post:

 

Issue-1: ‘Resource at ‘/saml_login’ not found: No resource found’ due to intermittent GET requests.

Resolution: The “saml_login” Servlet only handles POST requests. Hence, if you noticing intermittent GET requests, resulting in resource not found error, then deny GET request to “/saml_login” on Author.

 

Add the following filter rule to Dispatcher

/0207 { /type "deny" /method "GET" /url "*/saml_login" }

 

Issue-3: ‘Resource at ‘/saml_login’ not found: No resource found’ for POST requests.

Resolution: Assure that “POST” request isn’t blocked on dispatcher level. Following filter rule should be available

/0208 { /type "allow" /method "POST" /url "*/saml_login" }

 

 

https://techrevel.blog/2021/02/01/configuring-aem-for-single-sign-on-via-azure-ad/


Aanchal Sikka

Avatar

Level 7

We are using the quickstart jar on an Author instance.  We do not have a Dispatcher installed.  So unless I'm missing something, how do I clear up the 403 on /saml_login on Author? @aanchal-sikka 

Avatar

Community Advisor

Hello @crich2784 

 

Can you please enable the SAML trace logs and check if this behavior is observed specifically for GET requests? POST requests should be successful. saml_login can only address POST requests. GET would throw 403.

 

If yes, the GET requests need to be blocked from reaching AEM. In the blog, its controlled via dispatcher sitting in front on author.

 

 


Aanchal Sikka

Avatar

Correct answer by
Level 7

Ok, I had a call with Adobe support and I think we figured it out.

The /saml_login was getting a 403 because it was not contained within the authenticated path.

 

For example, if my SAML authentication path is /aem - I would need to configure /aem/saml_login as the reply URL.  This make the saml_login within the authenticated path of /aem.

 

Once this change was made, I was able to get passed the 403 error, but then we had permissions issue so, /aem/start.html would not load.  I had to add the correct permissions to the group "AzureUsers" in order for the authenticated user to see AEM.

 

All is good now.  Thank you for your help.

Avatar

Level 8

hi @crich2784 

Can you also check the below two AEM configs that allows POST 

sherinregi_0-1692639811690.png

add you allowed origin here 

 

sherinregi_1-1692639837512.png

 

This one also to make sure there is no blocking of post at the AEM level.

 

One more thing  I observed from your deflated SAML response is the recipient is configured to an https domain ending with.com . Not very sure it will have an impact. In our case we have the respective request domain configured there.

 

Avatar

Level 7

The recipient in the XML is the Reply URL in Azure.  Not sure why .com would matter.

 

This is my referrer.  I have tried wiht Allow Empty unchecked and add POST to filter methods.  No luck there either.

crich2784_0-1692640868853.png

 

Here is the Cross-Origin Resource Sharing policy.  

crich2784_1-1692640923166.png

 

I think I have all this correct.