If I manually add the user and put the user in a group and then do a SAML login with the IdP, it works and does synchronize properties, but if I have auto-create users and add to groups checked in the SAML configuration, here is the error I get. I am guessing I am missing a permission somewhere?
21.08.2015 11:00:30.000 *INFO* [pool-7-thread-3] com.adobe.granite.taskmanagement.impl.jcr.TaskArchiveService archiving tasks at: 'Fri Aug 21 11:00:30 EDT 2015'
21.08.2015 11:00:34.067 *INFO* [qtp301437638-159160] org.apache.sling.auth.core.impl.SlingAuthenticator getAnonymousResolver: Anonymous access not allowed by configuration - requesting credentials
21.08.2015 11:00:34.954 *ERROR* [qtp301437638-159160] com.adobe.granite.auth.saml.SamlAuthenticationHandler User synchronization failed: Could not access repository.
javax.jcr.AccessDeniedException: OakAccess0000: Access denied
at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:231)
at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:212)
at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.newRepositoryException(SessionDelegate.java:594)
at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.save(SessionDelegate.java:461)
at org.apache.jackrabbit.oak.jcr.session.SessionImpl$8.perform(SessionImpl.java:435)
at org.apache.jackrabbit.oak.jcr.session.SessionImpl$8.perform(SessionImpl.java:432)
at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.perform(SessionDelegate.java:216)
at org.apache.jackrabbit.oak.jcr.session.SessionImpl.perform(SessionImpl.java:140)
at org.apache.jackrabbit.oak.jcr.session.SessionImpl.save(SessionImpl.java:432)
at sun.reflect.GeneratedMethodAccessor34.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:483)
at org.apache.sling.jcr.base.SessionProxyHandler$SessionProxyInvocationHandler.invoke(SessionProxyHandler.java:113)
at com.sun.proxy.$Proxy8.save(Unknown Source)
at com.adobe.granite.auth.saml.SamlAuthenticationHandler.handleLogin(SamlAuthenticationHandler.java:650)
at com.adobe.granite.auth.saml.SamlAuthenticationHandler.extractCredentials(SamlAuthenticationHandler.java:348)
at org.apache.sling.auth.core.impl.AuthenticationHandlerHolder.doExtractCredentials(AuthenticationHandlerHolder.java:75)
at org.apache.sling.auth.core.impl.AbstractAuthenticationHandlerHolder.extractCredentials(AbstractAuthenticationHandlerHolder.java:60)
at org.apache.sling.auth.core.impl.SlingAuthenticator.getAuthenticationInfo(SlingAuthenticator.java:709)
at org.apache.sling.auth.core.impl.SlingAuthenticator.doHandleSecurity(SlingAuthenticator.java:461)
at org.apache.sling.auth.core.impl.SlingAuthenticator.handleSecurity(SlingAuthenticator.java:446)
at org.apache.sling.engine.impl.SlingHttpContext.handleSecurity(SlingHttpContext.java:121)
at org.apache.felix.http.base.internal.context.ServletContextImpl.handleSecurity(ServletContextImpl.java:339)
at org.apache.felix.http.base.internal.handler.ServletHandler.doHandle(ServletHandler.java:334)
at org.apache.felix.http.base.internal.handler.ServletHandler.handle(ServletHandler.java:297)
at org.apache.felix.http.base.internal.dispatch.ServletPipeline.handle(ServletPipeline.java:93)
at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:50)
at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:31)
at org.apache.sling.i18n.impl.I18NFilter.doFilter(I18NFilter.java:129)
Configuring on the AEM side for content/imf/en does not help, and you need to configure the destination at the IdP also. As informed earlier, if the group passed from the IdP is administrator then there is a problem; please file a support ticket.
Check whether the user "authentication-service" has Modify/Create permissions on the /home/users folder in CRX. You can check the permissions on this page: localhost:4502/useradmin
If the group attribute passed from SAML, or the default, is configured as administrator then it fails. The issue is logged internally and should be fixed as part of SP1. Either send a non-admin group or file a support request to get a hotfix for you.
Thanks Kunal. It does have permissions.
Do we still need to import the cert at /etc/key/saml for 6.1? As far as I know all I had to do is go to Security, Users, Manage Trust Store and import it there. Do I still need to use the curl command and import it into /etc/key/saml?
Navigate to the following path, /etc/key/saml/idp_cert, in CRXDE to verify whether your keys exist in CRX or not. If not, then you can try importing them using the curl command.
Also, check whether you have the following service mapping node for SAML in the repository and the user.mapping property is set to "com.adobe.granite.auth.saml=authentication-service":
/libs/system/config/org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended-com.adobe.granite.auth.saml
Sham
So I configured the URL / to use SAML; it goes into an infinite loop with the above error.
I created a content/imf/en structure. Then I configured SAML to kick in for /content/imf/en. If I go to that URL, it does sign me in but throws me to the /saml_login page with a 403 access denied error.
If I remove auto-create groups and auto-create users, and manually add, say, my login to a pre-defined group, it works perfectly. But we want the auto-create to work as expected.
Hi Chetan and Sham,
I am facing exactly the same problem. May I know what you did to resolve the issue?
I have configured the following path in SAML config
/saml_login
/content/myApp
Auto create is true
Group Membership is blank
Default Group is "TestGroup" (Exist in AEM)
If I create the user in AEM it works fine. ---> We have a problem here: if the user exists in the IdP and doesn't exist in AEM, then requests go into an infinite loop. Is there a solution to this problem?
If the user doesn't exist in AEM (Auto Create true) then it goes into an infinite loop with the error
15.12.2015 12:17:54.038 *ERROR* [qtp1873795275-244] com.adobe.granite.auth.saml.SamlAuthenticationHandler User synchronization failed: Could not access repository.
javax.jcr.AccessDeniedException: OakAccess0000: Access denied
at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:231)
at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:212)
at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.newRepositoryException(SessionDelegate.java:594)
Thanks and Regards,
Deepak
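An added example (not from any poster in this thread) for telling the loop described above apart from a single failed login: it parses AEM error.log lines in the format quoted in the thread, pulls out each SAML "User synchronization failed" error together with the exception class on the following line, and flags a redirect loop when several such failures land within a short window. The window and threshold values are assumptions; the sample log is constructed.

```python
import re
from datetime import datetime, timedelta

# AEM error.log line shape: "dd.MM.yyyy HH:mm:ss.SSS *LEVEL* [thread] logger message"
LOG_LINE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"\*(?P<level>[A-Z]+)\* \[(?P<thread>[^\]]+)\] (?P<logger>\S+) (?P<msg>.*)$"
)
SAML_LOGGER = "com.adobe.granite.auth.saml.SamlAuthenticationHandler"

def parse_line(line):
    """Parse one log line; exception and stack-frame continuation lines give None."""
    m = LOG_LINE.match(line)
    if m is None:
        return None
    return dict(m.groupdict(), ts=datetime.strptime(m["ts"], "%d.%m.%Y %H:%M:%S.%f"))

def find_sync_failures(lines):
    """Collect SAML 'User synchronization failed' errors with the exception class that follows."""
    events = []
    for i, line in enumerate(lines):
        rec = parse_line(line)
        if not (rec and rec["level"] == "ERROR" and rec["logger"] == SAML_LOGGER
                and "User synchronization failed" in rec["msg"]):
            continue
        exc = None
        if i + 1 < len(lines):
            nxt = lines[i + 1].strip()
            if parse_line(nxt) is None and not nxt.startswith("at "):
                exc = nxt.split(":", 1)[0]  # e.g. javax.jcr.AccessDeniedException
        events.append({"ts": rec["ts"], "thread": rec["thread"], "exception": exc})
    return events

def detect_login_loop(events, window=timedelta(seconds=10), threshold=3):
    """True when `threshold` or more failures land in one `window`: the redirect-loop signature."""
    stamps = sorted(e["ts"] for e in events)
    for i, start in enumerate(stamps):
        if sum(1 for t in stamps[i:] if t - start <= window) >= threshold:
            return True
    return False

# Constructed sample in the thread's log format (not real data).
SAMPLE_LOG = """\
15.12.2015 12:17:54.038 *ERROR* [qtp1873795275-244] com.adobe.granite.auth.saml.SamlAuthenticationHandler User synchronization failed: Could not access repository.
javax.jcr.AccessDeniedException: OakAccess0000: Access denied
\tat org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:231)
15.12.2015 12:17:55.410 *ERROR* [qtp1873795275-245] com.adobe.granite.auth.saml.SamlAuthenticationHandler User synchronization failed: Could not access repository.
javax.jcr.AccessDeniedException: OakAccess0000: Access denied
15.12.2015 12:17:56.877 *ERROR* [qtp1873795275-246] com.adobe.granite.auth.saml.SamlAuthenticationHandler User synchronization failed: Could not access repository.
javax.jcr.AccessDeniedException: OakAccess0000: Access denied
""".splitlines()
```

Running `detect_login_loop(find_sync_failures(SAMPLE_LOG))` on the sample returns True, while a single failure returns False; a True result points at the repository permission or group-mapping problems discussed above rather than a one-off login error.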