Level 4

Besvarat

[Urgent help needed] AutoCreate CRX users/ Add to groups for SAML handler does not work [AEM 6.1]

Forum|Forum|10 years ago
October 16, 2015
7 svar
3099 visningar

If i manually add the user and put the user in group then do a SAML with IDP it works and does syncrhonize properties, but if I have auto-create users and add to groups checked in SAML configuration, here is the error i get. I am guessing I am missing permission somewhere?

21.08.2015 11:00:30.000 *INFO* [pool-7-thread-3] com.adobe.granite.taskmanagement.impl.jcr.TaskArchiveService archiving tasks at: 'Fri Aug 21 11:00:30 EDT 2015'
21.08.2015 11:00:34.067 *INFO* [qtp301437638-159160] org.apache.sling.auth.core.impl.SlingAuthenticator getAnonymousResolver: Anonymous access not allowed by configuration - requesting credentials
21.08.2015 11:00:34.954 *ERROR* [qtp301437638-159160] com.adobe.granite.auth.saml.SamlAuthenticationHandler User synchronization failed: Could not access repository.
javax.jcr.AccessDeniedException: OakAccess0000: Access denied
   at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:231)
   at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:212)
   at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.newRepositoryException(SessionDelegate.java:594)
   at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.save(SessionDelegate.java:461)
   at org.apache.jackrabbit.oak.jcr.session.SessionImpl$8.perform(SessionImpl.java:435)
   at org.apache.jackrabbit.oak.jcr.session.SessionImpl$8.perform(SessionImpl.java:432)
   at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.perform(SessionDelegate.java:216)
   at org.apache.jackrabbit.oak.jcr.session.SessionImpl.perform(SessionImpl.java:140)
   at org.apache.jackrabbit.oak.jcr.session.SessionImpl.save(SessionImpl.java:432)
   at sun.reflect.GeneratedMethodAccessor34.invoke(Unknown Source)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
   at java.lang.reflect.Method.invoke(Method.java:483)
   at org.apache.sling.jcr.base.SessionProxyHandler$SessionProxyInvocationHandler.invoke(SessionProxyHandler.java:113)
   at com.sun.proxy.$Proxy8.save(Unknown Source)
   at com.adobe.granite.auth.saml.SamlAuthenticationHandler.handleLogin(SamlAuthenticationHandler.java:650)
   at com.adobe.granite.auth.saml.SamlAuthenticationHandler.extractCredentials(SamlAuthenticationHandler.java:348)
   at org.apache.sling.auth.core.impl.AuthenticationHandlerHolder.doExtractCredentials(AuthenticationHandlerHolder.java:75)
   at org.apache.sling.auth.core.impl.AbstractAuthenticationHandlerHolder.extractCredentials(AbstractAuthenticationHandlerHolder.java:60)
   at org.apache.sling.auth.core.impl.SlingAuthenticator.getAuthenticationInfo(SlingAuthenticator.java:709)
   at org.apache.sling.auth.core.impl.SlingAuthenticator.doHandleSecurity(SlingAuthenticator.java:461)
   at org.apache.sling.auth.core.impl.SlingAuthenticator.handleSecurity(SlingAuthenticator.java:446)
   at org.apache.sling.engine.impl.SlingHttpContext.handleSecurity(SlingHttpContext.java:121)
   at org.apache.felix.http.base.internal.context.ServletContextImpl.handleSecurity(ServletContextImpl.java:339)
   at org.apache.felix.http.base.internal.handler.ServletHandler.doHandle(ServletHandler.java:334)
   at org.apache.felix.http.base.internal.handler.ServletHandler.handle(ServletHandler.java:297)
   at org.apache.felix.http.base.internal.dispatch.ServletPipeline.handle(ServletPipeline.java:93)
   at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:50)
   at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:31)
   at org.apache.sling.i18n.impl.I18NFilter.doFilter(I18NFilter.java:129)

Det här ämnet har stängts för svar.

Bästa svar av Sham_HC

Configuring on aem side for content/imf/en does not help & you need to configure the destination at idp also. As informed earlier if group passed from idp is adminstrator then there is a problem please file support ticket.

Kunal_Gaba_

Check that whether the user "authentication-service" has Modify/Create permissions on /home/users folder in CRX. You can check the permissions on this page localhost:4502/useradmin

Sham_HC

Level 10

If the group attribute passed from saml Or default is configured as administrator then it fails. Issue is logged internally & should be fixed as part of sp1. Either send non admin group or file a support request to get an hotfix for you.

C

chetanvajre2014Skribent

Level 4

Thanks Kunal. it does have permissions

Do we still need to import the cert at /etc/key/saml for 6.1. As far as I know all I had to do is go to security, users, manage trust store and import it there. Do i still need to use the curl command and import it into /etc/key/saml?

Kunal_Gaba_

Navigate to the following path /etc/key/saml/idp_cert in crxde to verfiy whether your keys exist in CRX or not. If not then you can try importing them using the curl command.

Also, check whether you have the following service mapping node for SAML in the repository and the user.mapping property is set to "com.adobe.granite.auth.saml=authentication-service"-

/libs/system/config/org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended-com.adobe.granite.auth.saml

C

chetanvajre2014Skribent

Level 4

Sham

So I configured at the URL / to use SAML, it goes into an infinite loop with above error

I created a content/imf/en structure. Then I configured SAML to kick in for /content/imf/en. If I go to that URL, it does sign me in but throws to /saml_login page with 403 access denied error.

If I remove auto-create groups and auto-create users, and manually add say my login to a pre-defined group, it works perfect. But we want the auto-create to work as expected.

Sham_HCSvar

Level 10

Configuring on aem side for content/imf/en does not help & you need to configure the destination at idp also. As informed earlier if group passed from idp is adminstrator then there is a problem please file support ticket.

D

dbdigital04

Level 2

Hi Chetan and Sham,

I am facing the exactly same problem. May I know what did you do to resolve the issue.

I have configured the following path in SAML config

/saml_login

/content/myApp

Auto create is true

Group Memebership is Blank

Default Group is "TestGroup" (Exist in AEM)

If I create the user in AEM works fine. ---> We have a problem over here, if the user exist in IDP and doesn't exist in AEM then requests go into infinite loop. Is there a solution to this problem?

If user doesn't exist in AEM (Auto Create true) then goes into infinite loop with error

15.12.2015 12:17:54.038 *ERROR* [qtp1873795275-244] com.adobe.granite.auth.saml.SamlAuthenticationHandler User synchronization failed: Could not access repository.
javax.jcr.AccessDeniedException: OakAccess0000: Access denied
   at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:231)
   at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:212)
   at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.newRepositoryException(SessionDelegate.java:594)

Thanks and Regards,

Deepak

Anmäl dig

Logga in med socialt nätverk

Logga in på communityn.

Logga in med socialt nätverk

Söker efter virus i filen

Denna fil kan inte laddas ned