Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
Bedrock Mission!

Learn more

View all

Sign in to view all badges

SOLVED

[Urgent help needed] AutoCreate CRX users/ Add to groups for SAML handler does not work [AEM 6.1]

chetanvajre2014
Level 5
Level 5

If i manually add the user and put the user in group then do a SAML with IDP it works and does syncrhonize properties, but if I have auto-create users and add to groups checked in SAML configuration, here is the error i get. I am guessing I am missing permission somewhere?

 

21.08.2015 11:00:30.000 *INFO* [pool-7-thread-3] com.adobe.granite.taskmanagement.impl.jcr.TaskArchiveService archiving tasks at: 'Fri Aug 21 11:00:30 EDT 2015'
21.08.2015 11:00:34.067 *INFO* [qtp301437638-159160] org.apache.sling.auth.core.impl.SlingAuthenticator getAnonymousResolver: Anonymous access not allowed by configuration - requesting credentials
21.08.2015 11:00:34.954 *ERROR* [qtp301437638-159160] com.adobe.granite.auth.saml.SamlAuthenticationHandler User synchronization failed: Could not access repository.
javax.jcr.AccessDeniedException: OakAccess0000: Access denied

    at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:231)
    at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:212)
    at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.newRepositoryException(SessionDelegate.java:594)
    at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.save(SessionDelegate.java:461)
    at org.apache.jackrabbit.oak.jcr.session.SessionImpl$8.perform(SessionImpl.java:435)
    at org.apache.jackrabbit.oak.jcr.session.SessionImpl$8.perform(SessionImpl.java:432)
    at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.perform(SessionDelegate.java:216)
    at org.apache.jackrabbit.oak.jcr.session.SessionImpl.perform(SessionImpl.java:140)
    at org.apache.jackrabbit.oak.jcr.session.SessionImpl.save(SessionImpl.java:432)
    at sun.reflect.GeneratedMethodAccessor34.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:483)
    at org.apache.sling.jcr.base.SessionProxyHandler$SessionProxyInvocationHandler.invoke(SessionProxyHandler.java:113)
    at com.sun.proxy.$Proxy8.save(Unknown Source)
    at com.adobe.granite.auth.saml.SamlAuthenticationHandler.handleLogin(SamlAuthenticationHandler.java:650)
    at com.adobe.granite.auth.saml.SamlAuthenticationHandler.extractCredentials(SamlAuthenticationHandler.java:348)
    at org.apache.sling.auth.core.impl.AuthenticationHandlerHolder.doExtractCredentials(AuthenticationHandlerHolder.java:75)
    at org.apache.sling.auth.core.impl.AbstractAuthenticationHandlerHolder.extractCredentials(AbstractAuthenticationHandlerHolder.java:60)
    at org.apache.sling.auth.core.impl.SlingAuthenticator.getAuthenticationInfo(SlingAuthenticator.java:709)
    at org.apache.sling.auth.core.impl.SlingAuthenticator.doHandleSecurity(SlingAuthenticator.java:461)
    at org.apache.sling.auth.core.impl.SlingAuthenticator.handleSecurity(SlingAuthenticator.java:446)
    at org.apache.sling.engine.impl.SlingHttpContext.handleSecurity(SlingHttpContext.java:121)
    at org.apache.felix.http.base.internal.context.ServletContextImpl.handleSecurity(ServletContextImpl.java:339)
    at org.apache.felix.http.base.internal.handler.ServletHandler.doHandle(ServletHandler.java:334)
    at org.apache.felix.http.base.internal.handler.ServletHandler.handle(ServletHandler.java:297)
    at org.apache.felix.http.base.internal.dispatch.ServletPipeline.handle(ServletPipeline.java:93)
    at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:50)
    at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:31)
    at org.apache.sling.i18n.impl.I18NFilter.doFilter(I18NFilter.java:129)
   

1 Accepted Solution
Sham_HC
Correct answer by
Level 10
Level 10

Configuring on aem side for content/imf/en does not help & you need to configure the destination at idp also.  As informed earlier if group passed from idp is adminstrator then there is a problem please file support ticket. 

View solution in original post

0 Replies
kunal23
Level 10
Level 10

Check that whether the user "authentication-service" has Modify/Create permissions on /home/users folder in CRX. You can check the permissions on this page localhost:4502/useradmin

Sham_HC
Level 10
Level 10

If the group attribute passed from saml Or default is configured as administrator then it fails. Issue is logged internally & should be fixed as part of sp1.  Either send non admin group or file a support request to get an hotfix for you.

chetanvajre2014
Level 5
Level 5

Thanks Kunal. it does have permissions

Do we still need to import the cert at /etc/key/saml for 6.1. As far as I know all I had to do is go to security, users, manage trust store and import it there. Do i still need to use the curl command and import it into /etc/key/saml?

kunal23
Level 10
Level 10

Navigate to  the following path /etc/key/saml/idp_cert in crxde to verfiy whether your keys exist in CRX or not. If not then you can try importing them using the curl command.

Also, check whether you have the following service mapping node for SAML in the repository and the user.mapping property is set to "com.adobe.granite.auth.saml=authentication-service"- 

/libs/system/config/org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended-com.adobe.granite.auth.saml

chetanvajre2014
Level 5
Level 5

Sham

So I configured at the URL / to use SAML, it goes into an infinite loop with above error

I created a content/imf/en structure. Then I configured SAML to kick in for /content/imf/en. If I go to that URL, it does sign me in but throws to /saml_login page with 403 access denied error.

If I remove auto-create groups and auto-create users, and manually add say my login to a pre-defined group, it works perfect. But we want the auto-create to work as expected.

Sham_HC
Correct answer by
Level 10
Level 10

Configuring on aem side for content/imf/en does not help & you need to configure the destination at idp also.  As informed earlier if group passed from idp is adminstrator then there is a problem please file support ticket. 

View solution in original post

dbdigital04
Level 2
Level 2

Hi Chetan and Sham,

I am facing the exactly same problem. May I know what did you do to resolve the issue. 

I have configured the following path in SAML config

/saml_login

/content/myApp

Auto create is true

Group Memebership is Blank

Default Group is "TestGroup" (Exist in AEM)

If I create the user in AEM works fine. ---> We have a problem over here, if the user exist in IDP and doesn't exist in AEM then requests go into infinite loop. Is there a solution to this problem?

If user doesn't exist in AEM (Auto Create true) then goes into infinite loop with error 

15.12.2015 12:17:54.038 *ERROR* [qtp1873795275-244] com.adobe.granite.auth.saml.SamlAuthenticationHandler User synchronization failed: Could not access repository.
javax.jcr.AccessDeniedException: OakAccess0000: Access denied
    at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:231)
    at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:212)
    at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.newRepositoryException(SessionDelegate.java:594)

Thanks and Regards,

Deepak