SOLVED

[Urgent help needed] AutoCreate CRX users/ Add to groups for SAML handler does not work [AEM 6.1]

Level 5

If I manually add the user and put the user in a group, then do a SAML login with the IDP, it works and does synchronize properties, but if I have auto-create users and add to groups checked in the SAML configuration, here is the error I get. I am guessing I am missing a permission somewhere?

 

21.08.2015 11:00:30.000 *INFO* [pool-7-thread-3] com.adobe.granite.taskmanagement.impl.jcr.TaskArchiveService archiving tasks at: 'Fri Aug 21 11:00:30 EDT 2015'
21.08.2015 11:00:34.067 *INFO* [qtp301437638-159160] org.apache.sling.auth.core.impl.SlingAuthenticator getAnonymousResolver: Anonymous access not allowed by configuration - requesting credentials
21.08.2015 11:00:34.954 *ERROR* [qtp301437638-159160] com.adobe.granite.auth.saml.SamlAuthenticationHandler User synchronization failed: Could not access repository.
javax.jcr.AccessDeniedException: OakAccess0000: Access denied

    at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:231)
    at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:212)
    at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.newRepositoryException(SessionDelegate.java:594)
    at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.save(SessionDelegate.java:461)
    at org.apache.jackrabbit.oak.jcr.session.SessionImpl$8.perform(SessionImpl.java:435)
    at org.apache.jackrabbit.oak.jcr.session.SessionImpl$8.perform(SessionImpl.java:432)
    at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.perform(SessionDelegate.java:216)
    at org.apache.jackrabbit.oak.jcr.session.SessionImpl.perform(SessionImpl.java:140)
    at org.apache.jackrabbit.oak.jcr.session.SessionImpl.save(SessionImpl.java:432)
    at sun.reflect.GeneratedMethodAccessor34.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:483)
    at org.apache.sling.jcr.base.SessionProxyHandler$SessionProxyInvocationHandler.invoke(SessionProxyHandler.java:113)
    at com.sun.proxy.$Proxy8.save(Unknown Source)
    at com.adobe.granite.auth.saml.SamlAuthenticationHandler.handleLogin(SamlAuthenticationHandler.java:650)
    at com.adobe.granite.auth.saml.SamlAuthenticationHandler.extractCredentials(SamlAuthenticationHandler.java:348)
    at org.apache.sling.auth.core.impl.AuthenticationHandlerHolder.doExtractCredentials(AuthenticationHandlerHolder.java:75)
    at org.apache.sling.auth.core.impl.AbstractAuthenticationHandlerHolder.extractCredentials(AbstractAuthenticationHandlerHolder.java:60)
    at org.apache.sling.auth.core.impl.SlingAuthenticator.getAuthenticationInfo(SlingAuthenticator.java:709)
    at org.apache.sling.auth.core.impl.SlingAuthenticator.doHandleSecurity(SlingAuthenticator.java:461)
    at org.apache.sling.auth.core.impl.SlingAuthenticator.handleSecurity(SlingAuthenticator.java:446)
    at org.apache.sling.engine.impl.SlingHttpContext.handleSecurity(SlingHttpContext.java:121)
    at org.apache.felix.http.base.internal.context.ServletContextImpl.handleSecurity(ServletContextImpl.java:339)
    at org.apache.felix.http.base.internal.handler.ServletHandler.doHandle(ServletHandler.java:334)
    at org.apache.felix.http.base.internal.handler.ServletHandler.handle(ServletHandler.java:297)
    at org.apache.felix.http.base.internal.dispatch.ServletPipeline.handle(ServletPipeline.java:93)
    at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:50)
    at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:31)
    at org.apache.sling.i18n.impl.I18NFilter.doFilter(I18NFilter.java:129)
   
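The error.log excerpt above is the only evidence the handler gives, so it helps to triage it mechanically. The following is an added example, not code from the post or from Adobe: it parses AEM error.log records, pulls out every `SamlAuthenticationHandler` "User synchronization failed" record together with the exception line that follows it, and reports whether the cause is the Oak access-denied commit failure (which points at the repository permissions of the service user the handler saves with). The first two records of the constructed sample are the ones quoted above; the third is made up to show the repeating pattern that appears when each SAML login attempt fails at the same point.

```python
import re
from datetime import datetime

# AEM error.log record layout: "<dd.MM.yyyy HH:mm:ss.SSS> *<LEVEL>* [<thread>] <logger> <message>".
# Exception and "at ..." stack lines do not match this pattern, which is how
# they are recognised as continuation lines of the preceding record.
LOG_LINE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"\*(?P<level>[A-Z]+)\* \[(?P<thread>[^\]]+)\] (?P<logger>\S+) (?P<msg>.*)$"
)
SAML_HANDLER = "com.adobe.granite.auth.saml.SamlAuthenticationHandler"
SYNC_FAILED = "User synchronization failed"
OAK_ACCESS_DENIED = "OakAccess0000"

# Constructed sample: the records quoted in the post above, followed by a
# made-up second failure on the same thread two seconds later.
SAMPLE_LOG = """\
21.08.2015 11:00:34.067 *INFO* [qtp301437638-159160] org.apache.sling.auth.core.impl.SlingAuthenticator getAnonymousResolver: Anonymous access not allowed by configuration - requesting credentials
21.08.2015 11:00:34.954 *ERROR* [qtp301437638-159160] com.adobe.granite.auth.saml.SamlAuthenticationHandler User synchronization failed: Could not access repository.
javax.jcr.AccessDeniedException: OakAccess0000: Access denied
    at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:231)
    at com.adobe.granite.auth.saml.SamlAuthenticationHandler.handleLogin(SamlAuthenticationHandler.java:650)
21.08.2015 11:00:36.120 *ERROR* [qtp301437638-159160] com.adobe.granite.auth.saml.SamlAuthenticationHandler User synchronization failed: Could not access repository.
javax.jcr.AccessDeniedException: OakAccess0000: Access denied
    at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:231)
""".splitlines()


def parse_record(line):
    """Parse one error.log header line; return None for continuation lines."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d.%m.%Y %H:%M:%S.%f")
    return rec


def find_sync_failures(lines):
    """Collect every SAML user-synchronisation failure together with the
    exception line printed directly after it (the root cause)."""
    failures = []
    for i, line in enumerate(lines):
        rec = parse_record(line)
        if rec is None or rec["level"] != "ERROR":
            continue
        if rec["logger"] != SAML_HANDLER or SYNC_FAILED not in rec["msg"]:
            continue
        cause = ""
        if i + 1 < len(lines) and parse_record(lines[i + 1]) is None:
            cause = lines[i + 1].strip()
        failures.append({"ts": rec["ts"], "thread": rec["thread"], "cause": cause})
    return failures


def diagnose(lines):
    """Summarise the failures and name the first thing to verify."""
    failures = find_sync_failures(lines)
    denied = [f for f in failures if OAK_ACCESS_DENIED in f["cause"]]
    summary = {
        "sync_failures": len(failures),
        "access_denied": len(denied),
        "threads": sorted({f["thread"] for f in failures}),
        "repeating": len(failures) > 1,
        "check": None,
    }
    if denied:
        # The save() in handleLogin runs as the service user mapped to the
        # SAML bundle, so an Oak access denial there is a permission problem
        # under /home/users, not a SAML assertion problem.
        summary["check"] = ("service user mapped to com.adobe.granite.auth.saml "
                            "cannot write under /home/users (verify mapping and ACL)")
    return summary


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a real error.log by replacing `SAMPLE_LOG` with `open(path).read().splitlines()`; the `threads` field shows whether the failures come from one request thread looping or from many users.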

7 Replies

Employee Advisor

Check whether the user "authentication-service" has Modify/Create permissions on the /home/users folder in CRX. You can check the permissions on this page: localhost:4502/useradmin

Level 10

If the group attribute passed from SAML, or the default, is configured as administrator, then it fails. The issue is logged internally and should be fixed as part of SP1. Either send a non-admin group or file a support request to get a hotfix.

Level 5

Thanks Kunal. It does have permissions.

Do we still need to import the cert at /etc/key/saml for 6.1? As far as I know, all I had to do was go to Security, Users, Manage Trust Store and import it there. Do I still need to use the curl command and import it into /etc/key/saml?

Employee Advisor

Navigate to the following path, /etc/key/saml/idp_cert, in CRXDE to verify whether your keys exist in CRX or not. If not, then you can try importing them using the curl command.

Also, check whether you have the following service mapping node for SAML in the repository and the user.mapping property is set to "com.adobe.granite.auth.saml=authentication-service":

/libs/system/config/org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended-com.adobe.granite.auth.saml
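The mapping node named above can be read back as JSON (Sling's default GET servlet renders any node when `.json` is appended to its path), which makes the check scriptable. The following is an added example, not code from the reply or from Adobe: it parses the `user.mapping` property in Sling's `bundle-symbolic-name[:subservice]=user` syntax, which may be stored as a single String or a String[], and verifies that the SAML bundle is mapped to `authentication-service`. The JSON samples are constructed for the example; only the `user.mapping` values matter.

```python
import json

SAML_SERVICE = "com.adobe.granite.auth.saml"   # bundle symbolic name the handler runs as
EXPECTED_USER = "authentication-service"       # service user named in the reply above
MAPPING_NODE = ("/libs/system/config/org.apache.sling.serviceusermapping.impl."
                "ServiceUserMapperImpl.amended-com.adobe.granite.auth.saml")

# Constructed samples of what "GET <MAPPING_NODE>.json" could return for the
# sling:OsgiConfig node. Everything but user.mapping is filler.
SAMPLE_GOOD = json.dumps({
    "jcr:primaryType": "sling:OsgiConfig",
    "user.mapping": ["com.adobe.granite.auth.saml=authentication-service"],
})
SAMPLE_WRONG_USER = json.dumps({
    "jcr:primaryType": "sling:OsgiConfig",
    "user.mapping": ["com.adobe.granite.auth.saml=some-other-user"],
})
SAMPLE_MISSING = json.dumps({"jcr:primaryType": "sling:OsgiConfig"})
# A single-valued property is rendered as a plain string, not a list, and this
# entry names a subservice, so it does not cover the bundle-wide lookup.
SAMPLE_SINGLE = json.dumps({
    "jcr:primaryType": "sling:OsgiConfig",
    "user.mapping": "com.adobe.granite.auth.saml:sync=authentication-service",
})


def parse_user_mapping(node_json):
    """Turn the user.mapping property into {(bundle, subservice): user}.

    Entry syntax is "bundle-symbolic-name[:subservice]=user"; subservice is
    None when absent. Malformed entries raise ValueError."""
    data = json.loads(node_json)
    raw = data.get("user.mapping", [])
    if isinstance(raw, str):
        raw = [raw]
    mapping = {}
    for entry in raw:
        service, sep, user = entry.partition("=")
        if not sep or not user.strip():
            raise ValueError(f"malformed user.mapping entry: {entry!r}")
        bundle, _, subservice = service.partition(":")
        mapping[(bundle.strip(), subservice.strip() or None)] = user.strip()
    return mapping


def check_saml_mapping(node_json, expected_user=EXPECTED_USER):
    """Return (ok, message) for the SAML handler's service user mapping."""
    mapping = parse_user_mapping(node_json)
    user = mapping.get((SAML_SERVICE, None))
    if user is None:
        subs = [s for (b, s) in mapping if b == SAML_SERVICE and s]
        hint = f" (only subservice mappings found: {subs})" if subs else ""
        return False, f"no user.mapping entry for {SAML_SERVICE}{hint}"
    if user != expected_user:
        return False, f"{SAML_SERVICE} is mapped to {user!r}, expected {expected_user!r}"
    return True, f"{SAML_SERVICE} -> {user}"


if __name__ == "__main__":
    print(f"checking mapping as stored at {MAPPING_NODE}")
    for name, sample in [("good", SAMPLE_GOOD), ("wrong user", SAMPLE_WRONG_USER),
                         ("missing", SAMPLE_MISSING), ("subservice only", SAMPLE_SINGLE)]:
        ok, msg = check_saml_mapping(sample)
        print(f"{name:16}{'OK ' if ok else 'BAD'}  {msg}")
```

Against a live instance, feed `check_saml_mapping` the body of an authenticated GET on `MAPPING_NODE + ".json"`; a passing mapping only confirms which user the handler saves as, so the ACLs of that user under /home/users still need to be checked separately, as the earlier reply says.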

Level 5

Sham

So when I configured SAML at the URL /, it goes into an infinite loop with the above error.

I created a content/imf/en structure. Then I configured SAML to kick in for /content/imf/en. If I go to that URL, it does sign me in, but throws me to the /saml_login page with a 403 access denied error.

If I remove auto-create groups and auto-create users, and manually add, say, my login to a pre-defined group, it works perfectly. But we want the auto-create to work as expected.

Correct answer by
Level 10

Configuring on the AEM side for content/imf/en does not help, and you need to configure the destination at the IDP also. As informed earlier, if the group passed from the IDP is administrator then there is a problem; please file a support ticket.

Level 2

Hi Chetan and Sham,

I am facing exactly the same problem. May I know what you did to resolve the issue?

I have configured the following path in SAML config

/saml_login

/content/myApp

Auto create is true

Group Membership is blank

Default Group is "TestGroup" (exists in AEM)

If I create the user in AEM, it works fine. ---> We have a problem over here: if the user exists in the IDP and doesn't exist in AEM, then requests go into an infinite loop. Is there a solution to this problem?

If the user doesn't exist in AEM (Auto Create true), then it goes into an infinite loop with the error:

15.12.2015 12:17:54.038 *ERROR* [qtp1873795275-244] com.adobe.granite.auth.saml.SamlAuthenticationHandler User synchronization failed: Could not access repository.
javax.jcr.AccessDeniedException: OakAccess0000: Access denied
    at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:231)
    at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:212)
    at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.newRepositoryException(SessionDelegate.java:594)

Thanks and Regards,

Deepak