How to troubleshoot SAML related issues in AEM

Objective

How we can troubleshoot SAML related issues with AEM ? What information would be required to troubleshoot ?

Steps

Infinite loop Issue:

  • Check if ds:signature is part of SAML assertion > If not, This is to be done on IDP end and check the checkbox for signed Assertion
  • Check for nameId format in SAML response, The format should exactly match the nameId Policy format as configured in SAML Config
  • Check for SAML AudienceRestriction in SAML response, The value of this tag should exactly match the entity ID in SAML config
  • Check for saml2:conditions(NotBefore & NotOnOrAfter), Server is not in sync with ntp server.Use ntpd and force it to sync sys time (ntpdate -s pool.ntp.org). For test, change the clock tolerance to -1, this will ignore clock difference.
  • Check if idp do not have assertion signed. Ask idp team that response is signed and the assertion needs to be signed as per saml spec. 
  • Check if SAML tracer output if the assertion from IDP is encrypted. If yes, Config of SAML auth handler should use the encryption checkbox

Check if SAML Certificate is in proper format:

  • Fetch the signature from SAML response and correct the certificate i.e. after 65th line, press enter and so on.
  • This can be then used to install in AEM truststore and match certificate details with IDP.

Encryption:

  • First always complete SAML setup without encryption. When this is done then enable encryption. Using this way it is easy to debug the issue

Dispatcher:

  • Make sure SAML login request is allowed in the filters section.If not, Update the /filter section to allow POST requests to */saml_login.

    /0100 { /type "allow" /method "POST" /url "*/saml_login" }
  • Check for change in Mod header(mod_header) on web server level in httpd.conf.It should be in below format
    <<<<<< Header always edit Set-Cookie (.*) "$1; HTTPOnly; Secure" >>>>>

Invalid Assertion:

com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: Signature invalid.
com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request
  • Issue could be with certificate stored in the truststore. Solution here could be to delete and re-upload the new idp_cert and check the use-case.
  • If you are not encypting the SAML response, you can ignore "Private key of SP not provided: Cannot sign Authn request" error.

Cannot Retrieve Private Key:

[com.adobe.granite.security.user.internal.servlets.KeyStoreManagingServlet,1121, [javax.servlet.Servlet]] ServiceEvent REGISTERED
saml.log:27.01.2019 14:16:13.642 *ERROR* [qtp275633701-179] com.adobe.granite.auth.saml.SamlAuthenticationHandler KeyStore uninitialized. Cannot retrieve private key to decrypt assertions.
  • This error means, IDP has encrypted the assertionand there is no private key to decrypt the response. If you want to encrypt the response, you need to upload a valid private key in the AEM keystore.

Information to provide when raising a SAML related Support ticket:

  • SAML Request
  • SAML Response 
  • SAML configuration
  • DEBUG logs for SAML (com.adobe.granite.auth.saml)
  • Error.log
  • HAR[1] file to extract SAML Request/Response

[1]https://help.tenderapp.com/kb/troubleshooting-your-tender-site/generating-an-har-file

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License  Twitter™ and Facebook posts are not covered under the terms of Creative Commons.

Legal Notices   |   Online Privacy Policy