Configuring SAML authentication with Okta | AEM

Issue

When trying to integrate an Okta authentication with AEM SAML, you face the following issue:

11.10.2017 16:33:14.633 *DEBUG* [qtp830180711-278] com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: audienceRestrictions violated.
11.10.2017 16:33:14.633 *INFO* [qtp830180711-278] com.adobe.granite.auth.saml.SamlAuthenticationHandler Login failed. SAML token invalid.
11.10.2017 16:33:14.633 *INFO* [qtp830180711-278] com.adobe.granite.auth.saml.SamlAuthenticationHandler SAML error with reason: invalid_token detected, redirect user to: /libs/granite/core/content/login.error.html?j_reason=invalid_token

Cause

The cause is a difference between the Login URL defined in Okta and the Service Provided Entity ID defined in SAML 2.0 Authentication handler. 

Both the values have to be aligned and the value returned by the IDP can be seen in the response like:

<saml2:Audience>http://localhost:4502/</saml2:Audience>

Resolution

Define the audience value returned in the SAML response to the Service Provider Entity ID in the AEM configuration and eventually add the trailing "/" character.

 Adobe

Získajte pomoc rýchlejšie a ľahšie

Nový užívateľ?

Adobe MAX 2024

Adobe MAX
Konferencia o kreativite

14. – 16. októbra Miami Beach a online

Adobe MAX

Konferencia o kreativite

14. – 16. októbra Miami Beach a online

Adobe MAX 2024

Adobe MAX
Konferencia o kreativite

14. – 16. októbra Miami Beach a online

Adobe MAX

Konferencia o kreativite

14. – 16. októbra Miami Beach a online