Adobe Experience Manager
After creating the SAML 2.0 configuration to enable SSO login on the production Author instance, AEM returned an error. The error appeared after the Azure identity provider had completed the login and the SAML token had been sent back to AEM to perform the authentication on the AEM side.
The error received is an HTTP 403: after verifying the SAML configuration, every attempt to log in to the AEM Author instance still returned the 403 error.
A 403 error usually appears when the Apache Sling Referrer Filter is not enabled (configured) to allow the request. On checking the Apache Sling Referrer Filter configuration, the Allow Empty option was unchecked and no host had been added to Allow Hosts.
For the SAML login to work, the Identity Provider’s hostname needs to be added to the Apache Sling Referrer Filter OSGi configuration.
Therefore, check Allow Empty, and add the hostname(s) of the IdP to Allow Hosts.
After completing these required steps, the login was successful.
Note: The IdP URL must be added to the Apache Sling Referrer Filter configuration as a bare hostname, without the protocol; for example, aem-sso-saml rather than the same hostname prefixed with the https:// (or http://) scheme.
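The same settings, expressed as an OSGi configuration file rather than through the Web Console form. This is an added example and not part of the original article: the PID `org.apache.sling.security.impl.ReferrerFilter` and the property names `allow.empty`, `allow.hosts` and `filter.methods` are the Apache Sling Referrer Filter's own, while the hostname `aem-sso-saml` is the article's example value and the deployment path `/apps/<project>/osgiconfig/config.author/` is an assumed project layout (the file would be named `org.apache.sling.security.impl.ReferrerFilter.cfg.json`).

```json
{
  "allow.empty": true,
  "allow.hosts": [
    "aem-sso-saml"
  ],
  "allow.hosts.regexp": [],
  "filter.methods": [
    "POST",
    "PUT",
    "DELETE",
    "COPY",
    "MOVE"
  ]
}
```

`filter.methods` lists the filter's default set of state-changing methods; it is included to show why the SAML login is affected at all: the IdP returns the assertion to AEM with a browser POST, and the filter rejects a POST whose Referer is absent or from an unlisted host. `allow.hosts` takes bare hostnames, matching the note above. `allow.empty` is the broader of the two settings, since it accepts any request that carries no Referer header at all, so the `allow.hosts` entry for the IdP is the one that scopes the exception to the SSO flow; keep both if the IdP redirect arrives without a Referer (for example under a `no-referrer` referrer policy), as the article's fix does.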