Troubleshooting SAML related issues in AEM
The article explains how to troubleshoot SAML (Security Assertion Markup Language) issues with AEM. It covers the infinite loop issue and the invalid assertion issue, among others, and the measures to resolve them.
Description
Environment
Experience Manager
Issue/Symptoms
How can we troubleshoot Security Assertion Markup Language (SAML) related issues with Adobe Experience Manager (AEM)?
Resolution
Infinite loop issue:
- Check whether ds:Signature is part of the SAML assertion. If not, this has to be fixed on the IdP end: enable the option to sign the assertion.
- Check the NameID format in the SAML response; it must exactly match the NameID Policy format configured in the SAML configuration.
- Check the AudienceRestriction in the SAML response; the value of this tag must exactly match the entity ID in the SAML configuration.
- Check the saml2:Conditions (NotBefore and NotOnOrAfter). If they fail, the server clock is not in sync with an NTP server. Use ntpd and force it to sync the system time (ntpdate -s pool.ntp.org). For testing, set the clock tolerance to -1, which ignores the clock difference.
- Check whether the IdP leaves the assertion unsigned. Signing the response alone is not enough; ask the IdP team to sign the assertion as well, as required by the SAML spec.
- Check in the SAML tracer output whether the assertion from the IdP is encrypted. If yes, the SAML authentication handler configuration must have the encryption checkbox enabled.
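The checks in the list above, as an added Python pre-check script that is not part of this article or of AEM: it parses a constructed sample Response with ElementTree and reports which check fails; the entity ID, NameID format and timestamps are assumed placeholder values.

```python
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def parse_saml_time(s):
    """SAML timestamps are ISO 8601 in UTC, e.g. 2019-01-27T14:16:13Z."""
    return dt.datetime.fromisoformat(s.replace("Z", "+00:00"))

def check_saml_response(xml_text, entity_id, nameid_format, now, clock_tolerance_s=60):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    if root.find("saml:EncryptedAssertion", NS) is not None:
        return ["assertion is encrypted: enable encryption in the handler config and upload the SP private key"]
    a = root.find("saml:Assertion", NS)
    if a is None:
        return ["Response carries no Assertion"]
    findings = []
    if a.find("ds:Signature", NS) is None:  # unsigned assertion: AEM rejects it and the login loops
        findings.append("assertion has no ds:Signature: the IdP must sign the assertion")
    nid = a.find("saml:Subject/saml:NameID", NS)
    fmt = nid.get("Format") if nid is not None else None
    if fmt != nameid_format:
        findings.append(f"NameID Format {fmt!r} does not match configured policy {nameid_format!r}")
    aud = [x.text for x in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if entity_id not in aud:
        findings.append(f"Audience {aud} does not contain the entity ID {entity_id!r}")
    cond = a.find("saml:Conditions", NS)
    if cond is not None and clock_tolerance_s >= 0:  # -1 skips the clock check, as the article suggests for testing
        tol = dt.timedelta(seconds=clock_tolerance_s)
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + tol < parse_saml_time(nb):
            findings.append(f"NotBefore {nb} is still in the future: check NTP sync")
        if noa and now - tol >= parse_saml_time(noa):
            findings.append(f"NotOnOrAfter {noa} has already passed: check NTP sync")
    return findings

# Constructed sample response with placeholder values, not a capture from a real IdP
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
 <saml:Assertion ID="_a1"><ds:Signature><ds:SignatureValue>c29tZQ==</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID Format="{EMAIL_FMT}">user@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2019-01-27T14:15:00Z" NotOnOrAfter="2019-01-27T14:20:00Z">
   <saml:AudienceRestriction><saml:Audience>https://aem.example.com/</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    print(check_saml_response(SAMPLE, "https://aem.example.com/", EMAIL_FMT, parse_saml_time("2019-01-27T14:16:13Z")))
```

Run it against a real Response pasted from the SAML tracer, with the entity ID and NameID policy taken from the AEM SAML configuration, before raising a ticket.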
Check if the SAML certificate is in the proper format:
- Fetch the signing certificate from the SAML response and correct its line wrapping, i.e., press Enter at the 65th character and so on.
- The certificate can then be installed in the AEM truststore; match its details with the IdP's certificate.
Encryption:
- Always complete the SAML setup without encryption first, then enable encryption. Done this way, the issue is easier to debug.
Dispatcher:
- Make sure the SAML login request is allowed in the filters section. If not, update the /filter section to allow POST requests to */saml_login: /0100 { /type "allow" /method "POST" /url "*/saml_login" }
- Check for changes to mod_headers at the web server level in httpd.conf. The directive should have the following format: Header always edit Set-Cookie (.*) "$1; HTTPOnly; Secure"
Invalid Assertion:
com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: Signature invalid.
com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request
- The issue could be with the certificate stored in the truststore. The solution is to delete and re-upload the new idp_cert and re-test the use case.
- If you are not encrypting the SAML response, you can ignore the "Private key of SP not provided: Cannot sign Authn request" error.
Cannot Retrieve Private Key:
[ com.adobe.granite.security.user.internal.servlets.KeyStoreManagingServlet,1121, [ javax.servlet.Servlet] ] ServiceEvent REGISTERED
saml.log:27.01.2019 14:16:13.642 *ERROR* [ qtp275633701-179] com.adobe.granite.auth.saml.SamlAuthenticationHandler KeyStore uninitialized. Cannot retrieve private key to decrypt assertions.
- This error means the IdP has encrypted the assertion and there is no private key to decrypt the response. If you want the response to be encrypted, you need to upload a valid private key to the AEM keystore.
Information to provide when raising a SAML related Support ticket:
- SAML Request
- SAML Response
- SAML configuration
- DEBUG logs for SAML (com.adobe.granite.auth.saml)
- error.log
- HAR file to extract the SAML request/response