SSO fails after upgrading AEM from SP18 to SP22

After upgrading Adobe Experience Manager (AEM) from Service Pack 18 to Service Pack 22, Single Sign-On (SSO) stops working. The logs show authentication errors even though the IMS OAuth server successfully generates a token. To fix this, update the OSGi configuration by removing the unsupported session scope and verify IMS settings.

Description

Environment

  • Product: Adobe Experience Manager (AEM) Managed Services
  • Version: 6.5, Service Pack (SP) 22

Issue/Symptoms

After upgrading AEM from SP 18 to SP 22, Single Sign-On (SSO) functionality stopped working. The following error messages are observed in the logs:

  • Failed to retrieve user identification; cannot authenticate
  • j_reason param value ‘Authentication Failed’ cannot be mapped to a valid reason message

Token response is successfully generated by the IMS OAuth server but fails during user identification retrieval.

Resolution

To fix this issue:

  1. Review and update OSGi configuration:

    • Go to /system/console/configMgr.
    • Find the configuration for com.adobe.granite.auth.oauth.provider or its IMS-specific variant.
    • Check the scope property.
    • If session is included, remove it. The session scope is normally requested by a client that needs session-related data, such as authentication tokens, user preferences or other data that should persist across interactions within the same session. Because this scope is unsupported by the provider after the upgrade, it is recommended to remove it.
    • Save the updated configuration.
  2. Verify IMS settings:

    • Ensure that instance ID, owning entity, and service code are correctly configured.
    • Confirm alignment with the product profile in AEM SP22.
  3. Understand the scope adjustment:

    • The session scope can cause issues if unsupported or unnecessary.
    • Removing unsupported scopes ensures compatibility with the OAuth provider.
    • Simplified scope settings reduce misconfigurations and improve performance.
  4. Test and validate:

    • Test SSO functionality thoroughly after making changes.
    • Perform sanity tests to verify basic SSO operations like login, token exchange, and user identification.
    • Run regression tests to ensure that existing features such as user session persistence, role-based access, and integration with other AEM modules continue to work as expected.
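As an added example (not Adobe's code or part of this article), the following Python applies the checks from steps 1 and 2 to a constructed OSGi `.cfg.json` fragment: it strips the unsupported session scope while keeping the property's original shape, and flags empty IMS settings. The property names `scope`, `instanceId`, `owningEntity` and `serviceCode` are assumptions chosen for illustration; the real names in your instance may differ.

```python
# Added example, not Adobe's code. Property names below are assumptions.
import json

UNSUPPORTED_SCOPES = {"session"}
REQUIRED_IMS_KEYS = ("instanceId", "owningEntity", "serviceCode")


def strip_unsupported_scopes(scope):
    """Return the scope value with unsupported entries removed.

    OSGi configs store multi-value properties either as a JSON array or as one
    space-separated string; both forms are handled and the shape is preserved.
    """
    if isinstance(scope, list):
        return [s for s in scope if s not in UNSUPPORTED_SCOPES]
    if isinstance(scope, str):
        return " ".join(s for s in scope.split() if s not in UNSUPPORTED_SCOPES)
    raise TypeError(f"unexpected scope type: {type(scope).__name__}")


def check_config(config):
    """Return (fixed_config, findings) for one OSGi configuration dict."""
    fixed = dict(config)
    findings = []
    if "scope" in fixed:
        before = fixed["scope"]
        after = strip_unsupported_scopes(before)
        if before != after:
            findings.append(f"removed unsupported scope(s) from {before!r}")
            fixed["scope"] = after
    for key in REQUIRED_IMS_KEYS:  # step 2: IMS settings must be present
        if not str(fixed.get(key, "")).strip():
            findings.append(f"IMS setting {key!r} is missing or empty")
    return fixed, findings


def check_config_text(text):
    """Same as check_config, but takes the raw .cfg.json text."""
    return check_config(json.loads(text))


# Constructed sample fragment; values are placeholders, not real settings.
SAMPLE_CFG = json.dumps({
    "scope": ["openid", "AdobeID", "session"],
    "instanceId": "placeholder-instance-id",
    "owningEntity": "",
    "serviceCode": "placeholder-service-code",
})

if __name__ == "__main__":
    fixed, findings = check_config_text(SAMPLE_CFG)
    print(json.dumps(fixed, indent=2))
    for finding in findings:
        print("finding:", finding)
```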