How to investigate SAML related issues

This video walks through the steps to investigate SAML related issues in AEM.

Hello everyone. In this video, we will discuss the steps to investigate SAML related issues in Adobe Experience Manager. We may encounter various issues while accessing AEM with the single sign-on feature implemented via SAML, like the user not being redirected to the expected landing page, or getting stuck in an infinite loop. In such cases, we will need to diagnose the problem. There are some collaterals that need to be captured for this purpose, which include: error logs, the SAML request and response, the SAML configuration, the Apache Sling Referrer Filter configuration, SAML debug logs, and the HAR file.

Error logs can be found in the logs folder of the crx-quickstart directory, where the AEM instance is installed.

To capture the SAML request and response XML, the first step is to enable a SAML tracer in the browser. We can choose any tool available online to capture the SAML request and response, like SAML Tracer or SAML Message Decoder. Here we are using the SAML Message Decoder plugin available on the Google Chrome Web Store. Once the plugin is added, click on the SAML Tracer icon in the upper right add-in menu of the respective browser. This will open the SAML Tracer dialog box. Now, try to sign into AEM using your federated ID login credentials. The SAML Tracer dialog box records and displays details as shown. After the issue is encountered, copy the SAML request and response trace for further analysis.

To capture the SAML configuration, visit the AEM Web Console page and select Configuration from the OSGi dropdown menu. On this page, search for SAML 2.0 Authentication Handler. This will give details about the SAML configuration. On the same page, now search for Apache Sling Referrer Filter to get details about its configuration.

Now we need to capture the SAML debug logs. Visit the AEM Web Console Log Support page and click on Add new Logger. Set Log Level to DEBUG, and enter the name required for the log file in the Log File field. Here we have named the file saml.log. Set the API name in the Logger field as shown. Once done, click on Save. This log file will be available inside the logs folder with the given name.

To capture the HAR file, go to Developer Tools in the browser and select the Network tab from the panel. Now we need to start recording the logs and replicate the issue we had encountered, that is, accessing AEM with the SSO feature. For a detailed walkthrough on capturing a HAR file, refer to the video titled “How to Capture HAR HTTP Archive Logs”, available on the Adobe Experience League portal.

All these artifacts and logs can also be shared with the AEM Support Team for further assistance. Thank you for watching this video.
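Once the SAML trace and the HAR file are captured, the next step is to read the messages they contain. The following Python script is an added example, not part of this video and not Adobe's tooling: it decodes the SAMLRequest (HTTP-Redirect binding, DEFLATE then base64) and SAMLResponse (HTTP-POST binding, base64) entries found in a HAR file and summarizes the Issuer, Destination, Recipient, Audience, NameID, status and expiry, which are the fields to compare against the SAML 2.0 Authentication Handler configuration when a login fails or loops. The HAR content, the hostnames (aem.example.test, idp.example.test), the user name and all timestamps are constructed for the example.

```python
"""Decode SAML messages from a HAR capture and summarize the fields that usually explain
a failed SSO login. Added example for this transcript; all sample data below is constructed."""
import base64
import json
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime
from urllib.parse import parse_qs, urlencode, urlparse

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def decode_redirect_binding(value):
    # HTTP-Redirect binding: raw DEFLATE (no zlib header, hence wbits=-15), then base64
    return zlib.decompress(base64.b64decode(value), -15)


def decode_post_binding(value):
    # HTTP-POST binding: plain base64 of the XML document
    return base64.b64decode(value)


def summarize(xml_bytes):
    """Pull out the fields of an AuthnRequest or Response worth checking first."""
    root = ET.fromstring(xml_bytes)
    info = {"type": root.tag.split("}")[-1],
            "issuer": root.findtext("saml:Issuer", namespaces=NS),
            "destination": root.get("Destination")}
    if info["type"] == "AuthnRequest":
        info["acs_url"] = root.get("AssertionConsumerServiceURL")
        return info
    info["status"] = root.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    assertion = root.find("saml:Assertion", NS)
    if assertion is not None:
        cond = assertion.find("saml:Conditions", NS)
        scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        info["name_id"] = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
        info["audience"] = cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS)
        info["not_on_or_after"] = cond.get("NotOnOrAfter")
        info["recipient"] = scd.get("Recipient") if scd is not None else None
    return info


def extract_saml_messages(har):
    """Walk the HAR entries and decode SAMLRequest (query string) and SAMLResponse (form body)."""
    messages = []
    for entry in har["log"]["entries"]:
        request = entry["request"]
        query = parse_qs(urlparse(request["url"]).query)
        if "SAMLRequest" in query:
            messages.append(summarize(decode_redirect_binding(query["SAMLRequest"][0])))
        for param in request.get("postData", {}).get("params", []):
            if param["name"] == "SAMLResponse":
                messages.append(summarize(decode_post_binding(param["value"])))
    return messages


def _parse_time(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def check_response(info, expected_acs, expected_audience, now_iso):
    """Return findings to compare against the SAML 2.0 Authentication Handler settings."""
    findings = []
    if info.get("status") != SUCCESS:
        findings.append(f"status is {info.get('status')}")
    for field in ("destination", "recipient"):
        if info.get(field) != expected_acs:
            findings.append(f"{field} {info.get(field)!r} does not match ACS {expected_acs!r}")
    if info.get("audience") != expected_audience:
        findings.append(f"audience {info.get('audience')!r} does not match {expected_audience!r}")
    expiry = info.get("not_on_or_after")
    if expiry and _parse_time(expiry) <= _parse_time(now_iso):
        findings.append(f"assertion expired at {expiry}")
    return findings


# Constructed sample messages (not captured from any real system).
AUTHN_REQUEST = b"""<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0"
 IssueInstant="2024-01-01T00:00:00Z" Destination="https://idp.example.test/sso"
 AssertionConsumerServiceURL="https://aem.example.test/saml_login">
<saml:Issuer>https://aem.example.test</saml:Issuer></samlp:AuthnRequest>"""

RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c2" Version="2.0"
 IssueInstant="2024-01-01T00:00:05Z" Destination="https://aem.example.test/saml_login">
<saml:Issuer>https://idp.example.test</saml:Issuer>
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<saml:Assertion ID="_c3" Version="2.0" IssueInstant="2024-01-01T00:00:05Z">
<saml:Issuer>https://idp.example.test</saml:Issuer>
<saml:Subject><saml:NameID>alice@example.test</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData Recipient="http://aem.example.test/saml_login" NotOnOrAfter="2024-01-01T00:05:05Z"/>
</saml:SubjectConfirmation></saml:Subject>
<saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:05Z">
<saml:AudienceRestriction><saml:Audience>https://aem.example.test</saml:Audience></saml:AudienceRestriction>
</saml:Conditions></saml:Assertion></samlp:Response>"""


def _deflate_b64(xml_bytes):
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_bytes) + comp.flush()).decode()


# Constructed HAR with the two entries a SAML login produces: the redirect to the IdP and the POST back.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET",
                 "url": "https://idp.example.test/sso?" + urlencode({"SAMLRequest": _deflate_b64(AUTHN_REQUEST)})}},
    {"request": {"method": "POST", "url": "https://aem.example.test/saml_login",
                 "postData": {"params": [{"name": "SAMLResponse",
                                          "value": base64.b64encode(RESPONSE).decode()}]}}},
]}}

if __name__ == "__main__":
    msgs = extract_saml_messages(SAMPLE_HAR)
    print(json.dumps(msgs, indent=2))
    print(check_response(msgs[1], "https://aem.example.test/saml_login",
                         "https://aem.example.test", "2024-01-01T00:01:00Z"))
```

Run against a real capture by loading the HAR with `json.load` in place of `SAMPLE_HAR` and passing the ACS URL and entity ID from the SAML 2.0 Authentication Handler configuration. In the constructed sample, the assertion's Recipient uses `http://` while the ACS URL is `https://`, so the script reports that one mismatch and nothing else; the same kind of output from a real trace tells you which handler setting to compare with the IdP side.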