Wednesday, May 30, 2018

Exceptions/Issues while configuring SAML Authentication Handler - Adobe Experience Manager(AEM)

Exceptions/Issues while configuring SAML Authentication Handler - Adobe Experience Manager(AEM)


This post explains the Exceptions/Issues received while configuring the SAML authentication handler and the fixes to overcome the issues.

Issue1:


Problem accessing /saml_login. Reason:
com.adobe.granite.keystore.KeyStoreNotInitialisedException: Uninitialised system trust store.

uninitialized-system-trust-store


14.05.2018 11:24:39.988 *WARN* [qtp1134377453-62] org.eclipse.jetty.servlet.ServletHandler /saml_login
com.adobe.granite.keystore.KeyStoreNotInitialisedException: Uninitialised system trust store.
at com.adobe.granite.keystore.internal.KeyStoreServiceImpl.internalGetTrustStore(KeyStoreServiceImpl.java:462)
at com.adobe.granite.keystore.internal.KeyStoreServiceImpl.getTrustStore(KeyStoreServiceImpl.java:151)
at com.adobe.granite.auth.saml.SamlAuthenticationHandler.handleLogin(SamlAuthenticationHandler.java:577)
at com.adobe.granite.auth.saml.SamlAuthenticationHandler.extractCredentials(SamlAuthenticationHandler.java:348)
at org.apache.sling.auth.core.impl.AuthenticationHandlerHolder.doExtractCredentials(AuthenticationHandlerHolder.java:75)
at org.apache.sling.auth.core.impl.AbstractAuthenticationHandlerHolder.extractCredentials(AbstractAuthenticationHandlerHolder.java:60)
at org.apache.sling.auth.core.impl.SlingAuthenticator.getAuthenticationInfo(SlingAuthenticator.java:709)
at org.apache.sling.auth.core.impl.SlingAuthenticator.doHandleSecurity(SlingAuthenticator.java:461)
at org.apache.sling.auth.core.impl.SlingAuthenticator.handleSecurity(SlingAuthenticator.java:446)
at org.apache.sling.engine.impl.SlingHttpContext.handleSecurity(SlingHttpContext.java:121)
at org.apache.felix.http.base.internal.context.ServletContextImpl.handleSecurity(ServletContextImpl.java:339)
at org.apache.felix.http.base.internal.handler.ServletHandler.doHandle(ServletHandler.java:334)
at org.apache.felix.http.base.internal.handler.ServletHandler.handle(ServletHandler.java:297)
at org.apache.felix.http.base.internal.dispatch.ServletPipeline.handle(ServletPipeline.java:93)
at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:50)
at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:31)
at org.apache.sling.i18n.impl.I18NFilter.doFilter(I18NFilter.java:129)


Problem accessing /saml_login. Reason:
com.adobe.granite.keystore.KeyStoreNotInitialisedException: Uninitialised key store for user authentication-service

Uninitialised-Keystore-authentication-service



9.05.2018 21:06:04.890 *WARN* [qtp1892229876-64] org.eclipse.jetty.servlet.ServletHandler /saml_login
com.adobe.granite.keystore.KeyStoreNotInitialisedException: Uninitialised key store for user authentication-service
at com.adobe.granite.keystore.internal.KeyStoreServiceImpl.internalGetKeyStore(KeyStoreServiceImpl.java:428)
at com.adobe.granite.keystore.internal.KeyStoreServiceImpl.getKeyStore(KeyStoreServiceImpl.java:122)
at com.adobe.granite.keystore.internal.KeyStoreServiceImpl.getKeyStore(KeyStoreServiceImpl.java:116)
at com.adobe.granite.auth.saml.SamlAuthenticationHandler.handleLogin(SamlAuthenticationHandler.java:578)
at com.adobe.granite.auth.saml.SamlAuthenticationHandler.extractCredentials(SamlAuthenticationHandler.java:348)
at org.apache.sling.auth.core.impl.AuthenticationHandlerHolder.doExtractCredentials(AuthenticationHandlerHolder.java:75)
at org.apache.sling.auth.core.impl.AbstractAuthenticationHandlerHolder.extractCredentials(AbstractAuthenticationHandlerHolder.java:60)
at org.apache.sling.auth.core.impl.SlingAuthenticator.getAuthenticationInfo(SlingAuthenticator.java:709)
at org.apache.sling.auth.core.impl.SlingAuthenticator.doHandleSecurity(SlingAuthenticator.java:461)
at org.apache.sling.auth.core.impl.SlingAuthenticator.handleSecurity(SlingAuthenticator.java:446)
at org.apache.sling.engine.impl.SlingHttpContext.handleSecurity(SlingHttpContext.java:121)
at org.apache.felix.http.base.internal.context.ServletContextImpl.handleSecurity(ServletContextImpl.java:339)
at org.apache.felix.http.base.internal.handler.ServletHandler.doHandle(ServletHandler.java:334)
at org.apache.felix.http.base.internal.handler.ServletHandler.handle(ServletHandler.java:297)
at org.apache.felix.http.base.internal.dispatch.ServletPipeline.handle(ServletPipeline.java:93)
at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:50)
at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:31)
at org.apache.sling.i18n.impl.I18NFilter.doFilter(I18NFilter.java:129)


This issue occurs if the Keystore and Truststore are not initialized.

Follow the below steps to configure the Keystore and Truststore

Login to user admin through touch UI URL - http://localhost:4502/libs/granite/security/content/useradmin.html

Search for authentication-service and open it

authentication-service

Click on "Create KeyStore"
Enter the password and click OK

aem-key-store


Click on "Create TrustStore"
Enter the password and click OK

aem-trust-store

Issue2:

saml-authentication-handler-forbidden


14.05.2018 11:33:09.169 *INFO* [qtp1134377453-180] org.apache.sling.security.impl.ReferrerFilter Rejected empty referrer header for POST request to /saml_login

This issue will occur if the empty referrer is not allowed for the IDP host.

Follow the below steps to fix the issue

Login to config Manager - http://localhost:4502/system/console/configMgr

Locate "Apache Sling Referrer Filter"

Select "Allow Empty" and enter DP host in "Allow Hosts"

apache-sling-referrer-filter

Issue3:



14.05.2018 11:47:58.087 *ERROR* [qtp1134377453-189] com.adobe.granite.auth.saml.binding.PostBinding Unable to receive SAML message. Could not read IdP certificate from truststore.

This issue occurs if the valid certificate is not present in the Trust Store and the latest certificate alias is not configured in Adobe Granite SAML 2.0 Authentication Handler. The browser will be in an infinite loop loading the URL for this issue

Follow the below steps to fix the issue.

Login to user admin through touch UI URL - http://localhost:4502/libs/granite/security/content/useradmin.html

Search for authentication-service and open it

Click on "Manage TrustStore"

Click on "Select Certificate File" and select the IDP public certificate

aem-trust-store-certificate

Click on Submit, this will upload the certificate to Trust Store

aem-trust-store-certificate


Copy the Alias and configure it in "Adobe Granite SAML 2.0 Authentication Handler"

cert_alias_saml_authentication-handler

Issue4:


14.05.2018 14:49:26.832 *INFO* [qtp1134377453-62] com.adobe.granite.auth.saml.SamlAuthenticationHandler Login failed. SAML token invalid.

This issue occurs if the saml:Audience value in SAML response is different than the Service Provider Entity ID value configured in the Adobe Granite SAML 2.0 Authentication Handler. The browser will be in an infinite loop loading the URL for this issue

As resolution sync the values between IDP and Adobe Granite SAML 2.0 Authentication Handler

The saml:Audience can be referred in SAML response, make sure the values are exactly matching.

<saml:Audience>http://xxxxxxxxxxxxxxx:4502</saml:Audience>


Issue5:

aem-crypto-exception-canot-convert-data

java.lang.SecurityException: com.adobe.granite.crypto.CryptoException: Cannot convert byte data

11.05.2018 15:31:24.895 *ERROR* [qtp1387580811-134467] org.apache.felix.http.jetty Exception while processing request to /favicon.ico (java.lang.SecurityException: com.adobe.granite.crypto.CryptoException: Cannot convert byte data)
java.lang.SecurityException: com.adobe.granite.crypto.CryptoException: Cannot convert byte data
at com.adobe.granite.keystore.internal.KeyStoreServiceImpl.extractStorePassword(KeyStoreServiceImpl.java:609)
at com.adobe.granite.keystore.internal.KeyStoreServiceImpl.internalGetKeyStore(KeyStoreServiceImpl.java:428)
at com.adobe.granite.keystore.internal.KeyStoreServiceImpl.getKeyStore(KeyStoreServiceImpl.java:125)
at com.adobe.granite.keystore.internal.KeyStoreServiceImpl.getKeyStore(KeyStoreServiceImpl.java:119)
at com.adobe.granite.auth.saml.SamlAuthenticationHandler.requestCredentials(SamlAuthenticationHandler.java:479)
at org.apache.sling.auth.core.impl.AuthenticationHandlerHolder.doRequestCredentials(AuthenticationHandlerHolder.java:83)
at org.apache.sling.auth.core.impl.AbstractAuthenticationHandlerHolder.requestCredentials(AbstractAuthenticationHandlerHolder.java:83)
at org.apache.sling.auth.core.impl.SlingAuthenticator.login(SlingAuthenticator.java:542)
at org.apache.sling.auth.core.impl.SlingAuthenticator.doLogin(SlingAuthenticator.java:1080)
at org.apache.sling.auth.core.impl.SlingAuthenticator.getAnonymousResolver(SlingAuthenticator.java:892)
at org.apache.sling.auth.core.impl.SlingAuthenticator.doHandleSecurity(SlingAuthenticator.java:492)
at org.apache.sling.auth.core.impl.SlingAuthenticator.handleSecurity(SlingAuthenticator.java:451)
at org.apache.sling.engine.impl.SlingHttpContext.handleSecurity(SlingHttpContext.java:121)
at org.apache.felix.http.base.internal.service.ServletContextImpl.handleSecurity(ServletContextImpl.java:421)
at org.apache.felix.http.base.internal.dispatch.InvocationChain.doFilter(InvocationChain.java:57)
at org.apache.felix.http.base.internal.dispatch.Dispatcher.dispatch(Dispatcher.java:124)
at org.apache.felix.http.base.internal.DispatcherServlet.service(DispatcherServlet.java:61)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:221)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
at org.eclipse.jetty.server.Server.handle(Server.java:499)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
at java.lang.Thread.run(Thread.java:745)
Caused by: com.adobe.granite.crypto.CryptoException: Cannot convert byte data
at com.adobe.granite.crypto.internal.CryptoSupportImpl.unprotect(CryptoSupportImpl.java:160)
at com.adobe.granite.keystore.internal.KeyStoreServiceImpl.extractStorePassword(KeyStoreServiceImpl.java:601)
... 34 common frames omitted
Caused by: com.adobe.granite.crypto.CryptoException: Failed decrypting cipher text
at com.adobe.granite.crypto.internal.CryptoSupportImpl.decrypt(CryptoSupportImpl.java:96)
at com.adobe.granite.crypto.internal.CryptoSupportImpl.unprotect(CryptoSupportImpl.java:157)
... 35 common frames omitted
Caused by: com.rsa.jsafe.JSAFE_PaddingException: Invalid padding.
at com.rsa.jsafe.JSAFE_SymmetricCipher.decryptFinal(Unknown Source)
at com.adobe.granite.crypto.internal.jsafe.JSafeCryptoSupport.getPlainText(JSafeCryptoSupport.java:325)
at com.adobe.granite.crypto.internal.jsafe.JSafeCryptoSupport.getPlainText(JSafeCryptoSupport.java:307)
at com.adobe.granite.crypto.internal.CryptoSupportImpl.decrypt(CryptoSupportImpl.java:94)
... 36 common frames omitted


This issue occurs if the /etc/key folder is deleted by mistake or /etc/key folder is migrated from a different server.

Please note this issue will not occur immediately after deleting the /etc/key folder or uploading, the issue occurs only after the server is restarted post deletion or uploading of /etc/key .

Follow the below steps to fix the issue:

Create the /etc/key package from backup or from the publisher and upload it

aem-package

aem-package



Restart the server

Follow the below additional steps if the issue is not resolved

Login to crxde and delete the following nodes - '/etc/truststore/truststore.p12' and '/home/users/system/authentication-service/keystore/store.p12'.

aem-trust-store

aem-key-store


Click Save All.

Follow the steps specified in Issue1 and Issue3 to initiate Trust/Key Store and to configure the IDP certificate.

Issue6:

Status 422 Unprocessable Entity/invalid payload


This issue will happen while the content paths(e.g /content/wknd/) other than root(/) is configured in the SAML handler but the reply URL in the IDP provider is enables as /saml_login instead of /content/wknd/saml_login


The reply URL should be configured in IDP based on the path specified in the SAM authentication handler - append /saml_login on the content path enabled in the SAML Auth handler.

Issue7:

Login struck at /saml_login while posting the SAM response back from IDP

This issue happens when the CORS policy is not enabled to allow POST requests from IDP origin.








1 comment: