Exceptions/Issues while configuring the SAML Authentication Handler - Adobe Experience Manager (AEM)
This post explains the exceptions and issues encountered while configuring the SAML authentication handler, and the fixes for each of them.
Issue1:
Problem accessing /saml_login. Reason:
com.adobe.granite.keystore.KeyStoreNotInitialisedException: Uninitialised system trust store.
14.05.2018 11:24:39.988 *WARN* [qtp1134377453-62] org.eclipse.jetty.servlet.ServletHandler /saml_login
com.adobe.granite.keystore.KeyStoreNotInitialisedException: Uninitialised system trust store.
at com.adobe.granite.keystore.internal.KeyStoreServiceImpl.internalGetTrustStore(KeyStoreServiceImpl.java:462)
at com.adobe.granite.keystore.internal.KeyStoreServiceImpl.getTrustStore(KeyStoreServiceImpl.java:151)
at com.adobe.granite.auth.saml.SamlAuthenticationHandler.handleLogin(SamlAuthenticationHandler.java:577)
at com.adobe.granite.auth.saml.SamlAuthenticationHandler.extractCredentials(SamlAuthenticationHandler.java:348)
at org.apache.sling.auth.core.impl.AuthenticationHandlerHolder.doExtractCredentials(AuthenticationHandlerHolder.java:75)
at org.apache.sling.auth.core.impl.AbstractAuthenticationHandlerHolder.extractCredentials(AbstractAuthenticationHandlerHolder.java:60)
at org.apache.sling.auth.core.impl.SlingAuthenticator.getAuthenticationInfo(SlingAuthenticator.java:709)
at org.apache.sling.auth.core.impl.SlingAuthenticator.doHandleSecurity(SlingAuthenticator.java:461)
at org.apache.sling.auth.core.impl.SlingAuthenticator.handleSecurity(SlingAuthenticator.java:446)
at org.apache.sling.engine.impl.SlingHttpContext.handleSecurity(SlingHttpContext.java:121)
at org.apache.felix.http.base.internal.context.ServletContextImpl.handleSecurity(ServletContextImpl.java:339)
at org.apache.felix.http.base.internal.handler.ServletHandler.doHandle(ServletHandler.java:334)
at org.apache.felix.http.base.internal.handler.ServletHandler.handle(ServletHandler.java:297)
at org.apache.felix.http.base.internal.dispatch.ServletPipeline.handle(ServletPipeline.java:93)
at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:50)
at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:31)
at org.apache.sling.i18n.impl.I18NFilter.doFilter(I18NFilter.java:129)
Problem accessing /saml_login. Reason:
com.adobe.granite.keystore.KeyStoreNotInitialisedException: Uninitialised key store for user authentication-service
9.05.2018 21:06:04.890 *WARN* [qtp1892229876-64] org.eclipse.jetty.servlet.ServletHandler /saml_login
com.adobe.granite.keystore.KeyStoreNotInitialisedException: Uninitialised key store for user authentication-service
at com.adobe.granite.keystore.internal.KeyStoreServiceImpl.internalGetKeyStore(KeyStoreServiceImpl.java:428)
at com.adobe.granite.keystore.internal.KeyStoreServiceImpl.getKeyStore(KeyStoreServiceImpl.java:122)
at com.adobe.granite.keystore.internal.KeyStoreServiceImpl.getKeyStore(KeyStoreServiceImpl.java:116)
at com.adobe.granite.auth.saml.SamlAuthenticationHandler.handleLogin(SamlAuthenticationHandler.java:578)
at com.adobe.granite.auth.saml.SamlAuthenticationHandler.extractCredentials(SamlAuthenticationHandler.java:348)
at org.apache.sling.auth.core.impl.AuthenticationHandlerHolder.doExtractCredentials(AuthenticationHandlerHolder.java:75)
at org.apache.sling.auth.core.impl.AbstractAuthenticationHandlerHolder.extractCredentials(AbstractAuthenticationHandlerHolder.java:60)
at org.apache.sling.auth.core.impl.SlingAuthenticator.getAuthenticationInfo(SlingAuthenticator.java:709)
at org.apache.sling.auth.core.impl.SlingAuthenticator.doHandleSecurity(SlingAuthenticator.java:461)
at org.apache.sling.auth.core.impl.SlingAuthenticator.handleSecurity(SlingAuthenticator.java:446)
at org.apache.sling.engine.impl.SlingHttpContext.handleSecurity(SlingHttpContext.java:121)
at org.apache.felix.http.base.internal.context.ServletContextImpl.handleSecurity(ServletContextImpl.java:339)
at org.apache.felix.http.base.internal.handler.ServletHandler.doHandle(ServletHandler.java:334)
at org.apache.felix.http.base.internal.handler.ServletHandler.handle(ServletHandler.java:297)
at org.apache.felix.http.base.internal.dispatch.ServletPipeline.handle(ServletPipeline.java:93)
at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:50)
at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:31)
at org.apache.sling.i18n.impl.I18NFilter.doFilter(I18NFilter.java:129)
This issue occurs if the KeyStore and TrustStore have not been initialized.
Follow the steps below to create the KeyStore and TrustStore:
Log in to User Admin through the Touch UI URL - http://localhost:4502/libs/granite/security/content/useradmin.html
Search for the authentication-service user and open it
Click "Create KeyStore"
Enter a password and click OK
Click "Create TrustStore"
Enter a password and click OK
Issue2:
14.05.2018 11:33:09.169 *INFO* [qtp1134377453-180] org.apache.sling.security.impl.ReferrerFilter Rejected empty referrer header for POST request to /saml_login
This issue occurs if empty referrer headers are not allowed for POST requests and the IdP host is not in the referrer filter's allowed hosts.
Follow the steps below to fix the issue:
Log in to the Config Manager - http://localhost:4502/system/console/configMgr
Locate "Apache Sling Referrer Filter"
Select "Allow Empty" and add the IdP host to "Allow Hosts"; keep the host list limited to the IdP, since the referrer filter is AEM's CSRF protection for POST requests.
Issue3:
14.05.2018 11:47:58.087 *ERROR* [qtp1134377453-189] com.adobe.granite.auth.saml.binding.PostBinding Unable to receive SAML message. Could not read IdP certificate from truststore.
This issue occurs if a valid IdP certificate is not present in the Trust Store, or if the alias of the latest certificate is not configured in the Adobe Granite SAML 2.0 Authentication Handler. The browser keeps reloading the URL in an infinite loop when this happens.
Follow the steps below to fix the issue:
Log in to User Admin through the Touch UI URL - http://localhost:4502/libs/granite/security/content/useradmin.html
Search for the authentication-service user and open it
Click "Manage TrustStore"
Click "Select Certificate File" and select the IdP public certificate
Click Submit; this uploads the certificate to the Trust Store
Copy the alias and configure it in "Adobe Granite SAML 2.0 Authentication Handler"
Issue4:
14.05.2018 14:49:26.832 *INFO* [qtp1134377453-62] com.adobe.granite.auth.saml.SamlAuthenticationHandler Login failed. SAML token invalid.
This issue occurs if the saml:Audience value in the SAML response differs from the Service Provider Entity ID configured in the Adobe Granite SAML 2.0 Authentication Handler. The browser keeps reloading the URL in an infinite loop when this happens.
To resolve it, sync the values between the IdP and the Adobe Granite SAML 2.0 Authentication Handler.
The saml:Audience value can be found in the SAML response; make sure the two values match exactly, for example:
<saml:Audience>http://xxxxxxxxxxxxxxx:4502</saml:Audience>
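The following is an added example (not code from the post or from AEM) that performs the audience check described above on a SAML response: it extracts every saml:Audience and compares it, exactly as the post requires, with the configured Service Provider Entity ID. The sample response and the host name in it are constructed for the example; the exact-match behaviour is the post's statement, not a reading of the handler's source.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample SAML response (not a real IdP capture); only the
# elements that matter for the audience check are included.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>http://aem-author.example:4502</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def extract_audiences(saml_response_xml: str) -> list[str]:
    """Return every saml:Audience value found under saml:Conditions."""
    root = ET.fromstring(saml_response_xml)
    path = ".//saml:Conditions/saml:AudienceRestriction/saml:Audience"
    return [(el.text or "").strip() for el in root.findall(path, NS)]


def audience_matches(saml_response_xml: str, sp_entity_id: str) -> bool:
    """Exact string comparison, as the post requires: no trailing-slash,
    scheme or case normalisation, so 'http://host:4502/' does NOT match
    an entity ID of 'http://host:4502'."""
    return sp_entity_id in extract_audiences(saml_response_xml)


def explain_mismatch(saml_response_xml: str, sp_entity_id: str) -> str:
    """Human-readable diagnosis to log when 'SAML token invalid' shows up."""
    audiences = extract_audiences(saml_response_xml)
    if sp_entity_id in audiences:
        return "ok"
    if not audiences:
        return "no saml:Audience element in the response"
    return f"audience {audiences} != configured SP entity id {sp_entity_id!r}"


if __name__ == "__main__":
    print(explain_mismatch(SAMPLE_RESPONSE, "http://aem-author.example:4502"))
    print(explain_mismatch(SAMPLE_RESPONSE, "http://aem-author.example:4502/"))
```

Run it against a response captured with the browser's SAML tracer to see at a glance whether a trailing slash or a differing scheme is what the handler is rejecting.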
Issue5:
java.lang.SecurityException: com.adobe.granite.crypto.CryptoException: Cannot convert byte data
11.05.2018 15:31:24.895 *ERROR* [qtp1387580811-134467] org.apache.felix.http.jetty Exception while processing request to /favicon.ico (java.lang.SecurityException: com.adobe.granite.crypto.CryptoException: Cannot convert byte data)
java.lang.SecurityException: com.adobe.granite.crypto.CryptoException: Cannot convert byte data
at com.adobe.granite.keystore.internal.KeyStoreServiceImpl.extractStorePassword(KeyStoreServiceImpl.java:609)
at com.adobe.granite.keystore.internal.KeyStoreServiceImpl.internalGetKeyStore(KeyStoreServiceImpl.java:428)
at com.adobe.granite.keystore.internal.KeyStoreServiceImpl.getKeyStore(KeyStoreServiceImpl.java:125)
at com.adobe.granite.keystore.internal.KeyStoreServiceImpl.getKeyStore(KeyStoreServiceImpl.java:119)
at com.adobe.granite.auth.saml.SamlAuthenticationHandler.requestCredentials(SamlAuthenticationHandler.java:479)
at org.apache.sling.auth.core.impl.AuthenticationHandlerHolder.doRequestCredentials(AuthenticationHandlerHolder.java:83)
at org.apache.sling.auth.core.impl.AbstractAuthenticationHandlerHolder.requestCredentials(AbstractAuthenticationHandlerHolder.java:83)
at org.apache.sling.auth.core.impl.SlingAuthenticator.login(SlingAuthenticator.java:542)
at org.apache.sling.auth.core.impl.SlingAuthenticator.doLogin(SlingAuthenticator.java:1080)
at org.apache.sling.auth.core.impl.SlingAuthenticator.getAnonymousResolver(SlingAuthenticator.java:892)
at org.apache.sling.auth.core.impl.SlingAuthenticator.doHandleSecurity(SlingAuthenticator.java:492)
at org.apache.sling.auth.core.impl.SlingAuthenticator.handleSecurity(SlingAuthenticator.java:451)
at org.apache.sling.engine.impl.SlingHttpContext.handleSecurity(SlingHttpContext.java:121)
at org.apache.felix.http.base.internal.service.ServletContextImpl.handleSecurity(ServletContextImpl.java:421)
at org.apache.felix.http.base.internal.dispatch.InvocationChain.doFilter(InvocationChain.java:57)
at org.apache.felix.http.base.internal.dispatch.Dispatcher.dispatch(Dispatcher.java:124)
at org.apache.felix.http.base.internal.DispatcherServlet.service(DispatcherServlet.java:61)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:221)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
at org.eclipse.jetty.server.Server.handle(Server.java:499)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
at java.lang.Thread.run(Thread.java:745)
Caused by: com.adobe.granite.crypto.CryptoException: Cannot convert byte data
at com.adobe.granite.crypto.internal.CryptoSupportImpl.unprotect(CryptoSupportImpl.java:160)
at com.adobe.granite.keystore.internal.KeyStoreServiceImpl.extractStorePassword(KeyStoreServiceImpl.java:601)
... 34 common frames omitted
Caused by: com.adobe.granite.crypto.CryptoException: Failed decrypting cipher text
at com.adobe.granite.crypto.internal.CryptoSupportImpl.decrypt(CryptoSupportImpl.java:96)
at com.adobe.granite.crypto.internal.CryptoSupportImpl.unprotect(CryptoSupportImpl.java:157)
... 35 common frames omitted
Caused by: com.rsa.jsafe.JSAFE_PaddingException: Invalid padding.
at com.rsa.jsafe.JSAFE_SymmetricCipher.decryptFinal(Unknown Source)
at com.adobe.granite.crypto.internal.jsafe.JSafeCryptoSupport.getPlainText(JSafeCryptoSupport.java:325)
at com.adobe.granite.crypto.internal.jsafe.JSafeCryptoSupport.getPlainText(JSafeCryptoSupport.java:307)
at com.adobe.granite.crypto.internal.CryptoSupportImpl.decrypt(CryptoSupportImpl.java:94)
... 36 common frames omitted
This issue occurs if the /etc/key folder was deleted by mistake, or if a /etc/key folder migrated from a different server was uploaded. As the stack trace shows, the KeyStore password is decrypted with the instance's crypto key (extractStorePassword -> CryptoSupportImpl.unprotect), so a key that does not match the stores fails with the padding error above.
Note that the issue does not appear immediately after deleting or uploading /etc/key; it surfaces only after the server is restarted following the deletion or upload.
Follow the steps below to fix the issue:
Create a package of /etc/key from a backup or from the publisher and upload it
Restart the server
If the issue is not resolved, follow these additional steps:
Log in to CRXDE Lite and delete the following nodes - '/etc/truststore/truststore.p12' and '/home/users/system/authentication-service/keystore/store.p12'.
Click Save All.
Follow the steps specified in Issue1 and Issue3 to initialize the TrustStore/KeyStore and to configure the IdP certificate.
Issue6:
Status 422 Unprocessable Entity / invalid payload
This issue occurs when a content path other than root (e.g. /content/wknd/ instead of /) is configured in the SAML handler, but the reply URL in the IdP is configured as /saml_login instead of /content/wknd/saml_login.
The reply URL in the IdP should be based on the path configured in the SAML authentication handler: append /saml_login to the content path enabled in the SAML Auth handler.
Issue7:
Login stuck at /saml_login while the SAML response is posted back from the IdP
This issue happens when the CORS policy does not allow POST requests from the IdP origin.
Allow the IdP origin through "Adobe Granite Cross-Origin Resource Sharing Policy".