Configuring Multiple SAML configs in Publisher (audienceRestrictions violated error)

New Participant
March 26, 2021
Solved

  • March 26, 2021
  • 3 replies
  • 1647 views

Hi all,

We are configuring 2 SAML configs for 2 sites in Publisher. One SAML config is for SiteMinder and the other SAML config is for Ping Identity.

In each config, I have added content paths for each site, the same ranking, updated IdP URLs (SM and Ping IdP URLs) with separate Entity IDs, default redirect paths and ACS URLs (e.g. https://abc.com/saml_login, https://xyz.com/saml_login).

SSO is not working for one site (it goes into an infinite loop) if both SAML configs are enabled. I'm seeing the error below in the SAML trace. However, if I disable one SAML config, there are no issues with SSO login.


26.03.2021 04:08:37.400 *DEBUG* [qtp1786311869-8128] com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: audienceRestrictions violated.
26.03.2021 04:08:37.400 *INFO* [qtp1786311869-8128] com.adobe.granite.auth.saml.SamlAuthenticationHandler Login failed. SAML token invalid.
26.03.2021 04:08:37.400 *INFO* [qtp1786311869-8128] com.adobe.granite.auth.saml.SamlAuthenticationHandler SAML error with reason: invalid_token detected, redirect user to: /libs/granite/core/content/login.error.html?j_reason=invalid_token
26.03.2021 04:08:37.400 *INFO* [qtp1786311869-8128] com.adobe.granite.auth.saml.SamlAuthenticationHandler SAML error with reason: invalid_token detected, redirect user to: /libs/granite/core/content/login.error.html?j_reason=invalid_token


Any inputs to resolve this issue with multiple SAML configs?

Thanks.


3 replies

New Participant
April 8, 2021

Issue resolved by providing host name (https://abc.com/) in the path field instead of content path.

Thanks.

kautuk_sahni
Employee
April 8, 2021
@antony6790, thank you for sharing the solution/fix with the community. Great to have phenomenal SMEs like you. Looking forward to more contributions from you in the AEM Community.
Kautuk Sahni
Employee
March 29, 2021

The issue seems to be with the Path and Assertion Consumer URL:

If the path is "/content/sitea", then /content/sitea/saml_login should be the ACS endpoint.

If the path is "/content/siteb", then /content/siteb/saml_login should be the ACS endpoint.
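
What the "audienceRestrictions violated" line in the trace means, and why the Path setting decides which config performs that check, as an added example; this is not code from this thread or from AEM. It is a simplified Python model, and the matching rule (a host-qualified URL path only matches requests on that host, the most specific match wins, and a full tie goes to the first registered config), the entity IDs https://abc.com/sp and https://xyz.com/sp, the IdP issuer values and the unsigned sample response are all assumptions made for the demo. Signature and validity-window checks, which a real handler performs before the audience check, are left out.

```python
"""Added example (not code from the thread or from AEM): a simplified model of
how a path-bound SAML handler config is picked for an ACS request, and how the
AudienceRestriction check then fails when the wrong config is picked."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from urllib.parse import urlsplit

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


@dataclass(frozen=True)
class SamlConfig:          # hypothetical stand-in for one SAML handler config
    name: str
    path: str              # "Path" setting: plain path or host-qualified URL
    ranking: int           # "Service Ranking"
    sp_entity_id: str      # the audience the IdP must assert for this SP
    acs_url: str


def _under(prefix: str, path: str) -> bool:
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def matches(cfg: SamlConfig, request_url: str) -> bool:
    """Assumed rule: a URL-form path also requires scheme and host to match."""
    req = urlsplit(request_url)
    if "://" in cfg.path:
        want = urlsplit(cfg.path)
        if (want.scheme, want.netloc) != (req.scheme, req.netloc):
            return False
        return _under(want.path or "/", req.path)
    return _under(cfg.path, req.path)


def select_config(configs, request_url: str):
    """Most specific match wins (host-qualified beats plain, longer path beats
    shorter, then ranking); on a complete tie the first registered config wins.
    This mimics the idea of path-bound handler selection, not AEM's exact code."""
    hits = [c for c in configs if matches(c, request_url)]
    if not hits:
        return None

    def specificity(c):
        p = urlsplit(c.path).path if "://" in c.path else c.path
        return ("://" in c.path, len(p.rstrip("/")), c.ranking)

    return max(hits, key=specificity)   # max() keeps the first of equal keys


def audience_ok(response_xml: str, cfg: SamlConfig) -> bool:
    """SAML 2.0 core 2.5.1.4: the SP's entity ID must appear in every
    AudienceRestriction; no AudienceRestriction at all means no restriction."""
    root = ET.fromstring(response_xml)
    restrictions = root.findall(".//saml:Conditions/saml:AudienceRestriction", NS)
    return all(cfg.sp_entity_id in [a.text.strip() for a in r.findall("saml:Audience", NS) if a.text]
               for r in restrictions)


def consume_acs(configs, request_url: str, response_xml: str) -> str:
    """Returns 'ok:<config>' or the j_reason the handler would redirect with.
    Signature and NotBefore/NotOnOrAfter checks are omitted in this model."""
    cfg = select_config(configs, request_url)
    if cfg is None:
        return "no_handler"        # nothing owns this ACS path; login cannot complete
    if not audience_ok(response_xml, cfg):
        return "invalid_token"     # the trace's 'Invalid Assertion: audienceRestrictions violated'
    return f"ok:{cfg.name}"


def make_response(issuer: str, audience: str) -> str:
    """Constructed, unsigned sample SAML Response for the demo."""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_r1" Version="2.0"><saml:Assertion ID="_a1" Version="2.0">'
            f'<saml:Issuer>{issuer}</saml:Issuer><saml:Conditions><saml:AudienceRestriction>'
            f'<saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
            f'</saml:Conditions></saml:Assertion></samlp:Response>')


# Hypothetical values; the thread only gives abc.com / xyz.com and the IdP vendors.
SM_ENTITY, PING_ENTITY = "https://abc.com/sp", "https://xyz.com/sp"
PING_RESPONSE = make_response("https://ping.example/idp", PING_ENTITY)

# Constructed failure case: both handlers cover the ACS request (both on "/"),
# same ranking. The first registered config answers both hosts, so xyz.com's
# assertion is checked against abc.com's entity ID and fails the audience check.
OVERLAPPING = [
    SamlConfig("siteminder", "/", 0, SM_ENTITY, "https://abc.com/saml_login"),
    SamlConfig("ping", "/", 0, PING_ENTITY, "https://xyz.com/saml_login"),
]

# The accepted fix from the thread: host name in the Path so each handler owns one site.
HOST_SCOPED = [
    SamlConfig("siteminder", "https://abc.com/", 0, SM_ENTITY, "https://abc.com/saml_login"),
    SamlConfig("ping", "https://xyz.com/", 0, PING_ENTITY, "https://xyz.com/saml_login"),
]

# The other suggestion: content paths, with the ACS endpoint placed under each path.
PATH_SCOPED = [
    SamlConfig("siteminder", "/content/sitea", 0, SM_ENTITY, "https://abc.com/content/sitea/saml_login"),
    SamlConfig("ping", "/content/siteb", 0, PING_ENTITY, "https://xyz.com/content/siteb/saml_login"),
]

if __name__ == "__main__":
    for label, cfgs, url in [("overlapping", OVERLAPPING, "https://xyz.com/saml_login"),
                             ("host-scoped", HOST_SCOPED, "https://xyz.com/saml_login"),
                             ("path-scoped, root ACS", PATH_SCOPED, "https://xyz.com/saml_login"),
                             ("path-scoped, ACS under path", PATH_SCOPED, "https://xyz.com/content/siteb/saml_login")]:
        print(f"{label:28} -> {consume_acs(cfgs, url, PING_RESPONSE)}")
```

The third scenario is the one from the reply below: content paths in the config but the ACS endpoint left at the site root, so no handler owns the ACS request at all and the login can never complete. In the first scenario the abc.com site still works (its assertion reaches the first config, whose entity ID it carries), which is why only one of the two sites loops.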

New Participant
March 29, 2021

Tried with paths in the ACS URL, but we are seeing infinite redirects with a 404 error for the /content/siteA path.

We have dispatcher rules for the site: if a request comes in with the /content/siteA path, it should translate this to /content/siteA/homepage.html. Not sure whether any dispatcher rules are causing this infinite loop.

Thanks,

Antony

Rohit_Utreja (Accepted solution)
New Participant
March 26, 2021