SAML POST from Okta IDP to AEMaaCS failing | Community
New Participant
May 30, 2023
Solved

SAML POST from Okta IDP to AEMaaCS failing

  • May 30, 2023
  • 1 reply
  • 927 views

We are doing SAML integration with Okta IDP on AEM Publisher and, after doing all the required configurations, we are getting a 403 Forbidden when the IDP redirects to AEM.

[26/May/2023:10:25:20 +0000] [I] [cm-p104909-e982861-aem-publish-7cfb4c8c6d-nmjt2] "GET /content/cisco-dcloud/us/en/home/secure.html" 200 7ms [publishfarm/0] [actionnone] publish-p104909-e982861.adobeaemcloud.com
[26/May/2023:10:25:23 +0000] [I] [cm-p104909-e982861-aem-publish-7cfb4c8c6d-nmjt2] "POST /content/cisco-dcloud/saml_login" 403 7ms [publishfarm/0] [actionnone] publish-p104909-e982861.adobeaemcloud.com

We have allowed the POST request to */saml_login in the filter rules on the dispatcher, as shown below, but we are still getting a 403 on the POST request:

# Allow SAML HTTP POST to ../saml_login end points
/0110 { /type "allow" /method "POST" /url "*/saml_login" }

Please suggest what the issue could be.

aanchal-sikka (Accepted solution)
New Participant
May 30, 2023

Hello @pardeepg4829047 

We also need to update "Referrer filter" and "CORS" settings.

https://experienceleague.adobe.com/docs/experience-manager-learn/cloud-service/authentication/saml-2-0.html?lang=en#configure-referrer-filter

Requesting you to please cross-check that all steps are implemented.

Aanchal Sikka
New Participant
May 30, 2023

@aanchal-sikka - we have already done the required configurations for CORS and Referrer Filter as per the below, but the issue still persists.

CORS:

{
  "alloworigin": [
    "$[env:SAML_IDP_ORIGIN;default=http://www.okta.com]"
  ],
  "allowedpaths": [
    ".*/saml_login"
  ],
  "supportedmethods": [
    "POST"
  ]
}

Referrer Filter:

{
  "allow.empty": true,
  "allow.hosts.regexp": "http://www.okta.com",
  "allow.hosts": [
    "$[env:SAML_IDP_REFERRER;default=http://www.okta.com]"
  ],
  "filter.methods": [
    "POST"
  ],
  "exclude.agents.regexp": [ ]
}

New Participant
June 1, 2023

The issue was with an incorrect host in the referrer filter. We identified the correct referrer from the SAML response.

We changed the below entry to fix the issue:

$[env:SAML_IDP_REFERRER;default=http://www.okta.com]

to

$[env:SAML_IDP_REFERRER;default=int-id.cisco.com]
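As an added illustration of the diagnosis in this thread (not code from the thread, from Adobe or from Sling): a small Python model of the Referrer Filter decision, run against the configuration posted above and against a corrected bare IDP hostname, plus a decoder that pulls Issuer and Destination out of a captured SAMLResponse so they can be compared with the IDP entity id and the saml_login URL. The filter logic is a simplified assumption rather than Sling's implementation, and the hostnames and SAML sample are constructed placeholders.

```python
import base64
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Referrer Filter values as posted in the thread (before the fix).
POSTED_CONFIG = {"allow.empty": True, "allow.hosts": ["http://www.okta.com"],
                 "allow.hosts.regexp": [], "filter.methods": ["POST"]}
# Same config with a bare IDP hostname, as in the fix (constructed placeholder domain).
FIXED_CONFIG = {**POSTED_CONFIG, "allow.hosts": ["int-id.example.com"]}

def referer_allowed(config, method, referer):
    """Simplified model of the Referrer Filter decision (an assumption, not Sling's code):
    only methods in filter.methods are checked; a missing Referer passes when allow.empty
    is true; otherwise the Referer's host must be listed in allow.hosts or match a regexp."""
    if method.upper() not in config.get("filter.methods", []):
        return True
    if not referer:
        return bool(config.get("allow.empty", False))
    host = urlparse(referer).hostname or ""
    if host in config.get("allow.hosts", []):
        return True
    return any(re.fullmatch(p, host) for p in config.get("allow.hosts.regexp", []))

def saml_response_fields(b64_response):
    """Decode the SAMLResponse form field and return Issuer and Destination, the values
    to compare against the IDP entity id and the ACS (saml_login) URL when a POST is rejected."""
    root = ET.fromstring(base64.b64decode(b64_response))
    issuer = root.find(f"{{{SAML_ASSERTION_NS}}}Issuer")
    return {"issuer": issuer.text if issuer is not None else None,
            "destination": root.get("Destination")}

# Constructed sample of the browser's POST to /saml_login (unsigned, fields trimmed).
SAMPLE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"
  Destination="https://publish.example.com/content/site/saml_login">
  <saml:Issuer>http://www.okta.com/exk_constructed_id</saml:Issuer>
</samlp:Response>"""
SAMPLE_POST = {"method": "POST", "referer": "https://int-id.example.com/app/sso/saml",
               "SAMLResponse": base64.b64encode(SAMPLE_XML).decode()}

def diagnose(config, post=SAMPLE_POST):
    """Combine the filter verdict with the decoded SAML fields for one captured POST."""
    return {"referer_host": urlparse(post["referer"]).hostname,
            "allowed": referer_allowed(config, post["method"], post["referer"]),
            **saml_response_fields(post["SAMPLE_POST" if False else "SAMLResponse"])}
```

Running diagnose(POSTED_CONFIG) and diagnose(FIXED_CONFIG) side by side shows the same POST being rejected and then admitted purely because allow.hosts now carries the hostname the browser actually sends in Referer.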