SSO fails after upgrading AEM from SP18 to SP22
After upgrading Adobe Experience Manager (AEM) from Service Pack 18 to Service Pack 22, Single Sign-On (SSO) stops working. The logs show authentication errors even though the IMS OAuth server successfully generates a token. To fix this, update the OSGi configuration by removing the unsupported session scope and verify IMS settings.
Description
Environment
- Product: Adobe Experience Manager (AEM) Managed Services
- Version: 6.5, Service Pack (SP) 22
Issue/Symptoms
After upgrading AEM from SP 18 to SP 22, Single Sign-On (SSO) functionality stopped working. The following error messages are observed in the logs:
- Failed to retrieve user identification; cannot authenticate
- j_reasonparam value ‘Authentication Failed’ cannot be mapped to a valid reason message
Token response is successfully generated by the IMS OAuth server but fails during user identification retrieval.
Resolution
To fix this issue:
- Review and update OSGi configuration:
  - Go to /system/console/configMgr.
  - Find the configuration for com.adobe.granite.auth.oauth.provider or its IMS-specific variant.
  - Check the scope property.
  - If session is included, remove it. The session scope is typically used to indicate that the client requires access to session-related data. This can include user-specific data such as authentication tokens, user preferences, or other data that should persist across interactions within the same session. Hence, it’s recommended to remove it.
  - Save the updated configuration.
- Verify IMS settings:
  - Ensure that instance ID, owning entity, and service code are correctly configured.
  - Confirm alignment with the product profile in AEM SP22.
- Understand the scope adjustment:
  - The session scope can cause issues if unsupported or unnecessary.
  - Removing unsupported scopes ensures compatibility with the OAuth provider.
  - Simplified scope settings reduce misconfigurations and improve performance.
- Test and validate:
  - Test SSO functionality thoroughly after making changes.
  - Perform sanity tests to verify basic SSO operations like login, token exchange, and user identification.
  - Run regression tests to ensure that existing features such as user session persistence, role-based access, and integration with other AEM modules continue to work as expected.
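
The scope check from the first step can also be run against exported configuration files before they are deployed. The following is an added example, not Adobe's code: it assumes the provider configuration is kept as plain JSON (.cfg.json style) and that the scope property's key ends in "scope"; the key name oauth.scope and the sample values are constructed for illustration.

```python
import json

UNSUPPORTED = {"session"}  # the scope this article says to remove on SP22

# Constructed sample of an exported provider config (assumed key name and values).
SAMPLE_CFG = """{
  "oauth.scope": ["AdobeID", "openid", "session"]
}"""


def _split(value):
    """Return (scopes, was_list) for a list value or a comma/space separated string."""
    if isinstance(value, list):
        return [str(v).strip() for v in value], True
    return str(value).replace(",", " ").split(), False


def clean_scopes(cfg_text, unsupported=UNSUPPORTED):
    """Parse JSON config text and drop unsupported scopes.

    Returns (cleaned_config_dict, {property_key: [removed scopes]}).
    Only properties whose last dot-separated segment is "scope" are touched,
    and scopes are matched as whole tokens, so "session_extra" is left alone.
    """
    cfg = json.loads(cfg_text)
    removed = {}
    for key, value in cfg.items():
        if key.lower().split(".")[-1] != "scope":
            continue
        scopes, was_list = _split(value)
        dropped = [s for s in scopes if s.lower() in unsupported]
        if dropped:
            kept = [s for s in scopes if s.lower() not in unsupported]
            # Keep the original value type; string values are rejoined with commas.
            cfg[key] = kept if was_list else ",".join(kept)
            removed[key] = dropped
    return cfg, removed


if __name__ == "__main__":
    cleaned, removed = clean_scopes(SAMPLE_CFG)
    print("removed:", removed)
    print(json.dumps(cleaned, indent=2))
```

An empty second return value means the file needs no change; a non-empty one lists each property and the scopes that were dropped, which is useful as an audit record alongside the SSO tests.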
 
Related reading
- Single Sign On in AEM 6.5 User Guide.
- Adobe IMS Authentication and Admin Console Support for AEM Managed Services in AEM 6.5 User Guide.