SAML Logout | Community
Level 3
June 19, 2020
Solved

SAML Logout

  • June 19, 2020
  • 3 replies
  • 2183 views

I'm working on SAML 2.0 integration on a totally clean 6.4.8.1 instance.

Login works properly. However, logout fails with NPE. In logs I see:

19.06.2020 11:32:21.061 *ERROR* [0:0:0:0:0:0:0:1 [1592555541049] GET /system/sling/logout.html HTTP/1.1] com.adobe.granite.auth.saml.SamlAuthenticationHandler Unable to perform SAML logout.
java.lang.NullPointerException: null
at com.adobe.granite.auth.saml.SamlAuthenticationHandler.createLogoutRequest(SamlAuthenticationHandler.java:916) [com.adobe.granite.auth.saml:1.0.10.CQ640-B0012]
at com.adobe.granite.auth.saml.SamlAuthenticationHandler.dropCredentials(SamlAuthenticationHandler.java:663) [com.adobe.granite.auth.saml:1.0.10.CQ640-B0012]
at org.apache.sling.auth.core.impl.AuthenticationHandlerHolder.doDropCredentials(AuthenticationHandlerHolder.java:95) [org.apache.sling.auth.core:1.4.2]
at org.apache.sling.auth.core.impl.AbstractAuthenticationHandlerHolder.dropCredentials(AbstractAuthenticationHandlerHolder.java:103) [org.apache.sling.auth.core:1.4.2]

........................................................................

In the settings, dropCredentials is set to true and logoutUrl is filled with the KeyCloak logout URL.

According to my investigation, the handler's code might try to get NameQualifier and SpNameQualifier. SAML 2.0 specification defines these attributes as optional. Also, these attributes are not present in the IdP response.

I'm confused since I have just two logout-related configuration options and there is nothing more I can do.

Any ideas how to resolve the issue?

Thanks

 

3 replies

joerghoh
Adobe Employee
Accepted solution
June 25, 2020

Hi,

That looks really strange; when I look at the code at the mentioned line, it makes me think that the request doesn't have an assertion at all (unfortunately there are a number of chances where an NPE can occur).

Please raise a request with support and report your problem (ideally including the relevant details about the SAML assertion attached to the request).

Jörg

akhoury
Adobe Employee
June 25, 2020

As @joerghoh said, please file a support ticket.

The SAML response XML gets stored in encrypted form under the user node. That XML isn't complying with the XML structure that the createLogoutRequest method expects. So we might need to do some debugging there.

Stanleyor
Author
Level 3
July 2, 2020

Thank you @joerghoh and @akhoury for your answers, information and ideas.
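
Added example, not part of the original thread and not Adobe's handler code: a Python check that reads a decoded SAML Response captured from your own IdP and reports whether it carries a plaintext Assertion, a NameID, the optional NameQualifier and SPNameQualifier attributes, and a SessionIndex, which is the kind of assertion detail the replies ask to attach to a support ticket. The function name and both sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def inspect_for_logout(response_xml):
    """Report the Response fields that identify the subject and session at logout."""
    root = ET.fromstring(response_xml)
    report = {"assertion": None, "name_id": None, "format": None,
              "name_qualifier": None, "sp_name_qualifier": None,
              "session_index": None, "notes": []}
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        encrypted = root.find("saml:EncryptedAssertion", NS) is not None
        report["assertion"] = "encrypted" if encrypted else "missing"
        report["notes"].append("no plaintext Assertion: NameID cannot be read")
        return report
    report["assertion"] = "present"
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        report["notes"].append("Subject has no plaintext NameID")
    else:
        report["name_id"] = (name_id.text or "").strip()
        report["format"] = name_id.get("Format")
        # Both qualifiers are optional in SAML 2.0, so None is a legal value here.
        for attr, key in (("NameQualifier", "name_qualifier"),
                          ("SPNameQualifier", "sp_name_qualifier")):
            report[key] = name_id.get(attr)
            if report[key] is None:
                report["notes"].append(attr + " absent (optional)")
    stmt = assertion.find("saml:AuthnStatement", NS)
    report["session_index"] = stmt.get("SessionIndex") if stmt is not None else None
    if report["session_index"] is None:
        report["notes"].append("no SessionIndex on AuthnStatement")
    return report

# Constructed, minimal sample inputs (not taken from the thread).
SAMPLE_WITHOUT_QUALIFIERS = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
    </saml:Subject>
    <saml:AuthnStatement SessionIndex="idx-123"/>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_WITHOUT_ASSERTION = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_r2" Version="2.0"/>"""
if __name__ == "__main__":
    print(inspect_for_logout(SAMPLE_WITHOUT_QUALIFIERS))
```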