Expand my Community achievements bar.

SOLVED

AEM 6.4 SAML integration - Logout not working

Avatar

Level 4

Hello Guys, I am trying to implement SAML integration with AEM 6.4. I have followed most of the steps mentioned in the link https://helpx.adobe.com/experience-manager/using/aem63_saml.html.[1]  Below are the steps I did.

1.Created an SSOCircle account as mentioned in [1].

2.Configured KeyStore & Truststore as in [1]

3.Modified SAML 2.0 Handler and Referrer filter configuration as mentioned in [1]

4.Modified "Apache Sling Authentication Service" configuration to have  authentication for below paths

     +/content

     +/etc/designs

     +/libs/granite/oauth/content/authorization

5.Modified "Apache Sling Authentication Service" configuration to uncheck the checkbox against "Allow Anonymous Access"

6.Modified "Day CQ Root Mapping" configuration to point to my applcications home page.(/content/<myapps>/homepage.html)

7.Add a logout link to my page header <a href="https://forums.adobe.com/system/sling/logout">

When I access my page for first time, I was taken to the SSO Circle login page, I entered the credentials and was taken to my applications home page. On clicking logout , I was taken to the  SSO cirlce login page.

After that whenever I try to login again, it always takes me to /system/sling/logout and further to SSO circle logout page. (https://idp.ssocircle.com/sso/UI/Logout)

Can someone guide me what I am missing / What have I done wrong in integrating AEM with SAML.

My requirement is Whenever user clicks logout button, he should be taken back to IDP login page. He should be able to see my protected pages only after entering the credentials again .(Even clicking on browser back button , he should be taken to IDP login page).

Note: Please let me know if anymore details are required.

1 Accepted Solution

Avatar

Correct answer by
Employee

Sling logout works by calling dropCredentials() on all registered handlers *matching the request path*. See [1] for example implementation.

This means that the LOGIN-RESOURCE attribute needs to be set to a path registered by the respective handler (i.e. http://localhost:4502/system/sling/logout?resource=/content/geometrixx/en)

If the resource parameter is not set, then / is assumed, and only root-level authentication handlers will handle the logout.

See (1) and (2) for more informaiton

[1] : https://github.com/Adobe-Consulting-Services/acs-aem-commons/blob/master/bundle/src/main/java/com/ad...saml/impl/OktaLogoutHandler.java

[2] : AuthenticationHandler (Apache Sling (Builder) 6 API)

View solution in original post

3 Replies

Avatar

Correct answer by
Employee

Sling logout works by calling dropCredentials() on all registered handlers *matching the request path*. See [1] for example implementation.

This means that the LOGIN-RESOURCE attribute needs to be set to a path registered by the respective handler (i.e. http://localhost:4502/system/sling/logout?resource=/content/geometrixx/en)

If the resource parameter is not set, then / is assumed, and only root-level authentication handlers will handle the logout.

See (1) and (2) for more informaiton

[1] : https://github.com/Adobe-Consulting-Services/acs-aem-commons/blob/master/bundle/src/main/java/com/ad...saml/impl/OktaLogoutHandler.java

[2] : AuthenticationHandler (Apache Sling (Builder) 6 API)

Avatar

Level 4

Hello Kunwar, so from the steps that I have mentioned above, The only thing I am missing is  adding the resource parameter to the logout url?

http://localhost:4502/system/sling/logout?resource=/content/geometrixx/en)

Avatar

Employee

Yes. if you are extending the SAML auth handler, then you need to do a bit extra as I mentioned above.