AEM 6.4 SAML integration - Logout not working

Avatar

Avatar

a_mn1

Avatar

a_mn1

a_mn1

30-07-2018

Hello Guys, I am trying to implement SAML integration with AEM 6.4. I have followed most of the steps mentioned in the link https://helpx.adobe.com/experience-manager/using/aem63_saml.html.[1]  Below are the steps I did.

1.Created an SSOCircle account as mentioned in [1].

2.Configured KeyStore & Truststore as in [1]

3.Modified SAML 2.0 Handler and Referrer filter configuration as mentioned in [1]

4.Modified "Apache Sling Authentication Service" configuration to have  authentication for below paths

     +/content

     +/etc/designs

     +/libs/granite/oauth/content/authorization

5.Modified "Apache Sling Authentication Service" configuration to uncheck the checkbox against "Allow Anonymous Access"

6.Modified "Day CQ Root Mapping" configuration to point to my applcications home page.(/content/<myapps>/homepage.html)

7.Add a logout link to my page header <a href="https://forums.adobe.com/system/sling/logout">

When I access my page for first time, I was taken to the SSO Circle login page, I entered the credentials and was taken to my applications home page. On clicking logout , I was taken to the  SSO cirlce login page.

After that whenever I try to login again, it always takes me to /system/sling/logout and further to SSO circle logout page. (https://idp.ssocircle.com/sso/UI/Logout)

Can someone guide me what I am missing / What have I done wrong in integrating AEM with SAML.

My requirement is Whenever user clicks logout button, he should be taken back to IDP login page. He should be able to see my protected pages only after entering the credentials again .(Even clicking on browser back button , he should be taken to IDP login page).

Note: Please let me know if anymore details are required.

Accepted Solutions (1)

Accepted Solutions (1)

Avatar

Avatar

Kunwar

Employee

Avatar

Kunwar

Employee

Kunwar
Employee

31-07-2018

Sling logout works by calling dropCredentials() on all registered handlers *matching the request path*. See [1] for example implementation.

This means that the LOGIN-RESOURCE attribute needs to be set to a path registered by the respective handler (i.e. http://localhost:4502/system/sling/logout?resource=/content/geometrixx/en)

If the resource parameter is not set, then / is assumed, and only root-level authentication handlers will handle the logout.

See (1) and (2) for more informaiton

[1] : https://github.com/Adobe-Consulting-Services/acs-aem-commons/blob/master/bundle/src/main/java/com/ad...saml/impl/OktaLogoutHandler.java

[2] : AuthenticationHandler (Apache Sling (Builder) 6 API)

Answers (2)

Answers (2)

Avatar

Avatar

Kunwar

Employee

Avatar

Kunwar

Employee

Kunwar
Employee

02-08-2018

Yes. if you are extending the SAML auth handler, then you need to do a bit extra as I mentioned above.

Avatar

Avatar

a_mn1

Avatar

a_mn1

a_mn1

01-08-2018

Hello Kunwar, so from the steps that I have mentioned above, The only thing I am missing is  adding the resource parameter to the logout url?

http://localhost:4502/system/sling/logout?resource=/content/geometrixx/en)