Adobe Experience Manager Sites & More

costyfax · 1/25/24

Hi all, we've integrated our author instance with AzureAD using SAML auth handler.

Everything is ok in the login phase but we have a problem during logout; when a user press the logout button the page /system/sling/logout.html is called and the user is redirect to "/".

After this, I can see in my browser network console that a new POST request is made to the IDP but is not containing a SAMLLogout assertion but a samlp:AuthnRequest.

This behaviour made me think of some logout error; in fact, if I see the specific saml log I can see this stack trace:

 24.01.2024 13:17:21.292 *ERROR* [185.26.140.33 [1706098641275] GET /system/sling/logout.html HTTP/1.1] com.adobe.granite.auth.saml.SamlAuthenticationHandler Unable to perform SAML logout.
java.lang.IllegalStateException: WRITER
at org.eclipse.jetty.server.Response.getOutputStream(Response.java:778) [org.apache.felix.http.jetty:4.2.12]
at javax.servlet.ServletResponseWrapper.getOutputStream(ServletResponseWrapper.java:105) [org.apache.felix.http.servlet-api:1.2.0]
at javax.servlet.ServletResponseWrapper.getOutputStream(ServletResponseWrapper.java:105) [org.apache.felix.http.servlet-api:1.2.0]
at javax.servlet.ServletResponseWrapper.getOutputStream(ServletResponseWrapper.java:105) [org.apache.felix.http.servlet-api:1.2.0]
at org.apache.sling.engine.impl.log.RequestLoggerResponse.getOutputStream(RequestLoggerResponse.java:116) [org.apache.sling.engine:2.7.10.B0004]
at javax.servlet.ServletResponseWrapper.getOutputStream(ServletResponseWrapper.java:105) [org.apache.felix.http.servlet-api:1.2.0]
at org.apache.sling.engine.impl.SlingHttpServletResponseImpl.getOutputStream(SlingHttpServletResponseImpl.java:410) [org.apache.sling.engine:2.7.10.B0004]
at javax.servlet.ServletResponseWrapper.getOutputStream(ServletResponseWrapper.java:105) [org.apache.felix.http.servlet-api:1.2.0]
at javax.servlet.ServletResponseWrapper.getOutputStream(ServletResponseWrapper.java:105) [org.apache.felix.http.servlet-api:1.2.0]
at com.adobe.granite.auth.saml.binding.PostBinding.send(PostBinding.java:212) [com.adobe.granite.auth.saml:1.0.24.CQ650-B0010]
at com.adobe.granite.auth.saml.SamlAuthenticationHandler.dropCredentials(SamlAuthenticationHandler.java:670) [com.adobe.granite.auth.saml:1.0.24.CQ650-B0010]
at org.apache.sling.auth.core.impl.AuthenticationHandlerHolder.doDropCredentials(AuthenticationHandlerHolder.java:95) [org.apache.sling.auth.core:1.5.0]
at org.apache.sling.auth.core.impl.AbstractAuthenticationHandlerHolder.dropCredentials(AbstractAuthenticationHandlerHolder.java:103) [org.apache.sling.auth.core:1.5.0]
at org.apache.sling.auth.core.impl.SlingAuthenticator.logout(SlingAuthenticator.java:657) [org.apache.sling.auth.core:1.5.0]
at org.apache.sling.auth.core.impl.LogoutServlet.service(LogoutServlet.java:84) [org.apache.sling.auth.core:1.5.0]
at org.apache.sling.api.servlets.SlingSafeMethodsServlet.service(SlingSafeMethodsServlet.java:374) [org.apache.sling.api:2.22.0.B002]
at org.apache.sling.engine.impl.request.RequestData.service(RequestData.java:579) [org.apache.sling.engine:2.7.10.B0004]
at org.apache.sling.engine.impl.filter.SlingComponentFilterChain.render(SlingComponentFilterChain.java:45) [org.apache.sling.engine:2.7.10.B0004]
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:88) [org.apache.sling.engine:2.7.10.B0004]
at com.day.cq.wcm.core.impl.WCMDebugFilter.doFilter(WCMDebugFilter.java:138) [com.day.cq.wcm.cq-wcm-core:5.12.234]
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at com.day.cq.wcm.core.impl.WCMComponentFilter.filterRootInclude(WCMComponentFilter.java:375) [com.day.cq.wcm.cq-wcm-core:5.12.234]
at com.day.cq.wcm.core.impl.WCMComponentFilter.doFilter(WCMComponentFilter.java:190) [com.day.cq.wcm.cq-wcm-core:5.12.234]
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at com.day.cq.wcm.core.impl.page.PageLockFilter.doFilter(PageLockFilter.java:91) [com.day.cq.wcm.cq-wcm-core:5.12.234]
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at com.day.cq.personalization.impl.TargetComponentFilter.doFilter(TargetComponentFilter.java:94) [com.day.cq.cq-personalization:5.12.48]
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at org.apache.sling.engine.impl.SlingRequestProcessorImpl.processComponent(SlingRequestProcessorImpl.java:283) [org.apache.sling.engine:2.7.10.B0004]
at org.apache.sling.engine.impl.filter.RequestSlingFilterChain.render(RequestSlingFilterChain.java:49) [org.apache.sling.engine:2.7.10.B0004]
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:88) [org.apache.sling.engine:2.7.10.B0004]
at org.apache.sling.dynamicinclude.SyntheticResourceFilter.doFilter(SyntheticResourceFilter.java:66) [org.apache.sling.dynamic-include:3.1.2]
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:84) [org.apache.sling.engine:2.7.10.B0004]
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:84) [org.apache.sling.engine:2.7.10.B0004]
at com.day.cq.wcm.core.impl.warp.TimeWarpFilter.doFilter(TimeWarpFilter.java:109) [com.day.cq.wcm.cq-wcm-core:5.12.234]
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at com.adobe.cq.social.ugcbase.security.impl.SaferSlingPostServlet.doFilter(SaferSlingPostServlet.java:114) [com.adobe.cq.social.cq-social-ugcbase-impl:2.5.3]
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:84) [org.apache.sling.engine:2.7.10.B0004]
at com.day.cq.dam.core.impl.assetlinkshare.AdhocAssetShareAuthHandler.doFilter(AdhocAssetShareAuthHandler.java:440) [com.day.cq.dam.cq-dam-core:5.12.368]
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:84) [org.apache.sling.engine:2.7.10.B0004]
at com.day.cq.dam.core.impl.servlet.ActivityRecordHandler.doFilter(ActivityRecordHandler.java:141) [com.day.cq.dam.cq-dam-core:5.12.368]
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at com.adobe.granite.rest.impl.servlet.ApiResourceFilter.doFilter(ApiResourceFilter.java:70) [com.adobe.granite.rest.api:1.1.16.CQ650-B0005]
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at com.adobe.granite.requests.logging.impl.RequestLoggerImpl.doFilter(RequestLoggerImpl.java:134) [com.adobe.granite.requests.logging:1.0.20]
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at com.adobe.granite.rest.assets.impl.AssetContentDispositionFilter.doFilter(AssetContentDispositionFilter.java:96) [com.adobe.granite.rest.assets:1.0.58]
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:84) [org.apache.sling.engine:2.7.10.B0004]
at com.day.cq.wcm.core.impl.AuthoringUIModeServiceImpl.doFilter(AuthoringUIModeServiceImpl.java:394) [com.day.cq.wcm.cq-wcm-core:5.12.234]
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:84) [org.apache.sling.engine:2.7.10.B0004]
at com.day.cq.wcm.mobile.core.impl.redirect.RedirectFilter.doFilter(RedirectFilter.java:248) [com.day.cq.wcm.cq-wcm-mobile-core:5.11.10]
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at it.sky.dp.aemfoundation.core.filters.AbstractBaseFilter.doFilter(AbstractBaseFilter.java:48)
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at it.sky.dp.aemfoundation.core.filters.AbstractBaseFilter.doFilter(AbstractBaseFilter.java:48)
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at it.sky.dp.aemfoundation.core.filters.AbstractBaseFilter.doFilter(AbstractBaseFilter.java:48)
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at it.sky.dp.aemfoundation.core.filters.AbstractBaseFilter.doFilter(AbstractBaseFilter.java:48)
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at it.sky.dp.skysporthd.core.filters.ReportMatchFilter.doFilter(ReportMatchFilter.java:63)
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at it.sky.dp.skysporthd.core.filters.MotorsportsResultsFilter.doFilter(MotorsportsResultsFilter.java:56)
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at it.sky.dp.skysporthd.core.filters.AbstractSportsDataFilter.doFilter(AbstractSportsDataFilter.java:43)
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at it.sky.dp.skysporthd.addons.motorsports.core.filters.MotorsportsResultsFilter.doFilter(MotorsportsResultsFilter.java:64) [it.sky.dp.skysport-site-addons.motorsports.core:1.1.0]
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at it.sky.dp.aemfoundation.commons.core.filters.TagListFilter.doFilter(TagListFilter.java:83)
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at it.sky.dp.aemfoundation.commons.core.filters.LimitPaginationFilter.doFilter(LimitPaginationFilter.java:68)
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at it.sky.dp.aemfoundation.core.filters.AbstractBaseFilter.doFilter(AbstractBaseFilter.java:48)
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at it.sky.dp.skylivedata.sports.core.filters.AbstractSportsDataFilter.doFilter(AbstractSportsDataFilter.java:43)
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at it.sky.dp.skylivedata.sports.core.filters.AbstractSportsDataFilter.doFilter(AbstractSportsDataFilter.java:43)
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at it.sky.dp.aemfoundation.core.filters.AbstractBaseFilter.doFilter(AbstractBaseFilter.java:48)
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at it.sky.dp.aemfoundation.commons.core.filters.TTLCacheFilterResourceType.doFilter(TTLCacheFilterResourceType.java:63)
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:84) [org.apache.sling.engine:2.7.10.B0004]
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:84) [org.apache.sling.engine:2.7.10.B0004]

I saw inside the bundle code and I saw that the error is thrown by the send() method of PostBinding class.

Has anyone already encountered this type of problem?

Thank you!

Fabio

TarunKumar · 1/28/24

Hi @costyfax ,

Please add a request parameter "resource" to the logout URL with the path of the page you're trying to log out from.
For any failed request in SAML Authentication Handler, the SAML Logout URL will be called by AEM.
So that if you configure a SAML Authentication Handler configured with path=/content/test and if you then call /system/sling/logout.html?resource=/content/test/sample-path then AEM will see that /content/test/sample-path falls under folder path /content/test and it will call the SAML Logout URL configured for this.
If you don't provide the resource request parameter then AEM will search for an SAML authentication handler configured for /.

Thanks
tarun

View solution in original post

narendragandhi · 1/25/24

Hi @costyfax

There is a similar thread for this issue with a resolution - https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/how-to-make-saml-authentic...

Can you please try that and let us know if that helps to resolve the issue ?

Thanks

Narendra

TarunKumar · 1/28/24

Hi @costyfax ,

Please add a request parameter "resource" to the logout URL with the path of the page you're trying to log out from.
For any failed request in SAML Authentication Handler, the SAML Logout URL will be called by AEM.
So that if you configure a SAML Authentication Handler configured with path=/content/test and if you then call /system/sling/logout.html?resource=/content/test/sample-path then AEM will see that /content/test/sample-path falls under folder path /content/test and it will call the SAML Logout URL configured for this.
If you don't provide the resource request parameter then AEM will search for an SAML authentication handler configured for /.

Thanks
tarun

kautuk_sahni · 2/2/24

@costyfax Did you find the suggestions from users helpful? Please let us know if more information is required. Otherwise, please mark the answer as correct for posterity. If you have found out solution yourself, please share it with the community.

Kautuk Sahni

costyfax · 2/6/24

@kautuk_sahni I found that the problem was inside a custom Sling Filter that was modifying the response before the logout flow came in action.

Adding a more restricted condition into the filter solves the problem; I learned that everything that is modifying the response may causes this error.

Thank you all for the support!

Adobe Experience Manager Sites & More

AEM 6.5 SAML logout error

Kautuk Sahni

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe