January 25, 2024
Solved

AEM 6.5 SAML logout error


Hi all, we've integrated our author instance with AzureAD using the SAML auth handler.

Everything is OK in the login phase, but we have a problem during logout: when a user presses the logout button, the page /system/sling/logout.html is called and the user is redirected to "/".

After this, I can see in my browser network console that a new POST request is made to the IdP, but it contains not a SAMLLogout assertion but a samlp:AuthnRequest.

This behaviour made me think of some logout error; in fact, if I look at the specific SAML log I can see this stack trace:

 

 24.01.2024 13:17:21.292 *ERROR* [185.26.140.33 [1706098641275] GET /system/sling/logout.html HTTP/1.1] com.adobe.granite.auth.saml.SamlAuthenticationHandler Unable to perform SAML logout.
java.lang.IllegalStateException: WRITER
at org.eclipse.jetty.server.Response.getOutputStream(Response.java:778) [org.apache.felix.http.jetty:4.2.12]
at javax.servlet.ServletResponseWrapper.getOutputStream(ServletResponseWrapper.java:105) [org.apache.felix.http.servlet-api:1.2.0]
at javax.servlet.ServletResponseWrapper.getOutputStream(ServletResponseWrapper.java:105) [org.apache.felix.http.servlet-api:1.2.0]
at javax.servlet.ServletResponseWrapper.getOutputStream(ServletResponseWrapper.java:105) [org.apache.felix.http.servlet-api:1.2.0]
at org.apache.sling.engine.impl.log.RequestLoggerResponse.getOutputStream(RequestLoggerResponse.java:116) [org.apache.sling.engine:2.7.10.B0004]
at javax.servlet.ServletResponseWrapper.getOutputStream(ServletResponseWrapper.java:105) [org.apache.felix.http.servlet-api:1.2.0]
at org.apache.sling.engine.impl.SlingHttpServletResponseImpl.getOutputStream(SlingHttpServletResponseImpl.java:410) [org.apache.sling.engine:2.7.10.B0004]
at javax.servlet.ServletResponseWrapper.getOutputStream(ServletResponseWrapper.java:105) [org.apache.felix.http.servlet-api:1.2.0]
at javax.servlet.ServletResponseWrapper.getOutputStream(ServletResponseWrapper.java:105) [org.apache.felix.http.servlet-api:1.2.0]
at com.adobe.granite.auth.saml.binding.PostBinding.send(PostBinding.java:212) [com.adobe.granite.auth.saml:1.0.24.CQ650-B0010]
at com.adobe.granite.auth.saml.SamlAuthenticationHandler.dropCredentials(SamlAuthenticationHandler.java:670) [com.adobe.granite.auth.saml:1.0.24.CQ650-B0010]
at org.apache.sling.auth.core.impl.AuthenticationHandlerHolder.doDropCredentials(AuthenticationHandlerHolder.java:95) [org.apache.sling.auth.core:1.5.0]
at org.apache.sling.auth.core.impl.AbstractAuthenticationHandlerHolder.dropCredentials(AbstractAuthenticationHandlerHolder.java:103) [org.apache.sling.auth.core:1.5.0]
at org.apache.sling.auth.core.impl.SlingAuthenticator.logout(SlingAuthenticator.java:657) [org.apache.sling.auth.core:1.5.0]
at org.apache.sling.auth.core.impl.LogoutServlet.service(LogoutServlet.java:84) [org.apache.sling.auth.core:1.5.0]
at org.apache.sling.api.servlets.SlingSafeMethodsServlet.service(SlingSafeMethodsServlet.java:374) [org.apache.sling.api:2.22.0.B002]
at org.apache.sling.engine.impl.request.RequestData.service(RequestData.java:579) [org.apache.sling.engine:2.7.10.B0004]
at org.apache.sling.engine.impl.filter.SlingComponentFilterChain.render(SlingComponentFilterChain.java:45) [org.apache.sling.engine:2.7.10.B0004]
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:88) [org.apache.sling.engine:2.7.10.B0004]
at com.day.cq.wcm.core.impl.WCMDebugFilter.doFilter(WCMDebugFilter.java:138) [com.day.cq.wcm.cq-wcm-core:5.12.234]
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at com.day.cq.wcm.core.impl.WCMComponentFilter.filterRootInclude(WCMComponentFilter.java:375) [com.day.cq.wcm.cq-wcm-core:5.12.234]
at com.day.cq.wcm.core.impl.WCMComponentFilter.doFilter(WCMComponentFilter.java:190) [com.day.cq.wcm.cq-wcm-core:5.12.234]
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at com.day.cq.wcm.core.impl.page.PageLockFilter.doFilter(PageLockFilter.java:91) [com.day.cq.wcm.cq-wcm-core:5.12.234]
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at com.day.cq.personalization.impl.TargetComponentFilter.doFilter(TargetComponentFilter.java:94) [com.day.cq.cq-personalization:5.12.48]
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at org.apache.sling.engine.impl.SlingRequestProcessorImpl.processComponent(SlingRequestProcessorImpl.java:283) [org.apache.sling.engine:2.7.10.B0004]
at org.apache.sling.engine.impl.filter.RequestSlingFilterChain.render(RequestSlingFilterChain.java:49) [org.apache.sling.engine:2.7.10.B0004]
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:88) [org.apache.sling.engine:2.7.10.B0004]
at org.apache.sling.dynamicinclude.SyntheticResourceFilter.doFilter(SyntheticResourceFilter.java:66) [org.apache.sling.dynamic-include:3.1.2]
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:84) [org.apache.sling.engine:2.7.10.B0004]
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:84) [org.apache.sling.engine:2.7.10.B0004]
at com.day.cq.wcm.core.impl.warp.TimeWarpFilter.doFilter(TimeWarpFilter.java:109) [com.day.cq.wcm.cq-wcm-core:5.12.234]
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at com.adobe.cq.social.ugcbase.security.impl.SaferSlingPostServlet.doFilter(SaferSlingPostServlet.java:114) [com.adobe.cq.social.cq-social-ugcbase-impl:2.5.3]
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:84) [org.apache.sling.engine:2.7.10.B0004]
at com.day.cq.dam.core.impl.assetlinkshare.AdhocAssetShareAuthHandler.doFilter(AdhocAssetShareAuthHandler.java:440) [com.day.cq.dam.cq-dam-core:5.12.368]
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:84) [org.apache.sling.engine:2.7.10.B0004]
at com.day.cq.dam.core.impl.servlet.ActivityRecordHandler.doFilter(ActivityRecordHandler.java:141) [com.day.cq.dam.cq-dam-core:5.12.368]
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at com.adobe.granite.rest.impl.servlet.ApiResourceFilter.doFilter(ApiResourceFilter.java:70) [com.adobe.granite.rest.api:1.1.16.CQ650-B0005]
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at com.adobe.granite.requests.logging.impl.RequestLoggerImpl.doFilter(RequestLoggerImpl.java:134) [com.adobe.granite.requests.logging:1.0.20]
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at com.adobe.granite.rest.assets.impl.AssetContentDispositionFilter.doFilter(AssetContentDispositionFilter.java:96) [com.adobe.granite.rest.assets:1.0.58]
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:84) [org.apache.sling.engine:2.7.10.B0004]
at com.day.cq.wcm.core.impl.AuthoringUIModeServiceImpl.doFilter(AuthoringUIModeServiceImpl.java:394) [com.day.cq.wcm.cq-wcm-core:5.12.234]
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:84) [org.apache.sling.engine:2.7.10.B0004]
at com.day.cq.wcm.mobile.core.impl.redirect.RedirectFilter.doFilter(RedirectFilter.java:248) [com.day.cq.wcm.cq-wcm-mobile-core:5.11.10]
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at it.sky.dp.aemfoundation.core.filters.AbstractBaseFilter.doFilter(AbstractBaseFilter.java:48)
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at it.sky.dp.aemfoundation.core.filters.AbstractBaseFilter.doFilter(AbstractBaseFilter.java:48)
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at it.sky.dp.aemfoundation.core.filters.AbstractBaseFilter.doFilter(AbstractBaseFilter.java:48)
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at it.sky.dp.aemfoundation.core.filters.AbstractBaseFilter.doFilter(AbstractBaseFilter.java:48)
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at it.sky.dp.skysporthd.core.filters.ReportMatchFilter.doFilter(ReportMatchFilter.java:63)
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at it.sky.dp.skysporthd.core.filters.MotorsportsResultsFilter.doFilter(MotorsportsResultsFilter.java:56)
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at it.sky.dp.skysporthd.core.filters.AbstractSportsDataFilter.doFilter(AbstractSportsDataFilter.java:43)
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at it.sky.dp.skysporthd.addons.motorsports.core.filters.MotorsportsResultsFilter.doFilter(MotorsportsResultsFilter.java:64) [it.sky.dp.skysport-site-addons.motorsports.core:1.1.0]
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at it.sky.dp.aemfoundation.commons.core.filters.TagListFilter.doFilter(TagListFilter.java:83)
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at it.sky.dp.aemfoundation.commons.core.filters.LimitPaginationFilter.doFilter(LimitPaginationFilter.java:68)
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at it.sky.dp.aemfoundation.core.filters.AbstractBaseFilter.doFilter(AbstractBaseFilter.java:48)
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at it.sky.dp.skylivedata.sports.core.filters.AbstractSportsDataFilter.doFilter(AbstractSportsDataFilter.java:43)
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at it.sky.dp.skylivedata.sports.core.filters.AbstractSportsDataFilter.doFilter(AbstractSportsDataFilter.java:43)
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at it.sky.dp.aemfoundation.core.filters.AbstractBaseFilter.doFilter(AbstractBaseFilter.java:48)
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at it.sky.dp.aemfoundation.commons.core.filters.TTLCacheFilterResourceType.doFilter(TTLCacheFilterResourceType.java:63)
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:78) [org.apache.sling.engine:2.7.10.B0004]
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:84) [org.apache.sling.engine:2.7.10.B0004]
at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:84) [org.apache.sling.engine:2.7.10.B0004]

I looked inside the bundle code and saw that the error is thrown by the send() method of the PostBinding class.

Has anyone already encountered this type of problem?

 

Thank you!

 

Fabio


narendragandhi
Community Advisor
January 25, 2024

Hi @costyfax 

 

There is a similar thread for this issue with a resolution - https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/how-to-make-saml-authentication-handler-handle-logout/m-p/235146

 

Can you please try that and let us know if that helps to resolve the issue?

 

Thanks

Narendra

TarunKumar
Community Advisor (Accepted solution)
January 28, 2024

Hi @costyfax ,

Please add a request parameter "resource" to the logout URL with the path of the page you're trying to log out from.
For any failed request in the SAML Authentication Handler, the SAML Logout URL will be called by AEM.
So if you configure a SAML Authentication Handler with path=/content/test and then call /system/sling/logout.html?resource=/content/test/sample-path, AEM will see that /content/test/sample-path falls under the folder path /content/test and will call the SAML Logout URL configured for it.
If you don't provide the resource request parameter, then AEM will search for a SAML authentication handler configured for /.

Thanks
tarun

kautuk_sahni
Community Manager
February 2, 2024

@costyfax Did you find the suggestions from users helpful? Please let us know if more information is required. Otherwise, please mark the answer as correct for posterity. If you have found a solution yourself, please share it with the community.

Kautuk Sahni

costyfax (Author)
Level 2
February 6, 2024

@kautuk_sahni I found that the problem was inside a custom Sling Filter that was modifying the response before the logout flow came into action.

Adding a more restricted condition to the filter solves the problem; I learned that everything that is modifying the response may cause this error.

 

Thank you all for the support!
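
The resolution above, sketched as an added example (not code from the thread or from AEM): a servlet filter that leaves the response untouched unless the request is one it is meant to decorate, so the SAML handler's PostBinding.send() can still call getOutputStream() during logout. The class name, CONTENT_ROOT and the header name are hypothetical; the author's actual filter and condition were not posted.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: names and the decoration itself are illustrative only.
public class GuardedResponseFilter implements Filter {

    // Assumption: the filter only has business under the site's content tree.
    private static final String CONTENT_ROOT = "/content/";
    // Logout servlet path as it appears in the thread.
    private static final String LOGOUT_PATH = "/system/sling/logout";

    /** True only for requests whose response this filter may touch. */
    static boolean shouldDecorate(String requestUri) {
        if (requestUri == null || requestUri.startsWith(LOGOUT_PATH)) {
            return false; // leave the response pristine for the SAML handler
        }
        return requestUri.startsWith(CONTENT_ROOT);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String uri = ((HttpServletRequest) req).getRequestURI();
        if (!shouldDecorate(uri)) {
            chain.doFilter(req, res); // no getWriter(), no buffering, no wrapper
            return;
        }
        // Setting a header does not put the response into writer or stream mode.
        ((HttpServletResponse) res).setHeader("X-Example-Decorated", "true");
        chain.doFilter(req, res);
        // Pattern that yields "IllegalStateException: WRITER" further down the chain:
        //   res.getWriter();           // obtained before chain.doFilter(...)
        //   chain.doFilter(req, res);  // a later getOutputStream() call then fails
    }

    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void destroy() { }
}
```

Under the Servlet API a response may hand out either its writer or its output stream, never both, which is why a getWriter() call made in any filter ahead of the logout servlet surfaces as the WRITER exception in the trace.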