AEM SAML Authentication

Level 2

Hi All,

 

We have configured SAML authentication with Microsoft Azure. We are able to invoke the authentication when loading a page in the browser for pages marked as granite:AuthenticationRequired. But other than this we also have login and logout buttons.

 

1. How do we invoke SAML authentication on click of login?

2. How do we invoke logout functionality on click of logout?

5 Replies

Level 4

Hi @ayush_aem ,

 

1. For login you can configure the AEM login page /libs/granite/core/content/login.html; then AEM should redirect to SAML via com.adobe.granite.auth.saml.SamlAuthenticationHandler, where you have different properties - read more: https://experienceleague.adobe.com/en/docs/experience-manager-65/content/security/saml-2-0-authentic...

Example configuration:

addGroupMemberships=B"true"
assertionConsumerServiceURL=""
clockTolerance=I"60"
createUser=B"true"
defaultGroups=[]
defaultRedirectUrl=""
digestMethod="http://www.w3.org/2001/04/xmlenc#sha256"
groupMembershipAttribute=""
handleLogout=B""
identitySyncType="default"
idpCertAlias=""
idpHttpRedirect=B"false"
idpIdentifier="IDPIdentifier"
idpUrl="https://login.microsoftonline.com/..."
keyStorePassword=""
logoutUrl=""
nameIdFormat=""
path=["/"]
service.ranking=I"5002"
serviceProviderEntityId=""
signatureMethod=""
spPrivateKeyAlias=""
storeSAMLResponse=B"false"
synchronizeAttributes=[""]
useEncryption=B"false"
userIDAttribute=""
userIntermediatePath=""

2. For logout you can call /system/sling/logout.html

Level 2

Hi @anupampat, I already tried both approaches. For login I allowed the path in the dispatcher, and when I hit the page I get the default AEM login screen and not the SAML authentication screen. Not sure if I am missing something.

 

For logout, when I call /system/sling/logout.html, the session is not killed at the IdP end. It takes the user to the login screen, but on refresh the session is retrieved again.

Level 4

I would recommend SAML with Azure for authoring only, as you have to set path to "/" and the entire authoring environment is generally protected.

 

For live sites, though, it is best to use the OAuth 2.0 Azure approach. The ideal approach is to have a Login component that shows a login button when Azure cookies are not present and a logout button when they are present. You can also look at the login-token cookie. On clicking the Login button you can trigger the OAuth login; for logout you should remove the login-token cookie and call the IdP for logout separately.

 

OAuth login is similar to the Twitter login that is present OOTB.

Community Advisor

Hi @ayush_aem,

To log out, you just need to provide the URL which will be provided by the IdP, and YES, this works for me. After hitting /system/sling/logout.html?resource=/content/aem-demo this will be done by AEM itself, where /content/aem-demo is the "path" configuration you provided in SamlAuthenticationHandler.

"logoutUrl": "http://localhost:8080/realms/aem-local/protocol/saml",

This will log out from AEM as well as from IDP.

Note: If you need a country- or project-based setup you can set a specific path. Otherwise, to make every page private, just put path="/".
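The two points the thread turns on are the handler configuration posted in the first reply and the logout URL in the last one. The following Python script is an added example, not code from any poster or from Adobe: it parses the Felix `.config` syntax shown above (`B"true"`, `I"60"`, `"string"`, `["array"]`), flags the settings that would leave the IdP session alive after `/system/sling/logout.html`, and builds the `?resource=` logout URL while checking that the resource lies under a configured `path`. The rule it checks (that `handleLogout` must be `B"true"` and `logoutUrl` must point at the IdP for the logout to propagate) is an assumption drawn from the property names and from the Community Advisor's reply; the `idp.example.invalid` logout endpoint is a placeholder.

```python
import re
from typing import Dict, List, Union

ConfigValue = Union[bool, int, str, List[str]]

# One "key=value" line of the Felix .config format pasted in the thread.
_LINE = re.compile(r'^\s*([\w.\-]+)\s*=\s*(.*?)\s*$')
_TYPED = re.compile(r'^([BI])"(.*)"$')   # B"true" (boolean), I"60" (integer)
_STRING = re.compile(r'^"(.*)"$')         # "plain string"
_ARRAY = re.compile(r'^\[(.*)\]$')        # ["a","b"] or []


def parse_value(raw: str) -> ConfigValue:
    """Decode a single typed value; raises ValueError on anything unexpected."""
    m = _TYPED.match(raw)
    if m:
        kind, body = m.groups()
        if kind == "B":
            return body.strip().lower() == "true"   # B"" decodes to False
        return int(body)
    m = _ARRAY.match(raw)
    if m:
        return re.findall(r'"([^"]*)"', m.group(1))
    m = _STRING.match(raw)
    if m:
        return m.group(1)
    raise ValueError(f"unrecognised value syntax: {raw!r}")


def parse_config(text: str) -> Dict[str, ConfigValue]:
    """Parse a .config body into a dict; blank lines and '#' comments are skipped."""
    config: Dict[str, ConfigValue] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a key=value line: {line!r}")
        key, raw = m.groups()
        config[key] = parse_value(raw)
    return config


def lint_logout(config: Dict[str, ConfigValue]) -> List[str]:
    """Return the settings that would leave the IdP session alive after /system/sling/logout.html."""
    findings = []
    if config.get("handleLogout") is not True:
        findings.append('handleLogout is not B"true": the SAML handler will not process '
                        "the logout request, so only the AEM session is cleared")
    if not config.get("logoutUrl"):
        findings.append("logoutUrl is empty: no logout request reaches the IdP, so a "
                        "refresh re-authenticates the user silently")
    if not config.get("path"):
        findings.append("path is empty: the handler is not bound to any content tree")
    return findings


def build_logout_url(config: Dict[str, ConfigValue], resource: str) -> str:
    """Build the logout URL from the thread, checking that resource lies under a configured path."""
    paths = config.get("path") or []
    if not any(resource == p or resource.startswith(p.rstrip("/") + "/") for p in paths):
        raise ValueError(f"{resource} is not under any configured path {paths}")
    return f"/system/sling/logout.html?resource={resource}"


# Constructed sample: the logout-relevant keys of the configuration in the first reply.
AS_POSTED = """\
addGroupMemberships=B"true"
clockTolerance=I"60"
createUser=B"true"
defaultGroups=[]
handleLogout=B""
idpUrl="https://login.microsoftonline.com/..."
logoutUrl=""
path=["/"]
service.ranking=I"5002"
storeSAMLResponse=B"false"
"""

# Constructed corrected variant: handleLogout enabled and a placeholder IdP logout endpoint.
CORRECTED = (AS_POSTED
             .replace('handleLogout=B""', 'handleLogout=B"true"')
             .replace('logoutUrl=""', 'logoutUrl="https://idp.example.invalid/saml/logout"'))


if __name__ == "__main__":
    for label, text in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(label, "->", lint_logout(parse_config(text)) or ["ok"])
    print(build_logout_url(parse_config(CORRECTED), "/content/aem-demo"))
```

Run against the configuration as posted, the linter reports exactly the symptom described in the thread (AEM session cleared, IdP session kept, so a refresh logs the user straight back in); against the corrected variant it reports nothing, and the logout URL for `/content/aem-demo` is accepted because it falls under `path=["/"]`.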