SOLVED

AEM SAML integration - logout doesn't go to IDP logout URL


Level 2

I am trying to configure the SAML authentication handler using http://docs.adobe.com/docs/en/aem/6-1/administer/security/saml-2-0-authenticationhandler.html.

I am using the ssocircle IDP for my testing and configured the logout URL in the SAML authentication handler as https://idp.ssocircle.com:443/sso/IDPSloPost/metaAlias/ssocircle.

SAML authentication is working: when I try to open the configured path, I get redirected to the IDP login page, and after authentication the AEM page opens fine. The problem comes when I try to log out from AEM. I expect the IDP logout page that we configured in SAML to open, but actually it opens the AEM login page. Could anyone point out what I am missing here? Do we need to put something in the IDP source provider metadata to enable the logout?

In the SAML config, I have enabled the "Handle Logout" option.

Thanks,

Deepak

1 Accepted Solution


Correct answer by
Level 2

Hi Guys,

First of all, thanks to all of you who tried to help me with this problem. I think I now better understand this problem. As Abhishek mentioned, if we configure the root path ("/") it works because the /system/sling/logout servlet redirects the response to "/" after logout. If the root path is not in the SAML config path, then after logout (Authenticator logout - core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java) the AEM login process will kick in. If we have "/" configured, then the redirect request goes through the SAML authentication handler, and it redirects the response to the IDP login page when it finds authentication required.

My problem is that now I have to write some code to prevent redirection to the root path on logout.

Update: I have found a way to set the redirection path (login resource path) after logout: AuthUtil.setLoginResourceAttribute(request, "/path-configured-in-saml-config").

Tested it and it works.

Thanks Guys!!

Regards,

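The fix described in the accepted answer, packaged as a Sling request filter so the attribute is set for every request to the logout servlet without touching AEM's own logout link. This is an added example, not code from this thread, from Adobe, or from Apache Sling. The package and class names and the /content/mysite path are assumptions; the only calls used are Sling's AuthUtil.setLoginResourceAttribute and the Authenticator.LOGIN_RESOURCE ("resource") constant, which the authenticator consults when choosing the post-logout redirect.

```java
// Added example, not code from the thread or from Adobe/Apache Sling.
// Package name, class name and SAML_PROTECTED_PATH are assumptions.
package com.example.aem.saml;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.apache.sling.api.auth.Authenticator;
import org.apache.sling.auth.core.AuthUtil;
import org.osgi.service.component.annotations.Component;

/**
 * Request-scope Sling filter that runs ahead of the /system/sling/logout servlet.
 * It records the SAML-protected path as the "login resource", so that after
 * SlingAuthenticator drops the credentials the redirect lands on a path the SAML
 * authentication handler intercepts, instead of the default "/". The handler then
 * sends the browser to the IDP rather than to the AEM login form.
 */
@Component(
    service = Filter.class,
    property = {
        "sling.filter.scope=REQUEST",
        "service.ranking:Integer=1000"
    })
public class SamlLogoutRedirectFilter implements Filter {

    /** A path listed in the SAML authentication handler's "Path" configuration (assumed value). */
    static final String SAML_PROTECTED_PATH = "/content/mysite";

    /** Sling logout entry point referred to in the thread. */
    static final String LOGOUT_PATH = "/system/sling/logout";

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to initialise
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            HttpServletRequest httpRequest = (HttpServletRequest) request;
            if (shouldSetLoginResource(httpRequest)) {
                // Same call the accepted answer quotes. The value is a fixed constant, never
                // taken from the request, so the redirect target cannot be steered by a caller.
                AuthUtil.setLoginResourceAttribute(httpRequest, SAML_PROTECTED_PATH);
            }
        }
        chain.doFilter(request, response);
    }

    /**
     * Act only on the logout servlet, and only when no redirect target has already been
     * supplied through the "resource" request attribute or parameter, so deliberate
     * choices made elsewhere in the application are not silently overridden.
     */
    static boolean shouldSetLoginResource(HttpServletRequest request) {
        String uri = request.getRequestURI();
        if (uri == null || !uri.startsWith(LOGOUT_PATH)) {
            return false;
        }
        boolean alreadySet = request.getAttribute(Authenticator.LOGIN_RESOURCE) != null
                || request.getParameter(Authenticator.LOGIN_RESOURCE) != null;
        return !alreadySet;
    }
}
```

Deploy the class in an OSGi bundle on the AEM instance; because the filter only matches /system/sling/logout and defers to any existing "resource" value, it leaves every other request untouched. Keeping the target a constant matters: the post-logout redirect is an open-redirect candidate if it is ever built from caller-supplied input, so if you later accept a dynamic target, validate that it stays on the local host before handing it to the authenticator.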

6 Replies


Level 3

It should work if you've configured the AEM SAML handler to intercept the root path, since the AEM logout link points to /system/sling/logout.

If your handler is configured to intercept some other path, then it will not get invoked on click of logout.


Level 10

Take a look here - it covers logout as part of the SAML topic and it may help you:

https://helpx.adobe.com/experience-manager/kb/saml-demo.html


Level 2

Thanks Abhishek and smacdonald2008. I tried Abhishek's suggestion and it didn't work for me. I added the /system/sling path in the config but it didn't help. Thinking aloud, if I put the root path in the path config of SAML, then as a system admin I will not be able to log in via the AEM login page; I will be forced to log in using SAML. This may not be a desirable situation for administration purposes.

I will try updating the metadata as pointed out in smacdonald2008's link and see if it helps.


Employee

Hi Deepak,

For AEM 6.1, did you follow the guide here [1]? Have you tried /libs/cq/core/content/login.logout.html?

As for an admin user, you can log into AEM via SAML, go to "/crx/de/index.jsp" and then log in again as the admin user. But you probably want to give specific users the appropriate rights to perform admin tasks.

Regards,

Opkar

[1] http://www.aemstuff.com/blogs/july/saml.html


Level 2

Hi Opkar,

As mentioned by Abhishek, if I configure the path in the SAML auth handler as "/" and log out, then it works fine and the IDP logout screen is opened. But as per my use case I have to configure only specific paths, and doing that results in logout going back to the AEM login screen. I tried giving "/system/sling/logout" in the path as well, but that didn't help. Any suggestion what else I can try?

Thanks,

Deepak
