Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
Bedrock Mission!

Learn more

View all

Sign in to view all badges

SOLVED

AEM SAML integration - logout doesn't go to IDP logout URL

Avatar

Level 2

I am trying to configure saml authentication handler using - http://docs.adobe.com/docs/en/aem/6-1/administer/security/saml-2-0-authenticationhandler.html.

I am using ssocircle IDP for my testing and configured the logout url in SAML authetication handler as


https://idp.ssocircle.com:443/sso/IDPSloPost/metaAlias/ssocircle.

SAML autehtication is working, when I try to open the configured path, I get redirected to IDP login page and after authentication the AEM page opens fine. Problem comes when I try to logout from AEM. I expect the IDP logout page that we configured in SAML should open but actually it opens the AEM login page. Could anyone point what am I missing over here. Do we need to put something in the IDP source provider metadata to enable the logout.

In SAML config, I have enabled the "Handle Logout" config.

Thanks,

Deepak

1 Accepted Solution

Avatar

Correct answer by
Level 2

Hi Guys,

First of all thanks to all  of you who tried to hep me with this problem.I think I now better understand this problem. As Abhishek mentioned if we configure root path ("/") it works because the /system/sling/logout servlet redirects the response to "/" after logout. If root path is not there in SAML config path then after logout (Autheticator logout - core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java) AEM login process will kick in. If we have "/" configured then redirect request goes through SAML authentication handler and it redirect the response to IDP login page when finds authentication required.

My problem is that now I have to write some code to prevent redirection to root path on logout..

 

 

// Update---- I have found a way to set the redirection path (login resource path) after logout. AuthUtil.setLoginResourceAttribute(request, "/path-configured-in-saml-config").

Tested it and it works.

 

Thanks Guys!!

Regards,

View solution in original post

0 Replies

Avatar

Level 3

It should work if you've configured AEM SAML handler to intercept the root path since the AEM logout link points to /system/sling/logout

If your handler is configured to intercept some other path, then it will not get invoked on click of logout.

Avatar

Level 2

Thanks Abhishek and smacdonald2008. I tried Abhishek's suggestion and it didn't work for me. I added /system/sling path in the config but it didn't help. Thinking  a loud if I put root path in path config of SAML then as a system admin I will not be able to login via AEM login page. I will be forced to login using SAML. This may not be a desirable situation for administration purpose.

I will try update the metadata as pointed out in smacdonald2008's link and see if it helps.

Avatar

Employee

Hi Deepak,

for AEM6.1, did you follow the guide here[1], have you tried: /libs/cq/core/content/login.logout.html

As for an admin user, you can log into AEM via SAML, go to "/crx/de/index.jsp" and then login again as the admin user. But you probably want to give specific users the appropriate rights to perform admin tasks.

Regards,

Opkar

[1] http://www.aemstuff.com/blogs/july/saml.html

Avatar

Level 2

Hi Opkar,

As mentioned by Abhishek if I configure the path in SAML Auth handler as "/" and logout then it works fine and IDP logout screen is opened. But as per my use case I have configure only specific paths, doing that results in logout going back to AEM login screen. I tried giving "/system/sling/logout" in the path as well but that didn't help. Any suggestion what else I can try.

Thanks,

Deepak

Avatar

Correct answer by
Level 2

Hi Guys,

First of all thanks to all  of you who tried to hep me with this problem.I think I now better understand this problem. As Abhishek mentioned if we configure root path ("/") it works because the /system/sling/logout servlet redirects the response to "/" after logout. If root path is not there in SAML config path then after logout (Autheticator logout - core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java) AEM login process will kick in. If we have "/" configured then redirect request goes through SAML authentication handler and it redirect the response to IDP login page when finds authentication required.

My problem is that now I have to write some code to prevent redirection to root path on logout..

 

 

// Update---- I have found a way to set the redirection path (login resource path) after logout. AuthUtil.setLoginResourceAttribute(request, "/path-configured-in-saml-config").

Tested it and it works.

 

Thanks Guys!!

Regards,