AEM SAML integration - logout doesn't go to IDP logout URL

Level 2

I am trying to configure the SAML authentication handler using http://docs.adobe.com/docs/en/aem/6-1/administer/security/saml-2-0-authenticationhandler.html.

I am using the ssocircle IDP for my testing and configured the logout URL in the SAML authentication handler as https://idp.ssocircle.com:443/sso/IDPSloPost/metaAlias/ssocircle.

SAML authentication is working: when I try to open the configured path, I get redirected to the IDP login page, and after authentication the AEM page opens fine. The problem comes when I try to log out from AEM. I expect the IDP logout page that we configured in SAML to open, but actually it opens the AEM login page. Could anyone point out what I am missing here? Do we need to put something in the IDP source provider metadata to enable the logout?

In SAML config, I have enabled the "Handle Logout" config.

Thanks,

Deepak

1 Accepted Solution

Correct answer by
Level 2

Hi Guys,

First of all, thanks to all of you who tried to help me with this problem. I think I now understand this problem better. As Abhishek mentioned, if we configure the root path ("/") it works, because the /system/sling/logout servlet redirects the response to "/" after logout. If the root path is not in the SAML config path, then after logout (Authenticator logout - core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java) the AEM login process will kick in. If we have "/" configured, then the redirect request goes through the SAML authentication handler, and it redirects the response to the IDP login page when it finds that authentication is required.

My problem is that now I have to write some code to prevent the redirection to the root path on logout.

Update: I have found a way to set the redirection path (login resource path) after logout: AuthUtil.setLoginResourceAttribute(request, "/path-configured-in-saml-config").

Tested it and it works.

Thanks Guys!!

Regards,

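The accepted solution above names the API call but not where to make it. The following is an added example (not code from the thread, from Adobe, or from Apache Sling) showing one way to wire it up: a request-scope Sling filter that runs before the /system/sling/logout servlet and sets the login-resource request attribute to a path that the SAML handler's "path" property covers. SlingAuthenticator consults that attribute when it chooses the post-logout redirect, so the browser is sent to a SAML-protected path instead of "/", the handler finds no session there and starts the IdP flow. The package name, the class name and the value of SAML_PROTECTED_PATH are assumptions; the OSGi DS annotations assume an R6-capable AEM (on 6.1 the equivalent Felix SCR annotations would be used).

```java
package com.example.saml; // assumed package name, not from the thread

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.apache.sling.auth.core.AuthUtil;
import org.osgi.service.component.annotations.Component;

/**
 * Added example, not code from the thread, Adobe or Apache Sling.
 *
 * Request-scope Sling filter that runs before the /system/sling/logout
 * servlet and pins the "login resource" request attribute to a path the
 * SAML authentication handler is configured for. SlingAuthenticator.logout()
 * reads that attribute when choosing where to redirect after dropping the
 * credentials, so the post-logout redirect lands on a SAML-protected path
 * instead of "/", and the SAML handler (not the AEM login page) takes over.
 */
@Component(service = Filter.class, property = {
        "sling.filter.scope=REQUEST",
        "service.ranking:Integer=1000" // run early, before other request filters
})
public class SamlLogoutRedirectFilter implements Filter {

    /** Assumed value: must match one entry of the SAML handler's "path" property. */
    static final String SAML_PROTECTED_PATH = "/content/mysite";

    /** Sling's logout endpoint, which the AEM logout link points to. */
    static final String LOGOUT_SERVLET_PATH = "/system/sling/logout";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest request = (HttpServletRequest) req;
            if (isLogoutRequest(request)) {
                // AuthUtil checks the request attribute before any "resource"
                // request parameter, so this overrides the default redirect to "/"
                // regardless of how the logout link was built.
                AuthUtil.setLoginResourceAttribute(request, SAML_PROTECTED_PATH);
            }
        }
        chain.doFilter(req, res);
    }

    /**
     * True for /system/sling/logout and any selector/extension variant of it
     * (for example /system/sling/logout.html), ignoring the servlet context path.
     * Kept package-visible so it can be unit-tested with a mocked request.
     */
    static boolean isLogoutRequest(HttpServletRequest request) {
        String uri = request.getRequestURI();
        String ctx = request.getContextPath();
        if (ctx != null && !ctx.isEmpty() && uri.startsWith(ctx)) {
            uri = uri.substring(ctx.length());
        }
        return uri.equals(LOGOUT_SERVLET_PATH) || uri.startsWith(LOGOUT_SERVLET_PATH + ".");
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // nothing to initialise
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Keep SAML_PROTECTED_PATH a server-relative path: Sling validates the post-logout redirect target and falls back to the context root for anything it does not consider a local resource, so an absolute URL (for example the IdP's own logout endpoint) cannot be injected here. The IdP logout is still reached only through the SAML handler, which is why the target has to be a path the handler is configured to intercept.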

6 Replies

Level 3

It should work if you've configured the AEM SAML handler to intercept the root path, since the AEM logout link points to /system/sling/logout.

If your handler is configured to intercept some other path, then it will not get invoked when logout is clicked.

Level 10

Take a look here - it covers logout as part of the SAML topic and it may help you:

https://helpx.adobe.com/experience-manager/kb/saml-demo.html

Level 2

Thanks Abhishek and smacdonald2008. I tried Abhishek's suggestion and it didn't work for me. I added the /system/sling path in the config but it didn't help. Thinking aloud, if I put the root path in the path config of SAML, then as a system admin I will not be able to log in via the AEM login page; I will be forced to log in using SAML. This may not be a desirable situation for administration purposes.

I will try updating the metadata as pointed out in smacdonald2008's link and see if it helps.

Employee

Hi Deepak,

For AEM 6.1, did you follow the guide here [1]? Have you tried /libs/cq/core/content/login.logout.html?

As for an admin user, you can log into AEM via SAML, go to "/crx/de/index.jsp" and then log in again as the admin user. But you probably want to give specific users the appropriate rights to perform admin tasks.

Regards,

Opkar

[1] http://www.aemstuff.com/blogs/july/saml.html

Level 2

Hi Opkar,

As mentioned by Abhishek, if I configure the path in the SAML Auth handler as "/" and log out, then it works fine and the IDP logout screen is opened. But as per my use case I have to configure only specific paths, and doing that results in logout going back to the AEM login screen. I tried giving "/system/sling/logout" in the path as well, but that didn't help. Any suggestion what else I can try?

Thanks,

Deepak
