I am trying to configure the SAML authentication handler using http://docs.adobe.com/docs/en/aem/6-1/administer/security/saml-2-0-authenticationhandler.html.
I am using the ssocircle IDP for my testing and configured the logout URL in the SAML authentication handler as
https://idp.ssocircle.com:443/sso/IDPSloPost/metaAlias/ssocircle.
SAML authentication is working: when I try to open the configured path, I get redirected to the IDP login page, and after authentication the AEM page opens fine. The problem comes when I try to logout from AEM. I expect the IDP logout page that we configured in SAML should open, but actually it opens the AEM login page. Could anyone point out what I am missing here? Do we need to put something in the IDP source provider metadata to enable the logout?
In the SAML config, I have enabled the "Handle Logout" option.
Thanks,
Deepak
It should work if you've configured the AEM SAML handler to intercept the root path, since the AEM logout link points to /system/sling/logout.
If your handler is configured to intercept some other path, then it will not get invoked on click of logout.
Take a look here; it covers logout as part of the SAML topic and it may help you:
https://helpx.adobe.com/experience-manager/kb/saml-demo.html
Thanks Abhishek and smacdonald2008. I tried Abhishek's suggestion and it didn't work for me. I added the /system/sling path in the config but it didn't help. Thinking aloud, if I put the root path in the path config of SAML then as a system admin I will not be able to login via the AEM login page. I will be forced to login using SAML. This may not be a desirable situation for administration purposes.
I will try updating the metadata as pointed out in smacdonald2008's link and see if it helps.
Hi Deepak,
For AEM 6.1, did you follow the guide here [1]? Have you tried /libs/cq/core/content/login.logout.html?
As for an admin user, you can log into AEM via SAML, go to "/crx/de/index.jsp" and then login again as the admin user. But you probably want to give specific users the appropriate rights to perform admin tasks.
Regards,
Opkar
Hi Opkar,
As mentioned by Abhishek, if I configure the path in the SAML Auth handler as "/" and logout then it works fine and the IDP logout screen is opened. But as per my use case I have to configure only specific paths, and doing that results in logout going back to the AEM login screen. I tried giving "/system/sling/logout" in the path as well but that didn't help. Any suggestion what else I can try?
Thanks,
Deepak
Hi Guys,
First of all, thanks to all of you who tried to help me with this problem. I think I now better understand this problem. As Abhishek mentioned, if we configure the root path ("/") it works because the /system/sling/logout servlet redirects the response to "/" after logout. If the root path is not there in the SAML config path then after logout (Authenticator logout - core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java) the AEM login process will kick in. If we have "/" configured then the redirect request goes through the SAML authentication handler and it redirects the response to the IDP login page when it finds authentication is required.
My problem is that now I have to write some code to prevent redirection to the root path on logout.
Update: I have found a way to set the redirection path (login resource path) after logout: AuthUtil.setLoginResourceAttribute(request, "/path-configured-in-saml-config").
Tested it and it works.
Thanks Guys!!
Regards,
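As an added example (not code from the thread or from Adobe/Sling), here is one way to apply the fix Deepak found: a Sling request filter that calls AuthUtil.setLoginResourceAttribute before the logout servlet runs, so the post-logout redirect lands on the SAML-protected path instead of "/", where the SAML handler takes over as he describes. The package, class name and the path /content/secure are placeholders, and it assumes OSGi DS annotations are available in the project build.

```java
// Added example, not code from the thread. Sets the login resource attribute on
// requests to /system/sling/logout so SlingAuthenticator redirects to the
// SAML-protected path after dropping credentials. Package, class name and
// SAML_PROTECTED_PATH are placeholders (assumptions).
package com.example.saml;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.apache.sling.auth.core.AuthUtil;
import org.osgi.service.component.annotations.Component;

@Component(service = Filter.class, property = {
        "sling.filter.scope=REQUEST",   // runs before the logout servlet is dispatched
        "service.ranking:Integer=1000"
})
public class SamlLogoutRedirectFilter implements Filter {

    /** Path covered by the SAML handler's path config (placeholder value). */
    private static final String SAML_PROTECTED_PATH = "/content/secure";

    /** Target of the standard AEM logout link. */
    private static final String LOGOUT_PATH = "/system/sling/logout";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest request = (HttpServletRequest) req;
            String uri = request.getRequestURI();
            // Only touch the logout request; every other request keeps its normal login resource.
            if (uri != null && uri.startsWith(LOGOUT_PATH)) {
                // A fixed, local path rather than a caller-supplied URL, so this cannot be
                // turned into an open redirect. setLoginResourceAttribute only fills the
                // attribute when no "resource" attribute/parameter is already present.
                AuthUtil.setLoginResourceAttribute(request, SAML_PROTECTED_PATH);
            }
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }
}
```

Because the handler's path config still excludes "/", an administrator can keep using the regular AEM login page, which was the concern raised earlier in the thread.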