AEM SAML integration - logout doesn't go to IDP logout URL | Community
Level 2
October 16, 2015
Solved

AEM SAML integration - logout doesn't go to IDP logout URL

  • October 16, 2015
  • 6 replies
  • 8737 views

I am trying to configure the SAML authentication handler using - http://docs.adobe.com/docs/en/aem/6-1/administer/security/saml-2-0-authenticationhandler.html.

I am using the ssocircle IDP for my testing and configured the logout URL in the SAML authentication handler as


https://idp.ssocircle.com:443/sso/IDPSloPost/metaAlias/ssocircle.

SAML authentication is working: when I try to open the configured path, I get redirected to the IDP login page, and after authentication the AEM page opens fine. The problem comes when I try to log out from AEM. I expect the IDP logout page that we configured in SAML to open, but actually it opens the AEM login page. Could anyone point out what I am missing here? Do we need to put something in the IDP source provider metadata to enable the logout?

In SAML config, I have enabled the "Handle Logout" config.

Thanks,

Deepak

Best answer by dbdigital04

Hi Guys,

First of all, thanks to all of you who tried to help me with this problem. I think I now better understand this problem. As Abhishek mentioned, if we configure the root path ("/") it works because the /system/sling/logout servlet redirects the response to "/" after logout. If the root path is not in the SAML config path, then after logout (Authenticator logout - core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java) the AEM login process will kick in. If we have "/" configured, then the redirect request goes through the SAML authentication handler and it redirects the response to the IDP login page when it finds authentication is required.

My problem is that now I have to write some code to prevent redirection to the root path on logout.


Update: I have found a way to set the redirection path (login resource path) after logout: AuthUtil.setLoginResourceAttribute(request, "/path-configured-in-saml-config").

Tested it and it works.


Thanks Guys!!

Regards,
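The accepted answer's fix, worked into a complete Sling servlet as an added example. This is not code from the thread or from Adobe; the package name, the servlet path /bin/example/logout and the protected path /content/example-site are assumptions for illustration, and the annotations are the Felix SCR ones used in AEM 6.1-era projects. As far as I can tell from the Sling auth core source, SlingAuthenticator.logout() uses the login-resource request attribute, when one is set, both to pick the authentication handler whose configured path matches it and as the post-logout redirect target; pinning that attribute to the SAML-protected path is therefore what lets the SAML handler (with "Handle Logout" enabled) drive the logout while the handler stays scoped to the site path rather than "/", which addresses the admin-login concern raised earlier in the thread:

```java
package com.example.saml; // hypothetical package, not from the thread

import java.io.IOException;

import javax.servlet.ServletException;

import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.sling.SlingServlet;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.auth.Authenticator;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;
import org.apache.sling.auth.core.AuthUtil;

/**
 * Logout entry point for a site whose SAML authentication handler is
 * registered on a specific path (not "/").
 *
 * Before delegating to the Sling Authenticator it pins the "login resource"
 * to the SAML-protected path. SlingAuthenticator.logout() then selects the
 * handler matching that path (the SAML handler, which performs the IdP
 * logout when "Handle Logout" is enabled) and redirects there afterwards,
 * instead of falling back to "/" and the AEM login page.
 *
 * Servlet path and protected path are assumptions for this example.
 */
@SlingServlet(paths = "/bin/example/logout", methods = { "GET", "POST" })
public class SamlScopedLogoutServlet extends SlingAllMethodsServlet {

    private static final long serialVersionUID = 1L;

    /** Must match the "Path" value in the SAML authentication handler config. */
    private static final String SAML_PROTECTED_PATH = "/content/example-site";

    @Reference
    private Authenticator authenticator;

    @Override
    protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws ServletException, IOException {
        doLogout(request, response);
    }

    @Override
    protected void doPost(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws ServletException, IOException {
        doLogout(request, response);
    }

    private void doLogout(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws IOException {
        if (response.isCommitted()) {
            // Nothing can be redirected any more; do not attempt a logout that
            // would silently leave the IdP session alive.
            throw new IOException("response already committed before logout");
        }

        // The call from the accepted answer: the attribute is read by
        // SlingAuthenticator.logout() for handler selection and as the
        // redirect target, so the SAML handler is used even though the
        // request itself does not live under its configured path.
        AuthUtil.setLoginResourceAttribute(request, SAML_PROTECTED_PATH);

        // Hands off to SlingAuthenticator.logout(): drops credentials through
        // the matching handler(s) and sends the post-logout redirect.
        authenticator.logout(request, response);
    }
}
```

Point the site's logout link at /bin/example/logout instead of /system/sling/logout and keep "Handle Logout" enabled on the SAML handler. To verify, watch the redirect chain in the browser's network tab: after the logout request you should see a redirect to the IdP logout URL, not to the AEM login page. Because the handler selection depends on the attribute matching the handler's configured path, the constant here has to be kept in sync with the OSGi config when the path changes.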

6 replies

Level 3
October 16, 2015

It should work if you've configured AEM SAML handler to intercept the root path since the AEM logout link points to /system/sling/logout

If your handler is configured to intercept some other path, then it will not get invoked on click of logout.

smacdonald2008
Level 10
October 16, 2015

Take a look here - it covers logout as part of the SAML topic and it may help you:

https://helpx.adobe.com/experience-manager/kb/saml-demo.html

Level 2
October 16, 2015

Thanks Abhishek and smacdonald2008. I tried Abhishek's suggestion and it didn't work for me. I added the /system/sling path in the config but it didn't help. Thinking aloud, if I put the root path in the path config of SAML, then as a system admin I will not be able to log in via the AEM login page. I will be forced to log in using SAML. This may not be a desirable situation for administration purposes.

I will try updating the metadata as pointed out in smacdonald2008's link and see if it helps.

Adobe Employee
October 16, 2015

Hi Deepak,

For AEM 6.1, did you follow the guide here [1]? Have you tried: /libs/cq/core/content/login.logout.html

As for an admin user, you can log into AEM via SAML, go to "/crx/de/index.jsp" and then login again as the admin user. But you probably want to give specific users the appropriate rights to perform admin tasks.

Regards,

Opkar

[1] http://www.aemstuff.com/blogs/july/saml.html

Level 2
October 16, 2015

Hi Opkar,

As mentioned by Abhishek, if I configure the path in the SAML auth handler as "/" and log out, then it works fine and the IDP logout screen is opened. But as per my use case I have configured only specific paths, and doing that results in logout going back to the AEM login screen. I tried giving "/system/sling/logout" in the path as well, but that didn't help. Any suggestion what else I can try?

Thanks,

Deepak
