AEM SSO SAML Integration (Microsoft Azure AD) - Logout issue | Community
Skip to main content
S
srikrishnank190
Level 2
September 1, 2020
Solved

AEM SSO SAML Integration (Microsoft Azure AD) - Logout issue

  • September 1, 2020
  • 2 replies
  • 3122 views

We have recently integrated AEM 6.5.5 with SAML based SSO. Able to login to AEM, with SSO authentication. But we were unable to logout. 

 

Configuration values in OSGI SAML Authentication Handler

handleLogout="true"

logoutUrl="https://login.microsoftonline.com/common/wsfederation?wa\=wsignout1.0"

and tried

logoutUrl="https://login.microsoftonline.com/<abc-xyz>/wsfederation?wa=wsignout1.0"

 

The authentication service user has Keystore configured as well.

 

When the logout request generates from AEM, it is throwing as,

 

Note: If we hit the logout URL directly on the browser, it works fine

 

Logs were on trace level,

*DEBUG* com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
*DEBUG*  com.adobe.granite.auth.saml.util.SamlReader Signature verification failed for [samlp:Response: null]. No signature.

 

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.
Best answer by aemmarc2

RE : com.adobe.granite.auth.saml.util.SamlReader Signature verification failed for

 

Either the Assertion or the Signature is missing from the SAMLRequest/SAMLResponse

 

Capture a HAR containing the entire network trace of the logout and base-64 decrypt the POST data to understand what is messed up. 

2 replies

Shashi_Mulugu
Community Advisor
Shashi_MuluguCommunity Advisor
Community Advisor
September 1, 2020

@srikrishnank190 Thank you for reaching Adobe Experience League Community. Can you please post your SAML configuration file here?

 

have you checked, Handle Logout option in your SAML configuration? If it is working fine if we hit directly in the browser, it should not be an issue with IDP.

 

 

 

    S
    srikrishnank190Author
    Level 2
    September 1, 2020

    Hi Shashi,

     

    Here is the OSGI Configuration for SAML Authentication Handler,

    # Configuration created by Apache Sling JCR Installer
    identitySyncType="default"
    keyStorePassword="xxxxxxx"
    service.ranking=I"5002"
    idpHttpRedirect=B"false"
    createUser=B"true"
    defaultRedirectUrl="/"
    userIDAttribute="emailaddress"
    idpIdentifier=""
    assertionConsumerServiceURL=""
    defaultGroups=["aem-xxx"]
    storeSAMLResponse=B"true"
    signatureMethod="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
    idpCertAlias="ab-cdef#1597308296857"
    addGroupMemberships=B"true"
    path=["/"]
    digestMethod="http://www.w3.org/2001/04/xmlenc#sha256"
    synchronizeAttributes=["givenname\=profile/givenName","surname\=profile/familyName","emailaddress\=profile/email"]
    clockTolerance=I"60"
    groupMembershipAttribute="groups"
    idpUrl="https://login.microsoftonline.com/abc-def-xyz/saml2"
    logoutUrl="https://login.microsoftonline.com/abc-def-xyz/wsfederation?wa=wsignout1.0"
    serviceProviderEntityId="ijk-lnmop-adobe-dev"
    handleLogout=B"true"
    userIntermediatePath=""
    spPrivateKeyAlias=""
    useEncryption=B"false"
    nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" 

    A
    Adobe Employee
    aemmarc2Adobe EmployeeAccepted solution
    Adobe Employee
    September 2, 2020

    RE : com.adobe.granite.auth.saml.util.SamlReader Signature verification failed for

     

    Either the Assertion or the Signature is missing from the SAMLRequest/SAMLResponse

     

    Capture a HAR containing the entire network trace of the logout and base-64 decrypt the POST data to understand what is messed up. 

      Terms & ConditionsAccessibility statement

      Loading footer...