We have recently integrated AEM 6.5.5 with SAML based SSO. Able to login to AEM, with SSO authentication. But we were unable to logout.
Configuration values in OSGI SAML Authentication Handler
handleLogout="true"
logoutUrl="https://login.microsoftonline.com/common/wsfederation?wa\=wsignout1.0"
and tried
logoutUrl="https://login.microsoftonline.com/<abc-xyz>/wsfederation?wa=wsignout1.0"
The authentication service user has Keystore configured as well.
When the logout request generates from AEM, it is throwing as,
Note: If we hit the logout URL directly on the browser, it works fine
Logs were on trace level,
*DEBUG* com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
*DEBUG* com.adobe.granite.auth.saml.util.SamlReader Signature verification failed for [samlp:Response: null]. No signature.
Solved! Go to Solution.
Views
Replies
Total Likes
RE : com.adobe.granite.auth.saml.util.SamlReader Signature verification failed for
Either the Assertion or the Signature is missing from the SAMLRequest/SAMLResponse
Capture a HAR containing the entire network trace of the logout and base-64 decrypt the POST data to understand what is messed up.
@srikrishnank190 Thank you for reaching Adobe Experience League Community. Can you please post your SAML configuration file here?
have you checked, Handle Logout option in your SAML configuration? If it is working fine if we hit directly in the browser, it should not be an issue with IDP.
Hi Shashi,
Here is the OSGI Configuration for SAML Authentication Handler,
# Configuration created by Apache Sling JCR Installer
identitySyncType="default"
keyStorePassword="xxxxxxx"
service.ranking=I"5002"
idpHttpRedirect=B"false"
createUser=B"true"
defaultRedirectUrl="/"
userIDAttribute="emailaddress"
idpIdentifier=""
assertionConsumerServiceURL=""
defaultGroups=["aem-xxx"]
storeSAMLResponse=B"true"
signatureMethod="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
idpCertAlias="ab-cdef#1597308296857"
addGroupMemberships=B"true"
path=["/"]
digestMethod="http://www.w3.org/2001/04/xmlenc#sha256"
synchronizeAttributes=["givenname\=profile/givenName","surname\=profile/familyName","emailaddress\=profile/email"]
clockTolerance=I"60"
groupMembershipAttribute="groups"
idpUrl="https://login.microsoftonline.com/abc-def-xyz/saml2"
logoutUrl="https://login.microsoftonline.com/abc-def-xyz/wsfederation?wa=wsignout1.0"
serviceProviderEntityId="ijk-lnmop-adobe-dev"
handleLogout=B"true"
userIntermediatePath=""
spPrivateKeyAlias=""
useEncryption=B"false"
nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
Views
Replies
Total Likes
RE : com.adobe.granite.auth.saml.util.SamlReader Signature verification failed for
Either the Assertion or the Signature is missing from the SAMLRequest/SAMLResponse
Capture a HAR containing the entire network trace of the logout and base-64 decrypt the POST data to understand what is messed up.
Views
Like
Replies