How to handle in AEM (Publish instances, CUG) using OOTB SAML Handler logout request from IDP | Community
February 27, 2024
Solved

How to handle in AEM (Publish instances, CUG) using OOTB SAML Handler logout request from IDP

  • 2 replies
  • 801 views

I have the scenario that I have 2 sites, site1.company.com and site2.company.com, on AEM; both of them have protected pages (CUGs), and both of them are integrated with the same IDP using the SAML Authentication Handler. The SAML Authentication Handler is also set to handle logout.
When a user logs in to one of the sites, they will also be automatically authenticated when accessing the protected page on the second one. When a user logs out from one site, they should also be logged out from the IDP and from the second site.


The question is connected to the Single Logout mechanism. When the user logs out from one site, it triggers the SAML Handler, and the handler uses the logout URL of the IDP to log the user out from the IDP as well. This logout triggers the IDP to send a SAML Logout Request to the second site to log out.


Questions:
To what URL on AEM should I send the SAML Logout Request to handle this logout on the second site on AEM? Is it /system/sling/logout?resource=resource_used_to_log_in?
What type of Binding is supported by the SAML Handler when sending a SAML Logout Request?
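The thread leaves the AEM-specific endpoint and binding unanswered, so the following is an added example (not code from this post, from AEM or from Adobe's SAML Authentication Handler) of what the second site, as a SAML 2.0 service provider, has to do with the IDP-initiated Logout Request described above, whichever URL it arrives on. It shows the two standard bindings such a request travels in (HTTP-Redirect: DEFLATE + base64 in the query string; HTTP-POST: plain base64 in a form field), the checks an SP makes before ending the local session (issuer, Destination, NotOnOrAfter), the removal of the session the request names, and the Logout Response sent back. All entity IDs, URLs, session identifiers and message contents are constructed for this example; signature verification is deliberately omitted and is noted in the code as something a real SP must add.

```python
"""Added example: generic SAML 2.0 single-logout handling on the SP side.
Not from the AEM community thread or Adobe's SAML handler; all values are
constructed. Standard library only."""
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlencode, parse_qs

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical, constructed identifiers (not from the thread or AEM).
IDP_ENTITY_ID = "https://idp.example.com/saml"
IDP_SLO_URL = "https://idp.example.com/saml/slo"
SP_ENTITY_ID = "https://site2.example.com"
SP_SLO_URL = "https://site2.example.com/saml_logout"  # assumed SP logout endpoint

# Constructed sample LogoutRequest as the IDP would send it to "site2".
SAMPLE_LOGOUT_REQUEST = (
    f'<samlp:LogoutRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
    f'ID="_req123" Version="2.0" IssueInstant="2024-02-27T10:00:00Z" '
    f'Destination="{SP_SLO_URL}" NotOnOrAfter="2024-02-27T10:05:00Z">'
    f"<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>"
    '<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user-42</saml:NameID>'
    "<samlp:SessionIndex>_sess_abc</samlp:SessionIndex>"
    "</samlp:LogoutRequest>"
)
VALID_NOW = datetime(2024, 2, 27, 10, 1, tzinfo=timezone.utc)
EXPIRED_NOW = datetime(2024, 2, 27, 10, 6, tzinfo=timezone.utc)


def encode_redirect(xml_str: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encoded
    query string. A real IDP also appends SigAlg and Signature parameters."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_str.encode("utf-8")) + comp.flush()
    return urlencode({"SAMLRequest": base64.b64encode(deflated).decode("ascii")})


def decode_redirect(query: str) -> str:
    data = parse_qs(query, strict_parsing=True)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(data), -15).decode("utf-8")


def encode_post(xml_str: str) -> str:
    """HTTP-POST binding: base64 of the plain XML in a form field, no
    compression; a signature, if present, is an XML-DSig element inside it."""
    return base64.b64encode(xml_str.encode("utf-8")).decode("ascii")


def decode_post(field: str) -> str:
    return base64.b64decode(field).decode("utf-8")


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_logout_request(xml_str: str, now: datetime,
                            expected_issuer: str = IDP_ENTITY_ID,
                            sp_slo_url: str = SP_SLO_URL) -> dict:
    """Checks an SP makes before ending any local session; returns the
    identifiers of the session to terminate. Signature verification (needs the
    IDP certificate) is omitted here; without it anyone could log users out."""
    root = ET.fromstring(xml_str)
    if root.tag != f"{{{NS['samlp']}}}LogoutRequest":
        raise ValueError("not a LogoutRequest")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        raise ValueError(f"unexpected issuer {issuer!r}")
    destination = root.get("Destination")
    if destination is not None and destination != sp_slo_url:
        raise ValueError(f"request not addressed to this SP: {destination!r}")
    not_on_or_after = root.get("NotOnOrAfter")
    if not_on_or_after is not None and now >= _ts(not_on_or_after):
        raise ValueError("logout request expired")
    return {
        "request_id": root.get("ID"),
        "name_id": root.findtext("saml:NameID", namespaces=NS),
        "session_index": root.findtext("samlp:SessionIndex", namespaces=NS),
    }


def rejects(xml_str: str, now: datetime) -> bool:
    """True if validation refuses the request (used to show negative cases)."""
    try:
        validate_logout_request(xml_str, now)
    except ValueError:
        return True
    return False


def build_logout_response(in_response_to: str, now: datetime, status: str = SUCCESS) -> str:
    """LogoutResponse the SP returns to the IDP's SLO endpoint after clearing
    the local session (in AEM terms, the session behind the login-token cookie)."""
    return (
        f'<samlp:LogoutResponse xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="_resp{now.strftime("%Y%m%d%H%M%S")}" Version="2.0" '
        f'IssueInstant="{now.strftime("%Y-%m-%dT%H:%M:%SZ")}" '
        f'Destination="{IDP_SLO_URL}" InResponseTo="{in_response_to}">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
        f'<samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>'
        "</samlp:LogoutResponse>"
    )


def handle_idp_logout(query_string: str, now: datetime, local_sessions: dict) -> tuple:
    """End to end: decode (Redirect binding), validate, drop the named session,
    answer the IDP. `local_sessions` (session_index -> name_id) stands in for
    the SP's real session store."""
    info = validate_logout_request(decode_redirect(query_string), now)
    local_sessions.pop(info["session_index"], None)
    return info, build_logout_response(info["request_id"], now)


if __name__ == "__main__":
    sessions = {"_sess_abc": "user-42", "_sess_other": "user-7"}
    info, response = handle_idp_logout(encode_redirect(SAMPLE_LOGOUT_REQUEST), VALID_NOW, sessions)
    print("terminated:", info, "remaining sessions:", sessions)
    print(response)
```

The point for the scenario in the question: whatever URL on the second site receives the IDP's request, that endpoint must accept the binding the IDP is configured to use (decompress-then-parse for Redirect, plain base64 for POST), verify the signature, match the NameID/SessionIndex to its own session and only then clear it, and return a Logout Response to the IDP; a logout endpoint that skips the issuer, Destination and signature checks lets anyone who can reach it terminate other users' sessions.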


2 replies

arunpatidar
Community Advisor
February 27, 2024

Hi @mtobiasz
Maybe you can use another user group to protect your site, and based on users' access you can disallow the users from other sites.

You can configure custom logout URLs to manage logout only for a site.

Arun Patidar
mtobiasz (Author)
Level 2
February 27, 2024

Hi @arunpatidar

Unfortunately, it doesn't answer my question regarding SAML integration using the AEM SAML Authentication Handler.
If the SAML Authentication Handler is used for integration with the IDP, then I would also assume that it should be able to handle a SAML Logout Response triggered by the IDP, especially since the SAML Authentication Handler is responsible for logging out the user and clearing the "login-token" cookie from the browser.
I would like to know if AEM is providing such a mechanism or if it is something that I should handle myself.

arunpatidar
Community Advisor
Accepted solution
February 28, 2024
kautuk_sahni
Community Manager
February 28, 2024

@mtobiasz Did you find the suggestions from users helpful? Please let us know if more information is required. Otherwise, please mark the answer as correct for posterity. If you have found the solution yourself, please share it with the community.

Kautuk Sahni