SOLVED

How to handle in AEM (Publish instances, CUG) using OOTB SAML Handler logout request from IDP


Level 2

I have a scenario with 2 sites, site1.company.com and site2.company.com, on AEM; both of them have protected pages (CUGs), and both are integrated with the same IDP using the SAML Authentication Handler. The SAML Authentication Handler is also set to handle logout.
When a user logs in to one of the sites, they will also be automatically authenticated when accessing a protected page on the second one. When a user logs out from one site, they should also be logged out from the IDP and from the second site.


The question is connected to the Single Logout mechanism. When the user logs out from one site, it triggers the SAML Handler, and the handler uses the logout URL of the IDP to log the user out from the IDP as well. This logout triggers the IDP to send a SAML Logout Request to the second site to log out.


Questions:
To what URL on AEM should I send the SAML Logout Request to handle this logout on the second site on AEM? Is it /system/sling/logout?resource=resource_used_to_log_in?
What type of Binding is supported by the SAML Handler when sending a SAML Logout Request?
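The SP-side handling the question describes for the second site (receive the IDP's LogoutRequest, verify it is really meant for this site, then drop only the matching local session), as an added Python illustration that is not AEM's code and not part of this thread; the SLO endpoint, IdP entity ID, session store and SAML message are constructed assumptions, and signature verification is assumed to have been done by the SAML library before these checks run.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed values for site2 (hypothetical; the page does not give AEM's real SLO endpoint).
IDP_ENTITY_ID = "https://idp.example.com/metadata"
SLO_ENDPOINT = "https://site2.company.com/saml/slo"
SAMPLE_NOW = datetime(2024, 1, 1, 12, 1)   # naive UTC, one minute after the request was issued
# Constructed sample of what the IdP sends to site2 once the user has logged out of site1.
SAMPLE_LOGOUT_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"
    Destination="https://site2.company.com/saml/slo">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:NameID>user-42</saml:NameID>
  <samlp:SessionIndex>_sess-abc</samlp:SessionIndex>
</samlp:LogoutRequest>"""
# Constructed session store: login cookie value -> (NameID, IdP SessionIndex) it was issued for.
SAMPLE_SESSIONS = {"login-token-1": ("user-42", "_sess-abc"),   # the session this logout targets
                   "login-token-2": ("user-42", "_sess-old")}   # same user, a different IdP session

def validate_logout_request(xml_text, expected_issuer, expected_destination, now):
    """Logical checks on a LogoutRequest whose signature is assumed already verified; returns (NameID, SessionIndex)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}LogoutRequest" or root.get("Version") != "2.0":
        raise ValueError("not a SAML 2.0 LogoutRequest")
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        raise ValueError("issuer is not the configured IdP")
    dest = root.get("Destination")   # optional in SAML, but must name this endpoint when present
    if dest is not None and dest != expected_destination:
        raise ValueError("Destination does not match this SP's SLO endpoint")
    expiry = root.get("NotOnOrAfter")
    if expiry is not None and now >= datetime.strptime(expiry, "%Y-%m-%dT%H:%M:%SZ"):
        raise ValueError("request expired")
    name_id = root.findtext("saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("missing NameID")
    return name_id, root.findtext("samlp:SessionIndex", namespaces=NS)

def handle_logout_request(xml_text, sessions, now):
    """Terminates only the local sessions tied to the logged-out IdP session; returns (count, rejection_reason)."""
    try:
        name_id, session_index = validate_logout_request(xml_text, IDP_ENTITY_ID, SLO_ENDPOINT, now)
    except ValueError as exc:
        return 0, str(exc)   # worth logging: an unexpected issuer or destination is suspicious
    doomed = [tok for tok, (nid, sidx) in sessions.items()
              if nid == name_id and (session_index is None or sidx == session_index)]
    for tok in doomed:
        del sessions[tok]   # the equivalent of invalidating that browser's "login-token" cookie
    return len(doomed), None
```

A rejected request leaves every local session in place, so a LogoutRequest addressed to site1 or issued by anything other than the configured IdP cannot be used to log users out of site2.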

4 Replies


Community Advisor

Hi @mtobiasz
Maybe you can use another user group to protect your site, and based on the users' access you can disallow the users from other sites.

You can configure custom logout URLs to manage logout only for a site.

Arun Patidar


Level 2

Hi @arunpatidar 

Unfortunately, it doesn't answer my question regarding SAML integration using the AEM SAML Authentication Handler.
If the SAML Authentication Handler is used for integration with the IDP, then I would also assume that it should be able to handle the SAML Logout Response triggered by the IDP, especially since the SAML Authentication Handler is responsible for logging out the user and clearing the "login-token" cookie from the browser.
I would like to know if AEM provides such a mechanism or if it is something that I should handle myself.


Correct answer by
Community Advisor

Hi

AEM provides a mechanism to log out from AEM; please check

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/how-to-make-saml-authentic... 

Arun Patidar


Administrator

@mtobiasz Did you find the suggestions from users helpful? Please let us know if more information is required. Otherwise, please mark the answer as correct for posterity. If you have found the solution yourself, please share it with the community.

Kautuk Sahni