Hi,
We're using the SAML Authentication Handler in AEM6 SP2 and this is working fine for logging in. We've also checked the "Handle Logout" option and filled in the "Logout URL" of our IdP. However, when we call /system/sling/logout.html there does not seem to be a call to the IdP to the logout URL. So I have a few questions about this:
Many thanks,
Jan
Hi jdelannoy,
Please go through the following article covering both local and global logout process.
Link:- http://docs.spring.io/spring-security-saml/docs/current/reference/html/configuration-sso.html
I hope this would help you in answering your questions partially.
Thanks and regards,
Kautuk Sahni
Hi Kautuk,
I've tried the URLs mentioned in the article (/<context>/saml/logout and /j_logout) but none of them work. Note that we're not using Spring here, we're just trying to use the AEM out-of-the-box SAML Authentication Handler which should support SAML Logout. Any suggestions for the 3 questions mentioned above?
Thanks,
Jan
Here is a community article on AEM/SAML.
https://helpx.adobe.com/experience-manager/kb/saml-demo.html
Also - please open a ticket for this use case. There is missing documentation in core AEM docs. You can open a ticket here:
https://helpx.adobe.com/marketing-cloud/contact-support.html
Hello,
Were you able to resolve this issue? We are having the same problem and would like to know if you can share the details of the fix with me.
Thanks,
GVK
Yes! Apparently you need to add a request parameter "resource" to the logout URL with the path of the page you're trying to log out from. When the path falls under the configured path of the SAML Authentication Handler, then the SAML Logout URL will be called by AEM. So, for example, if you have a SAML Authentication Handler configured with path=/content/samltest and if you then call /system/sling/logout.html?resource=/content/samltest/doesntmatter then AEM will see that /content/samltest/doesntmatter falls under /content/samltest and so it will call the SAML Logout URL configured for this. This way AEM actually supports having different sites use different SAML configurations. If you don't provide the resource request parameter then AEM will search for a SAML authentication handler configured for /.
Regards,
Jan
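The handler selection that the reply above describes, modelled as an added example (this is not AEM's own code and not from the thread); the handler list, the IdP URLs and the path-segment-boundary matching are assumptions:

```javascript
// Added example (not AEM's code): a model of how the accepted answer
// describes AEM choosing a SAML Authentication Handler at logout time,
// plus a helper that builds the logout link with the "resource" parameter.
// Assumptions: handlers are matched on a path-segment boundary (so
// "/content/samltest" does not claim "/content/samltest2"), the most
// specific matching path wins, and a missing "resource" falls back to "/".

// Constructed sample configuration, one entry per SAML handler instance.
const handlers = [
  { path: "/", logoutUrl: "https://idp.example.com/global/slo" },
  { path: "/content/samltest", logoutUrl: "https://idp.example.com/samltest/slo" },
  { path: "/content/other", logoutUrl: "https://idp2.example.com/slo" },
];

// True if `resource` equals `base` or lies beneath it on a segment boundary.
function pathFallsUnder(resource, base) {
  if (base === "/") return resource.startsWith("/");
  return resource === base || resource.startsWith(base + "/");
}

// Picks the handler whose configured path most specifically covers the
// resource; with no resource parameter, the lookup is done for "/".
// Returns null when no configured handler covers the path at all.
function resolveLogoutUrl(handlerList, resource) {
  const target = resource || "/";
  const match = handlerList
    .filter((h) => pathFallsUnder(target, h.path))
    .sort((a, b) => b.path.length - a.path.length)[0];
  return match ? match.logoutUrl : null;
}

// Builds the link a page should send users to, carrying its own path so
// the matching handler can be selected. Query string and fragment are
// dropped and the path is URL-encoded, so odd page paths cannot break
// or smuggle extra parameters into the logout request.
function buildLogoutUrl(pagePath) {
  const clean = pagePath.split(/[?#]/)[0];
  return "/system/sling/logout.html?resource=" + encodeURIComponent(clean);
}

// Stand-alone demonstration.
console.log(buildLogoutUrl("/content/samltest/doesntmatter.html?x=1"));
console.log(resolveLogoutUrl(handlers, "/content/samltest/doesntmatter"));
console.log(resolveLogoutUrl(handlers, undefined));
```

The `resource` value only selects among handlers that are already configured; in this model it never becomes a redirect target itself.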
Is there any documentation on the solution? If you could advise how you have added the resource parameter, it would benefit most of us.
I tried to configure this, but after clicking on the logout URL it is not redirecting to the logout URL. I am using the OOTB SAML authentication on a 6.5+ publish instance and login is working fine. Am I missing some configuration?
For documentation purposes:
You get this error if the URL /system/sling/logout is not whitelisted in the dispatcher.
Hi Jan,
If the "authentication-service" user doesn't have a keystore defined on it (even if you are not using encryption) then the SAML handler will skip logout. To check if this is the case, do the following:
If that doesn't fix the issue then:
Thanks,
Andrew
Thanks for the response Jan!
I'm looking for this scenario in Author. Mostly, authors will log out from DAM or Sites, where the logout is invoked by clicking on the user icon (top right).
In this case, do we need to do any customization by overlaying the components so that the URL is updated with the resource query parameter?
Thanks,
GVK!
Hi Gunalan,
If you just want to use SAML for the Author then everything should just work out of the box, since the SAML path will be /.
Regards,
Jan
Well, it isn't working as it should, is it? When we say it should work out of the box, it should work for any path we configure, as it is not hardcoded. When the path is configurable out of the box, the logout should also work for the path we configure.
Again, configuring / doesn't really make sense, as it makes admin pages not accessible via IP address.
Such trivial issues for a common use case are probably unexpected from such a serious commercial product.