How to make SAML Authentication Handler handle logout? | Community
October 16, 2015
Solved

How to make SAML Authentication Handler handle logout?

Hi,

We're using the SAML Authentication Handler in AEM6 SP2 and this is working fine for logging in.  We've also checked the "Handle Logout" option and filled in the "Logout URL" of our IdP. However, when we call /system/sling/logout.html there does not seem to be a call to the IdP to the logout URL.  So I have a few questions about this:

  1. Is it correct to do a HTTP GET request to /system/sling/logout.html to initiate the SAML logout flow?  Or is there another URL that should be used for this?
  2. Is it correct that the actual SAML logout request is supposed to happen in the user's browser?  Or is this done server-side by AEM (AEM calling IdP directly)?
  3. Is there some logging available in AEM somewhere to debug this SAML flow?  It would be good if we could see in a debug log whether the SAML Authentication Handler is actually trying to handle the logout or not...

Many thanks,
Jan

8 replies

kautuk_sahni
Community Manager
October 16, 2015

Hi jdelannoy

Please go through the following article covering both local and global logout process.

Link: http://docs.spring.io/spring-security-saml/docs/current/reference/html/configuration-sso.html

I hope this would help you in answering your questions partially.

Thanks and Regards

Kautuk Sahni
jdela (Author)
October 16, 2015

Hi Kautuk,

I've tried the URLs mentioned in the article (/<context>/saml/logout and /j_logout) but none of them work.  Note that we're not using Spring here, we're just trying to use the AEM out-of-the-box SAML Authentication Handler which should support SAML Logout.  Any suggestions for the 3 questions mentioned above?

Thanks,
Jan

smacdonald2008
Level 10
October 16, 2015

Here is a community article on AEM/SAML.

https://helpx.adobe.com/experience-manager/kb/saml-demo.html

Also, please open a ticket for this use case. There is missing documentation in core AEM docs. You can open a ticket here:

https://helpx.adobe.com/marketing-cloud/contact-support.html

Gunalan_V
Level 3
May 14, 2018

Hello,

Were you able to resolve this issue? We are having the same problem and would like to know if you can share me the details for the fix.

Thanks,

GVK

jdela (Author), Accepted solution
May 14, 2018

Yes!  Apparently you need to add a request parameter "resource" to the logout URL with the path of the page you're trying to log out from.  When the path falls under the configured path of the SAML Authentication Handler, then the SAML Logout URL will be called by AEM.  So, for example, if you have a SAML Authentication Handler configured with path=/content/samltest and if you then call /system/sling/logout.html?resource=/content/samltest/doesntmatter then AEM will see that /content/samltest/doesntmatter falls under /content/samltest and so it will call the SAML Logout URL configured for this.  This way AEM actually supports having different sites use different SAML configurations.  If you don't provide the resource request parameter then AEM will search for a SAML authentication handler configured for /.

Regards,

Jan
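To make the path matching from this answer concrete, here is an added Python model (not AEM's code; the handler paths and IdP URLs are constructed placeholders) that builds the logout URL with the resource parameter and shows which configured handler would be selected, including the fallback to a handler configured for / when the parameter is absent.

```python
from urllib.parse import urlencode

# Constructed example configuration: SAML handler path -> IdP logout URL.
# Placeholders for illustration, not taken from any real deployment.
SAML_HANDLERS = {
    "/content/samltest": "https://idp.example.test/saml/slo",
    "/content/othersite": "https://idp2.example.test/logout",
}

LOGOUT_ENDPOINT = "/system/sling/logout.html"


def build_logout_url(resource: str) -> str:
    """Build the Sling logout URL carrying the `resource` parameter for the
    page being logged out from. Only repository paths are accepted, so an
    absolute URL cannot be smuggled in as the resource."""
    if not resource.startswith("/"):
        raise ValueError("resource must be a repository path starting with '/'")
    return f"{LOGOUT_ENDPOINT}?{urlencode({'resource': resource})}"


def _under(path: str, prefix: str) -> bool:
    """True if `path` equals `prefix` or is nested below it, checked per
    path segment so that /content/samltestX does not match /content/samltest."""
    if prefix == "/":
        return path.startswith("/")
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def select_logout_url(handlers, resource=None):
    """Model of the selection described in the thread: the handler whose
    configured path covers `resource` is used; without a resource parameter
    only a handler configured for "/" applies. Preferring the most specific
    (longest) path when configured paths nest is an assumption."""
    path = resource if resource else "/"
    candidates = [p for p in handlers if _under(path, p)]
    if not candidates:
        return None  # no SAML handler covers this path: no IdP logout call
    return handlers[max(candidates, key=len)]
```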

Level 2
December 16, 2021

Is there any documentation on the solution? If you could advise how you have added the resource parameter, it would benefit most of us.

akhoury
Adobe Employee
May 14, 2018

Hi Jan,

If the "authentication-service" user doesn't have a keystore defined on it (even if you are not using encryption) then the SAML handler will skip logout.  To check if this is the case, do the following:

  1. Go to http://aem-host:port/libs/granite/security/content/useradmin.html.
  2. Click on the authentication-service user.
  3. Under Account Settings, click Create KeyStore and create an empty keystore (if it already says Manage KeyStore, then this isn't the cause of the issue).

If that doesn't fix the issue then:

  1. Go to http://aem-host:port/system/console/slinglog.
  2. Click Add New Logger.
    • Log File: logs/saml.log
    • Loggers:
      • org.apache.sling.auth
      • com.adobe.granite.auth.saml
  3. Test logout again and see if there are any log messages during logout that show what the cause is.

Thanks,

Andrew

Gunalan_V
Level 3
May 14, 2018

Thanks for the response Jan!

I'm looking for this scenario in Author. Mostly authors will log out from DAM or Sites, where the logout will be invoked by clicking on the user (top right) icon.

In this case, do we need to do any customization by overlaying the components so that the URL will be updated with the resource query param?

Thanks,

GVK!

jdela (Author)
May 22, 2018

Hi Gunalan,

If you just want to use SAML for the Author then everything should just work out of the box, since the SAML path will be /.

Regards,

Jan

Level 2
December 28, 2021

Well, it isn't working as it should, is it? When we say it should work out of the box, it should work for any path we configure, as it is not hardcoded. When the path is configurable out of the box, the logout should also work for the path we configure.


Again, configuring / doesn't really make sense, as it makes admin pages not accessible via IP address.


Such trivial issues for a common use case are probably unexpected from such a serious commercial product.