SOLVED

How to make SAML Authentication Handler handle logout?


Level 2

Hi,

We're using the SAML Authentication Handler in AEM6 SP2 and this is working fine for logging in.  We've also checked the "Handle Logout" option and filled in the "Logout URL" of our IdP. However, when we call /system/sling/logout.html there does not seem to be a call to the IdP to the logout URL.  So I have a few questions about this:

  1. Is it correct to do a HTTP GET request to /system/sling/logout.html to initiate the SAML logout flow?  Or is there another URL that should be used for this?
  2. Is it correct that the actual SAML logout request is supposed to happen in the user's browser?  Or is this done server-side by AEM (AEM calling IdP directly)?
  3. Is there some logging available in AEM somewhere to debug this SAML flow?  It would be good if we could see in a debug log whether the SAML Authentication Handler is actually trying to handle the logout or not...

Many thanks,
Jan

1 Accepted Solution


Correct answer by
Level 2

Yes! Apparently you need to add a request parameter "resource" to the logout URL with the path of the page you're trying to log out from. When the path falls under the configured path of the SAML Authentication Handler, then the SAML Logout URL will be called by AEM. So, for example, if you have a SAML Authentication Handler configured with path=/content/samltest and if you then call /system/sling/logout.html?resource=/content/samltest/doesntmatter then AEM will see that /content/samltest/doesntmatter falls under /content/samltest and so it will call the SAML Logout URL configured for this. This way AEM actually supports having different sites use different SAML configurations. If you don't provide the resource request parameter then AEM will search for a SAML authentication handler configured for /.

Regards,

Jan
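As an added illustration (not AEM's code and not part of this thread), the following Python models the matching rule the accepted answer describes: the handler whose configured path is the longest prefix of the `resource` parameter, on a path-segment boundary, with a fallback to the handler configured for `/` when the parameter is absent. The handler paths and IdP logout URLs are constructed placeholders.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample: SAML Authentication Handler configs keyed by their "path"
# setting, each mapped to its IdP "Logout URL" (placeholder hosts, not real IdPs).
HANDLERS = {
    "/": "https://idp.example.test/saml/logout-global",
    "/content/samltest": "https://idp.example.test/saml/logout-samltest",
}


def path_is_under(resource, base):
    """True if resource equals base or lies below it on a segment boundary.

    /content/samltest2/page must NOT count as under /content/samltest, which a
    naive startswith() check would get wrong.
    """
    if base == "/":
        return resource.startswith("/")
    return resource == base or resource.startswith(base.rstrip("/") + "/")


def select_logout_url(handlers, resource=None):
    """Resolve the IdP logout URL for a logout request (model of the answer's rule).

    No resource parameter means the lookup falls back to "/"; the most specific
    (longest) configured path wins. Returns None when no handler path covers the
    resource, i.e. no SAML logout call would be made.
    """
    if not resource:
        resource = "/"
    matches = [p for p in handlers if path_is_under(resource, p)]
    if not matches:
        return None
    return handlers[max(matches, key=len)]


def build_logout_url(resource):
    """Build the logout URL the answer recommends, with the path URL-encoded."""
    return "/system/sling/logout.html?" + urlencode({"resource": resource})


def resolve_from_logout_request(handlers, request_url):
    """Parse a logout request URL and resolve which IdP logout URL applies."""
    query = parse_qs(urlsplit(request_url).query)
    resource = query.get("resource", [None])[0]
    return select_logout_url(handlers, resource)
```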


12 Replies


Administrator

Hi jdelannoy,

Please go through the following article covering both local and global logout process.

Link: http://docs.spring.io/spring-security-saml/docs/current/reference/html/configuration-sso.html

I hope this would help you in answering your questions partially.

Thanks and Regards,

Kautuk Sahni



Level 2

Hi Kautuk,

I've tried the URLs mentioned in the article (/<context>/saml/logout and /j_logout) but none of them work. Note that we're not using Spring here; we're just trying to use the AEM out-of-the-box SAML Authentication Handler, which should support SAML Logout. Any suggestions for the 3 questions mentioned above?

Thanks,
Jan


Level 10

Here is a community article on AEM/SAML.

https://helpx.adobe.com/experience-manager/kb/saml-demo.html

Also, please open a ticket for this use case. There is missing documentation in core AEM docs. You can open a ticket here:

https://helpx.adobe.com/marketing-cloud/contact-support.html


Level 3

Hello,

Were you able to resolve this issue? We are having the same problem and would like to know if you can share the details of the fix with me.

Thanks,

GVK



Level 2

Is there any documentation on the solution? If you could advise how you added the resource parameter, it would benefit most of us.


Level 1

I tried to configure this, but after clicking on the logout URL it is not redirecting to the logout URL. I am using OOTB SAML authentication for a 6.5+ publish instance and login is working fine. Am I missing some configuration?


Level 1

For documentation purposes:

You get this error if the URL /system/sling/logout is not whitelisted in the dispatcher.


Employee

Hi Jan,

If the "authentication-service" user doesn't have a keystore defined on it (even if you are not using encryption), then the SAML handler will skip logout. To check if this is the case, do the following:

  1. Go to http://aem-host:port/libs/granite/security/content/useradmin.html.
  2. Click on the authentication-service user.
  3. Under Account Settings click Create KeyStore and create an empty keystore (if it already says Manage KeyStore, then this isn't the cause of the issue).

If that doesn't fix the issue then:

  1. Go to http://aem-host:port/system/console/slinglog.
  2. Click Add New Logger.
    • Log File: logs/saml.log
    • Loggers:
      • org.apache.sling.auth
      • com.adobe.granite.auth.saml
  3. Test logout again and see if there are any log messages during logout that show what the cause is.

Thanks,

Andrew


Level 3

Thanks for the response, Jan!

I'm looking for this scenario in Author. Mostly authors will log out from DAM or Sites, where the logout is invoked by clicking on the user icon (top right).

In this case, do we need to do any customization by overlaying the components so that the URL is updated with the resource query parameter?

Thanks,

GVK!


Level 2

Hi Gunalan,

If you just want to use SAML for the Author then everything should just work out of the box, since the SAML path will be /.

Regards,

Jan


Level 2

Well, it isn't working as it should, is it? When we say it should work out of the box, it should work for any path we configure, as it is not hardcoded. When the path is configurable out of the box, the logout should also work for the path we configure.

Again, configuring / doesn't really make sense, as it makes admin pages not accessible with the IP address.

Such trivial issues for a common use case are probably unexpected from such a serious commercial product.