Expand my Community achievements bar.

Learn about Edge Delivery Services in upcoming GEM session
Register!
SOLVED

Initiate SAML logout request at IDP on session timeout on AEM.

Avatar

Level 1
Level 1
6/19/17 8:04:30 PM

Hi

I have to logout a user from both AEM application and SAML identity provider after session timeout on AEM. I am using "Apache Jackrabbit Oak TokenConfiguration" to set the time for session time out. But after the session time out occurs at AEM the login request is being initiated from AEM instead of logout request.

How do I achieve this?

Views

3.6K

Replies

5
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Administrator
Administrator
6/22/17 12:57:41 AM

Did you check this post :- Re: AEM SAML integration - logout doesn't go to IDP logout URL ?

What happens here is that when the logout happens if we configure root path ("/") it works because the /system/sling/logout servlet redirects the response to "/" after logout, which is then handled by the SAML Auth Handler.

However when the SAML Auth Handler is not configured with "/", then it will no longer get invoked because the /system/sling/logout servlet still redirects the response to "/" and SAML is not invoked.

Solution :- AuthUtil.setLoginResourceAttribute(request, "/path-configured-in-saml-config").

OR

Create an overlay for the JSP at :

/libs/cq/core/components/login/logout.jsp

In this JSP change the line below:

window.location.href = "<%= request.getContextPath() %>/system/sling/logout.html;

to

window.location.href = "<%= request.getContextPath() %>/system/sling/logout.html?resource=<the path you configured in the SAML config handler>";

This should convince the method at : https://svn.apache.org/repos/asf/sling/tags/org.apache.sling.auth.core-1.0.6/src/main/java/org/apach..., to set the resource path instead of setting the value to "/"

// find the redirect target from the resource attribute or parameter

// falling back to the reuest context path (or /) if not set

String target = AbstractAuthenticationHandler.getLoginResource(request,

request.getContextPath());

if (target.length() == 0) {

target = "/";

}

~kautuk



Kautuk Sahni

View solution in original post

Views

2.2K

Replies

1
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
5 Replies

Avatar

Correct answer by
Administrator
Administrator
6/22/17 12:57:41 AM

Did you check this post :- Re: AEM SAML integration - logout doesn't go to IDP logout URL ?

What happens here is that when the logout happens if we configure root path ("/") it works because the /system/sling/logout servlet redirects the response to "/" after logout, which is then handled by the SAML Auth Handler.

However when the SAML Auth Handler is not configured with "/", then it will no longer get invoked because the /system/sling/logout servlet still redirects the response to "/" and SAML is not invoked.

Solution :- AuthUtil.setLoginResourceAttribute(request, "/path-configured-in-saml-config").

OR

Create an overlay for the JSP at :

/libs/cq/core/components/login/logout.jsp

In this JSP change the line below:

window.location.href = "<%= request.getContextPath() %>/system/sling/logout.html;

to

window.location.href = "<%= request.getContextPath() %>/system/sling/logout.html?resource=<the path you configured in the SAML config handler>";

This should convince the method at : https://svn.apache.org/repos/asf/sling/tags/org.apache.sling.auth.core-1.0.6/src/main/java/org/apach..., to set the resource path instead of setting the value to "/"

// find the redirect target from the resource attribute or parameter

// falling back to the reuest context path (or /) if not set

String target = AbstractAuthenticationHandler.getLoginResource(request,

request.getContextPath());

if (target.length() == 0) {

target = "/";

}

~kautuk



Kautuk Sahni

Views

2.2K

Replies

1
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply

Avatar

Level 2
Level 2
5/12/21 3:13:35 AM
In response to kautuk_sahni

HI ,

I have configured logout on aem and it is successfully logging out user from aem & Okta , but after logout on Okta, okta submits a SAML Logout response to SingleLogoutService .

This service URL I gave as /content/test/utils/secure/saml_logout , but when response is posted to this endpoint from okta,  it get 500 errror in AEM as below -

 

org.apache.sling.api.resource.PersistenceException: Resource at '/content/test/utils/secure/saml_logout' is not modifiable

Please can you let me know what should be the SingleLogoutService url in AEM to receive OKTA logout response ?

 

Thanks!

Views

1.4K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 1
Level 1
6/27/17 10:16:34 AM

Thanks for your response Kautuk, appreciate your help.

Views

2.1K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 2
Level 2
9/24/19 3:47:15 PM

Hi kautuk sahni

I am trying to setup SAML config on AEM 6.4 SP2 instance and logout functionality is not working for us. Can you please help me with the changes that needs to be done to make it work.

I am not able to find "/libs/cq/core/components/login/logout.jsp" in AEM 6.4 instance.

Thanks,

Pradeep

Views

2.3K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 2
Level 2
5/12/21 3:21:04 AM

HI ,

I have configured logout on aem and it is successfully logging out user from aem & Okta , but after logout on Okta, okta submits a SAML Logout response to SingleLogoutService .

This service URL I gave as /content/test/utils/secure/saml_logout , but when response is posted to this endpoint from okta,  it get 500 errror in AEM as below -

 

org.apache.sling.api.resource.PersistenceException: Resource at '/content/test/utils/secure/saml_logout' is not modifiable

Please can you let me know what should be the SingleLogoutService url in AEM to receive OKTA logout response ?

 

Thanks!

Views

1.4K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate