Expand my Community achievements bar.

SOLVED

LOGOUT FUNCTION DOES NOT INVALIDATE TOKEN

Avatar

Level 4

Hi All,

We are facing an issue with the login-token, where the old or previous login-token are working for the new login on the same day.

1.Log in as testuser@gmail.com.
2.
Take note of the login-token session cookie.
3.
Log out.
4.Logged in again and changed the login-token with the old token which i got from step 2. All pages are still coming. But the original flow should redirect the page to login page

As checked in my AEM local instance, after changing the login-token to the previous one, the session is getting logout and redirecting to login page. But i cannot able to reproduce the redirect flow in our higher environments. 

So i am suspecting it may be changes required from dispatcher side.

Can anyone please suggest what i need to do for the above scenario to work perfectly.

 

 

Thanks & Regards,

Bhavani Bharanidharan

 

1 Accepted Solution

Avatar

Correct answer by
Community Advisor

@BhavaniBharani - Ensure these 2 properties are populated correctly where logoutUrl should be provided by your IdP to invalidate the session.

Jineet_Vora_0-1711027967585.png


You can also refer to this doc here - https://aemblogger.medium.com/saml-2-0-authentication-in-aem-using-microsoft-azure-active-directory-...

View solution in original post

6 Replies

Avatar

Community Advisor

@BhavaniBharani - If I understand this correctly then the issue could be that the SAML authentication handler may not be logging out (invalidating) the requests. Please ensure that 'handleLogout' and 'logoutUrl' is specified in your AEM SAML authentication handler - <AEM_HOST>/system/console/configMgr/com.adobe.granite.auth.saml.SamlAuthenticationHandler

For reference: https://aemblogger.medium.com/saml-2-0-authentication-in-aem-using-microsoft-azure-active-directory-...

Avatar

Level 4

Hi @Jineet_Vora ,

Thanks for your response first. I can able to see the logout url by debugging the code.

but can you please specify what the handleLogout means here?

 

Regards,

Bhavani Bharanidharan

Avatar

Correct answer by
Community Advisor

@BhavaniBharani - Ensure these 2 properties are populated correctly where logoutUrl should be provided by your IdP to invalidate the session.

Jineet_Vora_0-1711027967585.png


You can also refer to this doc here - https://aemblogger.medium.com/saml-2-0-authentication-in-aem-using-microsoft-azure-active-directory-...

Avatar

Community Advisor

@BhavaniBharani - This is in assumption that you are using AEM's OOTB SAML authentication handler.

Avatar

Community Advisor

@BhavaniBharani , Did you find the suggestions from users helpful? Please let us know if more information is required. Otherwise, please mark the answer as correct for posterity. If you have found out solution yourself, please share it with the community.

Avatar

Level 4

Hi @MayurSatav ,

I m still facing the issue. if anyone knows how to invalidate login-token on the server side once the logout button is clicked. I tried session.invalidate() in my logout servlet, but this didn't helped.

 

 

Ragards,

Bhavani Bharanidharan