Hi All,
We are facing an issue with the login-token, where the old or previous login-token is working for a new login on the same day.
1. Log in as testuser@gmail.com.
2. Take note of the login-token session cookie.
3. Log out.
4. Logged in again and changed the login-token to the old token which I got from step 2. All pages are still coming up. But the original flow should redirect the page to the login page.
As checked in my AEM local instance, after changing the login-token to the previous one, the session is logged out and redirected to the login page. But I am not able to reproduce the redirect flow in our higher environments.
So I suspect changes may be required on the dispatcher side.
Can anyone please suggest what I need to do for the above scenario to work perfectly?
Thanks & Regards,
Bhavani Bharanidharan
@BhavaniBharani - If I understand this correctly, then the issue could be that the SAML authentication handler may not be logging out (invalidating) the requests. Please ensure that 'handleLogout' and 'logoutUrl' are specified in your AEM SAML authentication handler - <AEM_HOST>/system/console/configMgr/com.adobe.granite.auth.saml.SamlAuthenticationHandler
For reference: https://aemblogger.medium.com/saml-2-0-authentication-in-aem-using-microsoft-azure-active-directory-...
Hi @Jineet_Vora ,
Thanks for your response first. I am able to see the logout URL by debugging the code.
But can you please specify what handleLogout means here?
Regards,
Bhavani Bharanidharan
@BhavaniBharani - Ensure these 2 properties are populated correctly where logoutUrl should be provided by your IdP to invalidate the session.
You can also refer to this doc here - https://aemblogger.medium.com/saml-2-0-authentication-in-aem-using-microsoft-azure-active-directory-...
@BhavaniBharani - This is on the assumption that you are using AEM's OOTB SAML authentication handler.
@BhavaniBharani, did you find the suggestions from users helpful? Please let us know if more information is required. Otherwise, please mark the answer as correct for posterity. If you have found a solution yourself, please share it with the community.
Hi @MayurSatav ,
I'm still facing the issue, if anyone knows how to invalidate the login-token on the server side once the logout button is clicked. I tried session.invalidate() in my logout servlet, but this didn't help.
Regards,
Bhavani Bharanidharan
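
Steps 1 to 4 of the original question can be turned into a repeatable check that a logged-out login-token is rejected. This is an added example, not code from the thread or from AEM; the stub server, its `/login`, `/logout` and `/login.html` paths, and the token values are constructed stand-ins so the check runs offline.

```python
import http.client
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

LOGIN_PATH = "/login.html"  # assumed login page path of the constructed stub

def make_stub(revoke_on_logout):
    """Constructed stand-in for the site; tokens live in an in-memory set."""
    valid = set()
    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args): pass  # keep the output quiet
        def do_GET(self):
            cookie = self.headers.get("Cookie", "")
            token = cookie.partition("login-token=")[2].split(";")[0]
            if self.path == "/login":            # issue a fresh token
                token = secrets.token_hex(8)
                valid.add(token)
                self.send_response(200)
                self.send_header("Set-Cookie", f"login-token={token}")
            elif self.path == "/logout":         # revoke server-side, or not
                if revoke_on_logout:
                    valid.discard(token)
                self.send_response(200)
            elif token in valid:                 # protected page, token accepted
                self.send_response(200)
            else:                                # unknown token: back to login
                self.send_response(302)
                self.send_header("Location", LOGIN_PATH)
            self.end_headers()
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def get(port, path, token=None):
    """GET without following redirects; returns (status, Set-Cookie, Location)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path, headers={"Cookie": f"login-token={token}"} if token else {})
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status, resp.getheader("Set-Cookie"), resp.getheader("Location")

def old_token_rejected(port):
    """Log in, note the token, log out, log in again, replay the old token."""
    old = get(port, "/login")[1].split("=", 1)[1]
    get(port, "/logout", old)
    get(port, "/login")
    status, _, location = get(port, "/content/page.html", old)
    return status in (401, 403) or (status == 302 and location == LOGIN_PATH)
```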