SOLVED

logout service in saml 2.0

Level 2

Hello,

I enabled SAML 2.0 authentication with the handle logout service in AEM. It works well for user authentication, but I found a sign-out problem. When I try to sign out from AEM, it redirects me to the logout URL page which I configured in the IdP; however, I don't think it is a real sign out, because when I close the browser and open a new browser, it doesn't require me to provide the username/password again, even though the IdP login page is displayed. It seems like the browser remembers my credentials in a cookie?

How can I resolve this problem? Do I need to write some code to handle this myself, or is there some code that can be reused in AEM, or does the IdP need to set a cookie expiry time? I want to have this function: once the user clicks sign out in AEM, AEM does the real sign out (removes the session or cookie?) so that the user needs to provide username/password for SAML authentication again. It seems like enabling SAML in AEM breaks the original OOTB sign-out function.

Owen Wang

7 Replies

Level 10

No need to write code; you just need to configure it. Before answering, let me know:

Which IdP are you using? Are you encrypting the assertion? Are you using SP2?

Level 2

Hi Sham

Glad to get your feedback.

We are using an existing ADFS which belongs to our client. No encrypted assertion. What's SP2, do you mean Service Pack 2? Has SP2 been released already?

Level 10

michaelowenwang wrote...

Hi Sham

Glad to get your feedback.

We are using an existing ADFS which belongs to our client. No encrypted assertion. What's SP2, do you mean Service Pack 2? Has SP2 been released already?

It's my pleasure, Michael. SP2 is GA now: http://docs.adobe.com/docs/en/aem/6-0/release-notes-sp2.html

Without encrypting the assertion you need to take the backend route. The steps are:

1) Configure the logout URL in the Felix console.

2) Modify the metadata file to have a SingleLogoutService Binding. In this binding, configure the location pointing to the logout URL of the IdP.
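A check for step 2), added here as an example and not code from the thread or from AEM: it parses a constructed IdP metadata document (placeholder entity ID and URLs, not a real ADFS deployment) and confirms that a SingleLogoutService binding exists and that its Location matches the logout URL configured in the Felix console. Any finding it returns is the kind of mismatch that leaves the IdP session alive after AEM has cleared its own cookie.

```python
"""Check SAML 2.0 metadata for a SingleLogoutService binding that matches the configured logout URL."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample IdP metadata; entity ID and endpoints are placeholders, not a real deployment.
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/adfs/ls/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def find_slo_endpoints(metadata_xml):
    """Return {binding: location} for every SingleLogoutService element in the metadata."""
    root = ET.fromstring(metadata_xml)
    endpoints = {}
    for slo in root.iter("{%s}SingleLogoutService" % MD_NS):
        endpoints[slo.get("Binding")] = slo.get("Location")
    return endpoints


def check_logout_config(metadata_xml, configured_logout_url):
    """Compare the logout URL configured in the AEM handler with the metadata's SLO endpoint.

    Returns a list of findings; an empty list means the two agree.
    """
    findings = []
    endpoints = find_slo_endpoints(metadata_xml)
    if not endpoints:
        findings.append("no SingleLogoutService element in metadata: the IdP is never asked to log out")
        return findings
    if BINDING_POST not in endpoints:
        # The thread describes AEM sending the logout as a SAML POST request to the IdP.
        findings.append("SingleLogoutService has no HTTP-POST binding for AEM's POST logout request")
    location = endpoints.get(BINDING_POST) or next(iter(endpoints.values()))
    if location.rstrip("/") != configured_logout_url.rstrip("/"):
        findings.append("configured logout URL %s does not match metadata SLO location %s"
                        % (configured_logout_url, location))
    return findings


if __name__ == "__main__":
    print(check_logout_config(SAMPLE_IDP_METADATA, "https://idp.example.test/adfs/ls"))
```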

Level 2

Hi Sham,

Thanks for your information. Is this fixed in SP2? SP1 still has this problem, right? I am not clear about 2).

Where should I modify the metadata file to have the SingleLogoutService Binding? It's configured on the IdP side, right?

Our client's ADFS has a logout URL provided for us, but it seems like ADFS doesn't remove/clear the session/cookie; AEM needs to do that, right?

Owen Wang

Level 10

michaelowenwang wrote...

Hi Sham,

Thanks for your information. Is this fixed in SP2? SP1 still has this problem, right? I am not clear about 2).

Where should I modify the metadata file to have the SingleLogoutService Binding? It's configured on the IdP side, right?

Our client's ADFS has a logout URL provided for us, but it seems like ADFS doesn't remove/clear the session/cookie; AEM needs to do that, right?

Owen Wang

While logging out, AEM used to decrypt an already decrypted SAML response, hence logout was failing. This is fixed in SP2. This applies only if you are using assertion encryption.

Yes, the SingleLogoutService Binding is configured on the IdP side.

The way it works is: when you click logout, first AEM clears the cookie and then passes a SAML POST request to the IdP. At the IdP you configured the SingleLogoutService Binding location; that URL will be called, which clears IdP-related cookies. It does not have to clear AEM cookies because they are already cleared by the AEM logout before calling the IdP.

Level 2

Hi Sham,

Thank you for the explanation. As I am not using encryption, SP2 will not fix my problem.

So here is a question: when the user clicks the logout link, AEM clears the cookie first, right? If so, I can't do the real sign out if the IdP doesn't clear the related cookies, right? That requires cookies to be cleared on both sides to make it work, not only on the AEM side?

Owen Wang

Correct answer by
Level 10

michaelowenwang wrote...

Hi Sham,

Thank you for the explanation. As I am not using encryption, SP2 will not fix my problem.

So here is a question: when the user clicks the logout link, AEM clears the cookie first, right? If so, I can't do the real sign out if the IdP doesn't clear the related cookies, right? That requires cookies to be cleared on both sides to make it work, not only on the AEM side?

Owen Wang

It clears the cookie first in AEM and immediately sends a sign-out request to the IdP; that's where the IdP clears everything. If you configured it correctly, with this everything is cleared. If the configuration is wrong, what happens is AEM clears the cookie and sends the request to the IdP; the IdP does not log out and redirects back to AEM, in which case AEM creates a cookie again and thereby you do not log out.