Hello,
I enabled SAML 2.0 authentication with the handle logout service in AEM. It works well for user authentication, but I found a sign-out problem. When I try to sign out from AEM, it redirects me to the logout URL page which I configured in the IdP; however, I don't think it is a real sign-out, because when I close the browser and open a new browser, it doesn't require me to provide the username/password again, even though the IdP login page is displayed. It seems like the browser remembers my credentials in the cookie?
How can I resolve this problem? Do I need to write some code to handle this myself, or is there some code that can be reused in AEM, or does the IdP need to set a cookie expiry time? I want to have this function: once the user clicks sign out in AEM, AEM does the real sign-out (removes the session or cookie?) so that the user needs to provide the username/password for SAML authentication again. It seems like enabling SAML in AEM breaks the original OOTB sign-out function.
Owen Wang
No need to write code, you just need to configure it. Before answering, let me know: which IdP are you using? Are you encrypting the assertion? Are you using SP2?
Hi Sham,
Glad to get your feedback.
We are using an existing ADFS which belongs to our client. No encrypted assertion. What's SP2, do you mean Service Pack 2? Has SP2 been released already?
It's my pleasure, Michael. SP2 is GA now: http://docs.adobe.com/docs/en/aem/6-0/release-notes-sp2.html
Without encrypting the assertion you need to take the backend route. The steps are:
1) Configure the logout URL in the Felix console.
2) Modify the metadata file to have a SingleLogoutService Binding. In this binding, configure the location pointing to the logout URL of the IdP.
Hi Sham,
Thanks for your information. Is this fixed in SP2? SP1 still has this problem, right? I am not clear about 2).
Where should I modify the metadata file to have SingleLogoutServiceBinding? It's configured on the IdP side, right?
Our client's ADFS has a logout URL provided for us, but it seems like ADFS doesn't remove/clear the session/cookie; AEM needs to do that, right?
Owen Wang
During logout, AEM used to decrypt an already decrypted SAML response, hence logout was failing. This is fixed in SP2. This applies only if you are using assertion encryption.
Yes, SingleLogoutServiceBinding is configured on the IdP side.
The way it works is: when you click logout, first AEM clears the cookie and then passes a SAML POST request to the IdP. At the IdP you configured the SingleLogoutServiceBinding location; that URL will be called, which clears IdP-related cookies. It does not have to clear AEM cookies because they were already cleared by the AEM logout before calling the IdP.
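As an added example (not code from this thread or from AEM), a small Python check that parses SAML 2.0 IdP metadata and confirms the SingleLogoutService endpoint from step 2 above is present with a supported binding and an HTTPS location; the metadata samples and the host name are constructed placeholders.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SLO_BINDINGS = {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
                "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"}

# Constructed sample IdP metadata; the host name is a placeholder.
_SSO = ('<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        'Location="https://idp.example.test/adfs/ls/"/>')
_SLO = ('<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        'Location="https://idp.example.test/adfs/ls/"/>')
_WRAP = ('<md:EntityDescriptor xmlns:md="%s"><md:IDPSSODescriptor '
         'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">%s'
         '</md:IDPSSODescriptor></md:EntityDescriptor>')
METADATA_WITH_SLO = _WRAP % (MD_NS, _SSO + _SLO)
METADATA_WITHOUT_SLO = _WRAP % (MD_NS, _SSO)


def find_slo_endpoints(metadata_xml):
    """Return (binding, location) for every SingleLogoutService element."""
    root = ET.fromstring(metadata_xml)
    return [(el.get("Binding"), el.get("Location"))
            for el in root.iter("{%s}SingleLogoutService" % MD_NS)]


def check_slo(metadata_xml):
    """List the problems that would stop single logout; empty means OK."""
    problems = []
    endpoints = find_slo_endpoints(metadata_xml)
    if not endpoints:
        # The misconfiguration the thread describes: AEM clears its own cookie,
        # but no IdP logout endpoint is called, so the IdP session survives and
        # the next visit signs the user in again without a password prompt.
        problems.append("no SingleLogoutService endpoint in metadata")
    for binding, location in endpoints:
        if binding not in SLO_BINDINGS:
            problems.append("unsupported SLO binding: %s" % binding)
        if not (location or "").startswith("https://"):
            problems.append("SLO location is not HTTPS: %s" % location)
    return problems
```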
Hi Sham,
Thank you for the explanation. As I am not using encryption, SP2 will not fix my problem.
So here is a question: when the user clicks the logout link, AEM clears the cookie first, right? If so, I can't do the real sign-out if the IdP doesn't clear its related cookies, right? That requires cookies to be cleared on both sides to make it work, not only on the AEM side?
Owen Wang
It clears the cookie first in AEM and immediately sends a sign-out request to the IdP; that's where the IdP clears everything. If you configured it correctly, with this everything is cleared. With a wrong configuration, what happens is that AEM clears the cookie and sends the request to the IdP, the IdP does not log out and redirects back to AEM, and in that case AEM creates a cookie again, thereby you do not log out.