
SOLVED

Can i clear only the AEM level SAML Assertion and not the IDP SAML session.


Level 5

Hi,

I have a use case requirement where I need to clear only the AEM-related SAML assertion and not the IDP-level SAML session. Is there any OOB way to achieve it? I have tried /system/sling/logout.html, which shows only "session_timeout" output, but when I access any page of AEM in the same browser I can see the SAML-authenticated user is still logged in.

Thanks,

KK

1 Accepted Solution


Correct answer by
Employee

It would help if you could describe what end result you are trying to accomplish.

Based on your description, you will need to reconfigure your IDP. Because when a user logs out of AEM (and you don't have Single Logout Configured), the next request from the user will get redirected to the IDP and then the IDP response will include the assertion necessary for the user to be logged into AEM. If, in the interim, you reconfigure the IDP to no longer send the assertion to AEM, then the user won't be logged in to AEM. This may result in a redirect loop depending upon how the IDP is set up.

Regards,

Justin

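The flow Justin describes, as an added example that is not part of this thread: a minimal Python model of an AEM-style service provider (SP) and an IDP, showing why an SP-only logout (the login-token cookie cleared, IDP session untouched) is silently undone on the next request, and what Single Logout changes. All class and function names are hypothetical and do not correspond to AEM's or any IDP's real API.

```python
# Added illustration (constructed model, not AEM code): SP-side logout vs. Single Logout.
from dataclasses import dataclass, field


@dataclass
class IdP:
    # IDP-side sessions: which browsers have already authenticated at the IDP
    sessions: set = field(default_factory=set)

    def login(self, browser: str) -> None:
        self.sessions.add(browser)

    def authn_response(self, browser: str):
        # SSO behaviour: a browser with a live IDP session gets a fresh assertion
        # without being prompted for credentials again
        return {"assertion": f"assertion-for-{browser}"} if browser in self.sessions else None

    def single_logout(self, browser: str) -> None:
        self.sessions.discard(browser)


@dataclass
class SP:
    idp: IdP
    tokens: set = field(default_factory=set)  # browsers holding a valid SP login token

    def request_page(self, browser: str) -> str:
        if browser in self.tokens:
            return "page (logged in)"
        # No SP token: redirect to the IDP. A live IDP session yields a new assertion,
        # and the SP logs the user back in without any user interaction.
        if self.idp.authn_response(browser) is None:
            return "redirect to IdP login form"
        self.tokens.add(browser)
        return "page (logged in via new assertion)"

    def logout(self, browser: str, single_logout: bool = False) -> None:
        self.tokens.discard(browser)            # the SP-only part of a logout
        if single_logout:
            self.idp.single_logout(browser)     # what Single Logout adds


def logout_then_request(single_logout: bool) -> str:
    """Log a browser in, log it out at the SP, then request a page again."""
    idp = IdP()
    sp = SP(idp)
    idp.login("browser-A")
    sp.request_page("browser-A")                # first visit: assertion consumed, SP token issued
    sp.logout("browser-A", single_logout=single_logout)
    return sp.request_page("browser-A")
```

Without Single Logout the second request is transparently re-authenticated by the IDP; with it, the browser lands on the IDP login form, which is the behaviour the question is asking for.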

3 Replies


Level 5

Hi Members,

Any inputs or suggestions?


Level 10

I know SAML needs to be improved in the AEM docs. Also, we will add this as a topic for AEM Ask the Experts. I have asked some Adobe people to look at this question.
