Hi,
We are facing an issue with SSO implementation using SAML 2.0 Authentication Handler in AEM. User logs in access few secure pages, logs out of the application, and then again tries to access secure pages or refreshes secure page for example User Profile page with user data then user is not asked to login but is directly shown the page.
If the pages are accessed using "?" at the end or with browser developer tools(F12) is open then login screen comes up. We made sure to not cache secure pages at CDN and Dispatcher level.
Are we missing anything here? Is there anyway we can make sure(at AEM end) logout is working as expected i.e. any can we check if any cookie gets created after successful login and removed after successful logout?
Any help on this is highly appreciated.
Thanks,
Srikanth Pogula.
Solved! Go to Solution.
Views
Replies
Total Likes
Hi Srikanth,
when you have private data like this, make sure not to cache the page. From what you wrote, you have three levels of caching:
1. Dispatcher
2. CDN
3. Browser-Cache
make sure that neither layer caches the "mypage".
If neither layer caches, all requests are served by the AEM Publish system.
On the publish System you need to configure "mypage" as not being accessible by anonymous - but only by the logged in user - use ACLs or CUGs here.
mypage then must be covered by the SAML authentication service.
So - next time an unauthenticated user accesses mypage, Sling realizes that the user must authenticate. It looks for authentication handlers and finds the SAML service, which then performs the redirect to the SSO page.
EDIT:
If that works, but you have performance issues, you can implement Permission Sensitive Caching as described here:
https://experienceleague.adobe.com/en/docs/experience-manager-dispatcher/using/configuring/permissio...
-ash
Hi Srikanth,
mAyse what you see is the result of the browsers cache. You should see that, when you request the page with the browser‘s debug console open (in the „network“ tab). If it comes from the browser cache it should say something like „cached“ or “local“.
Depending on the security requirements caching in the browser might not be wanted. In this case you would set HTTP-headers to tell the browser not to cache.
Here is an article describing how you can control caching:
Hard to say where you have to set the headers. In a simple setup you do that (rule-based) in the Dispatcher. But you mentioned a CDN - so it might be that you need to configure browser caching in the CDN‘s edge-servers. Sometimes you set the headers in the Apache and tell the CDN to just respect it.. There is a multitude of options...
-achim
Views
Replies
Total Likes
Hi -ash,
Thanks for your suggestion, we are checking by making above configurations at CDN level. For a brief period issue appeared to be solved but we are facing the same issue again. Not sure what went wrong again. Will continue testing and keep you posted on the status.
Also one more question similar to above, where we have secure page(my-profile.html) with form where user details are displayed if logged in. Even after user logs out and tries to access my-profile.html directly, user details are still visible, ideally SAML Handler must be invoked since it falls under the subtree of secure pages.
We are displaying user details in my-profile.html by accessing user data from http session(user details like first name, last name are set in http session in SAMLPostProcessor).
Can you please let us me know if you see any issue with the above approach?
Views
Replies
Total Likes
Hi Srikanth,
when you have private data like this, make sure not to cache the page. From what you wrote, you have three levels of caching:
1. Dispatcher
2. CDN
3. Browser-Cache
make sure that neither layer caches the "mypage".
If neither layer caches, all requests are served by the AEM Publish system.
On the publish System you need to configure "mypage" as not being accessible by anonymous - but only by the logged in user - use ACLs or CUGs here.
mypage then must be covered by the SAML authentication service.
So - next time an unauthenticated user accesses mypage, Sling realizes that the user must authenticate. It looks for authentication handlers and finds the SAML service, which then performs the redirect to the SSO page.
EDIT:
If that works, but you have performance issues, you can implement Permission Sensitive Caching as described here:
https://experienceleague.adobe.com/en/docs/experience-manager-dispatcher/using/configuring/permissio...
-ash
Thanks -ash for the information,we were able to fix the issue with configurations at CDN end.
Views
Replies
Total Likes
@srikanthp689160 we are facing same caching issues with SAML and needs urgent fix can you please help here to understand what all configuration you have done to fix this issue.
Views
Replies
Total Likes
Views
Likes
Replies