SAML Authentication - Cache issue | Community
Skip to main content
srikanthp689160
srikanthp689160
October 21, 2019
Solved

SAML Authentication - Cache issue

  • October 21, 2019
  • 4 replies
  • 6672 views

Hi,

We are facing an issue with SSO implementation using SAML 2.0 Authentication Handler in AEM. User logs in access few secure pages, logs out of the application, and then again tries to access secure pages or refreshes secure page for example User Profile page with user data then user is not asked to login but is directly shown the page.

If the pages are accessed using "?" at the end or with browser developer tools(F12) is open then login screen comes up. We made sure to not cache secure pages at CDN and Dispatcher level.

Are we missing anything here? Is there anyway we can make sure(at AEM end) logout is working as expected i.e. any can we check if any cookie gets created after successful login and removed after successful logout?

Any help on this is highly appreciated.

Thanks,

Srikanth Pogula.

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.
Best answer by ---achim

Hi Srikanth,

 

when you have private data like this, make sure not to cache the page. From what you wrote, you have three levels of caching:

 

1. Dispatcher

2. CDN

3. Browser-Cache

 

make sure that neither layer caches the "mypage".

 

If neither layer caches, all requests are served by the AEM Publish system.

 

On the publish System you need to configure "mypage" as not being accessible by anonymous - but only by the logged in user - use ACLs or CUGs here.

 

mypage then must be covered by the SAML authentication service.

 

So - next time an unauthenticated user accesses mypage, Sling realizes that the user must authenticate. It looks for authentication handlers and finds the SAML service, which then performs the redirect to the SSO page.


EDIT:

If that works, but you have performance issues, you can implement  Permission Sensitive Caching as described here:

https://experienceleague.adobe.com/en/docs/experience-manager-dispatcher/using/configuring/permissions-cache

-ash

 

4 replies

-
Adobe Employee
---achimAdobe Employee
Adobe Employee
October 21, 2019

Hi Srikanth,

mAyse what you see is the result of the browsers cache. You should see that, when you request the page with the browser‘s debug console open (in the „network“ tab). If it comes from the browser cache it should say something like „cached“ or “local“.

Depending on the security requirements caching in the browser might not be wanted. In this case you would set HTTP-headers to tell the browser not to cache.

Here is an article describing how you can control caching:

Cache-Control - HTTP | MDN

Hard to say where you have to set the headers. In a simple setup you do that (rule-based) in the Dispatcher. But you mentioned a CDN - so it might be that you need to configure browser caching in the CDN‘s edge-servers. Sometimes you set the headers in the Apache and tell the CDN to just respect it.. There is a multitude of options...

-achim

srikanthp689160
srikanthp689160Author
October 24, 2019

Hi -ash,

Thanks for your suggestion, we are checking by making above configurations at CDN level. For a brief period issue appeared to be solved but we are facing the same issue again. Not sure what went wrong again. Will continue testing and keep you posted on the status.

Also one more question similar to above, where we have secure page(my-profile.html) with form where user details are displayed if logged in. Even after user logs out and tries to access my-profile.html directly, user details are still visible, ideally SAML Handler must be invoked since it falls under the subtree of secure pages.

We are displaying user details in my-profile.html by accessing user data from http session(user details like first name, last name are set in http session in SAMLPostProcessor).

Can you please let us me know if you see any issue with the above approach?

-
Adobe Employee
---achimAdobe EmployeeAccepted solution
Adobe Employee
October 24, 2019

Hi Srikanth,

 

when you have private data like this, make sure not to cache the page. From what you wrote, you have three levels of caching:

 

1. Dispatcher

2. CDN

3. Browser-Cache

 

make sure that neither layer caches the "mypage".

 

If neither layer caches, all requests are served by the AEM Publish system.

 

On the publish System you need to configure "mypage" as not being accessible by anonymous - but only by the logged in user - use ACLs or CUGs here.

 

mypage then must be covered by the SAML authentication service.

 

So - next time an unauthenticated user accesses mypage, Sling realizes that the user must authenticate. It looks for authentication handlers and finds the SAML service, which then performs the redirect to the SSO page.


EDIT:

If that works, but you have performance issues, you can implement  Permission Sensitive Caching as described here:

https://experienceleague.adobe.com/en/docs/experience-manager-dispatcher/using/configuring/permissions-cache

-ash

 

    srikanthp689160
    srikanthp689160Author
    October 25, 2019

    Thanks -ash for the information,we were able to fix the issue with configurations at CDN end.

    P
    pavaniannem
    July 11, 2024

    @srikanthp689160 we are facing same caching issues with SAML and needs urgent fix can you please help here to understand what all configuration you  have done to fix this issue.

    Terms & ConditionsAccessibility statement

    Loading footer...