We are facing an issue with the SSO implementation using the SAML 2.0 Authentication Handler in AEM. A user logs in, accesses a few secure pages, logs out of the application, and then tries again to access the secure pages or refreshes a secure page, for example the User Profile page with user data; the user is then not asked to log in but is directly shown the page.
If the pages are accessed with "?" appended to the URL, or with the browser developer tools (F12) open, then the login screen comes up. We made sure not to cache secure pages at the CDN and Dispatcher level.
Are we missing anything here? Is there any way we can make sure (at the AEM end) that logout is working as expected, i.e. can we check whether a cookie gets created after a successful login and removed after a successful logout?
When you have private data like this, make sure not to cache the page. From what you wrote, you have three levels of caching:
Make sure that none of these layers caches "mypage".
If no layer caches, all requests are served by the AEM Publish system.
On the Publish system you need to configure "mypage" so that it is not accessible to anonymous users, only to logged-in users; use ACLs or CUGs here.
mypage then must be covered by the SAML authentication service.
So the next time an unauthenticated user accesses mypage, Sling realizes that the user must authenticate. It looks for authentication handlers and finds the SAML service, which then performs the redirect to the SSO page.
Thanks for your suggestion, we are checking by making the above configurations at the CDN level. For a brief period the issue appeared to be solved, but we are facing the same issue again. Not sure what went wrong. Will continue testing and keep you posted on the status.
Also one more question, similar to the above: we have a secure page (my-profile.html) with a form where user details are displayed if the user is logged in. Even after the user logs out and tries to access my-profile.html directly, the user details are still visible; ideally the SAML Handler must be invoked, since it falls under the subtree of secure pages.
We are displaying user details in my-profile.html by accessing user data from the HTTP session (user details like first name and last name are set in the HTTP session in the SAMLPostProcessor).
Can you please let us know if you see any issue with the above approach?
Maybe what you see is the result of the browser's cache. You should see that when you request the page with the browser's debug console open (in the "Network" tab). If it comes from the browser cache it should say something like "cached" or "local".
Depending on the security requirements, caching in the browser might not be wanted. In this case you would set HTTP headers to tell the browser not to cache.
Here is an article describing how you can control caching:
Hard to say where you have to set the headers. In a simple setup you do that (rule-based) in the Dispatcher. But you mentioned a CDN, so it might be that you need to configure browser caching on the CDN's edge servers. Sometimes you set the headers in Apache and tell the CDN to just respect them. There is a multitude of options...
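As an added example (not posted by anyone in this thread, and not AEM product code), here is one way to implement the two points made above, "none of the layers caches mypage" and "set HTTP headers to tell the browser not to cache", with mod_headers in the Apache vhost that hosts the Dispatcher module. Because the headers are set on the way out, the browser and any CDN that honours Cache-Control both see them. The path prefix /content/mysite/secure/ and the vhost layout are assumptions; substitute the subtree that your CUG/ACL and the SAML handler actually protect.

```apache
# Added example, not from the original thread. Assumes the protected pages
# live under /content/mysite/secure/ (hypothetical path) on the Dispatcher's
# Apache vhost and that mod_headers is loaded.
<IfModule mod_headers.c>
    # Match the protected HTML pages and their JSON/selector variants, but not
    # shared clientlibs under /etc.clientlibs, which are safe to cache.
    <LocationMatch "^/content/mysite/secure/.*\.(html|json)$">
        # "always" makes the headers apply to non-2xx responses too, so the
        # 302 redirect to the IdP issued by the SAML handler is not cached
        # by the browser or the CDN either.
        Header always set Cache-Control "private, no-store, no-cache, max-age=0, must-revalidate"
        Header always set Pragma "no-cache"
        Header always set Expires "0"
    </LocationMatch>

    # The logout endpoint of AEM/Sling; its response clears the session
    # cookie and must never be served from a cache.
    <Location "/system/sling/logout">
        Header always set Cache-Control "private, no-store, no-cache, max-age=0, must-revalidate"
    </Location>
</IfModule>
```

These headers only stop the browser and the CDN from caching; the Dispatcher module's own cache is governed by the /cache rules in dispatcher.any and still needs a deny rule for the same subtree, as the first answer says. To check the result, request the page once while logged out and once after logging in and out again, with the browser's Network tab open or with curl -I, and confirm that the response carries the Cache-Control header above and that the logout response sets the login-token cookie with an expiry in the past; a secure page that is still visible although it is served with no-store points at the server (for example the HTTP session the profile component reads from) rather than at a cache.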