Hi all,
we have successfully configured SAML authentication by following the instructions: SAML 2.0 on AEM as a Cloud Service - Adobe Experience Manager
Now we're trying to configure the log out as well, but we can't find any documentation about it. Can anyone point us in the right direction?
Thanks,
Mike
Solved! Go to Solution.
Views
Replies
Total Likes
@Mike_eggs Look at this thread hope this helps
https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/how-to-make-saml-authentic...
Krishna
@Mike_eggs you can write one servlet which will be called on clicking the logout button.
In that servlet you can read login-token and make its max age to zero.
Cookie loginCookie = request.getCookie("login-token");
if(null != loginCookie) {
loginCookie.setMaxAge(0);
loginCookie.setPath("/");
loginCookie.setValue("");
response.addCookie(loginCookie);
}
you can then redirect the response to where ever you want to
Thank you Krishna!
However, I hoped that AEM would provide a standard functionality for the SAML log out. Do you really have to implement the SLO yourself?
My expectation would be that we set the Log Out URL in the SAML Authentication Handler (/apps/ssp/osgiconfig/config.publish/com.adobe.granite.auth.saml.SamlAuthenticationHandler_saml.cfg) and then just call one "Special-URL", so that AEM performs the SAML log out automaticaly.
Anyone from Adobe here?
Thanks,
Mike
you need to provide the idp logout url in the configuration
example for Azure AD logout url
logoutUrl="https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0"
Hi Arun!
Thanks for the input! This sounds good.
I will add the following configuration to our SAML Authentication Handler:
"logoutUrl": "$[env:SAML_LOG_OUT_URL;default=https://a7tv3j3qn.accounts.ondemand.com/saml2/idp/slo/a7tv3j3qn.accounts.ondemand.com",
Do you know, what URL I have to call to initiate the log out?
Mike
@Mike_eggs Look at this thread hope this helps
https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/how-to-make-saml-authentic...
Krishna
In Author, It is added to the logout button automatically.
but in publisher if you have custom login/logout button, this URL must be added to that logout link/button.
I tried to implement the suggestion, but unfortunately it doesn't work:
Mike
Hi Krishna,
After re-thinking your suggestion, I don't think this is a possible way to solve the problem: Since the login cookie was set by the IDP, I probably can't delete it from a servlet running in AEM (different URL).
Mike
@Mike_eggs Once after you login into your application, can you open dev tools in your browser and go to application tab -> cookies and look you should be seeing login-token.
Try deleting it in the browser itself and reload the page it should be taking you to login page again.
If that works the same thing is being implemented programatically when you click on logout button.
Krishna
Hi Krishna,
thanks for your input, but there is no login-token, there is no cookie from abc.adobeaemcloud.com at all. Authentification is done by an SAML IDP and this service sets the login cookies from another domain (xyz.accounts.ondemand.com). That's why I have no access from AEM to this cookies.
Mike
Views
Likes
Replies