SOLVED

SAML Log Out AEM as a Cloud Service


Level 2

Hi all,


we have successfully configured SAML authentication by following the instructions: SAML 2.0 on AEM as a Cloud Service - Adobe Experience Manager

 

Now we're trying to configure the log out as well, but we can't find any documentation about it. Can anyone point us in the right direction?

 

Thanks,

 

Mike

10 Replies


Community Advisor

@Mike_eggs you can write a servlet which is called when the logout button is clicked.
In that servlet you can read the login-token cookie and set its max age to zero.

 

Cookie loginCookie = request.getCookie("login-token");

if (null != loginCookie) {
    loginCookie.setMaxAge(0);    // Max-Age=0 tells the browser to discard the cookie immediately
    loginCookie.setPath("/");    // path must match the original cookie, otherwise the browser keeps it
    loginCookie.setValue("");
    response.addCookie(loginCookie);
}

 

You can then redirect the response to wherever you want to:

response.sendRedirect(<redirectLogoutURL>);

Hope this helps,
Krishna

 


Level 2

Thank you Krishna!

However, I hoped that AEM would provide a standard functionality for the SAML log out. Do you really have to implement the SLO yourself?

 

My expectation would be that we set the Log Out URL in the SAML Authentication Handler (/apps/ssp/osgiconfig/config.publish/com.adobe.granite.auth.saml.SamlAuthenticationHandler_saml.cfg) and then just call one "special URL", so that AEM performs the SAML log out automatically.


Anyone from Adobe here?

 

Thanks,

 

Mike


Community Advisor

You need to provide the IdP logout URL in the configuration.

(screenshot: SAML Authentication Handler configuration)

 

Example for the Azure AD logout URL:

logoutUrl="https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0"



Arun Patidar
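Combining the two suggestions in this thread (expire the local login-token cookie, then send the browser to the IdP's logout URL) as an added example; this is not code from the thread or from Adobe. It assumes a hypothetical servlet path /bin/saml/logout, a hypothetical OSGi property idp.logout.url, and that AEM did issue a login-token cookie on its own host:

```java
// Added example, not from the thread or from Adobe.
// Hypothetical names: package com.example.saml, path /bin/saml/logout,
// OSGi property idp.logout.url.
package com.example.saml;

import java.io.IOException;
import javax.servlet.Servlet;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.metatype.annotations.AttributeDefinition;
import org.osgi.service.metatype.annotations.Designate;
import org.osgi.service.metatype.annotations.ObjectClassDefinition;

@Component(service = Servlet.class,
        property = {
                "sling.servlet.paths=/bin/saml/logout", // hypothetical path
                "sling.servlet.methods=POST"            // POST only: a plain GET link lets any page force a logout
        })
@Designate(ocd = SamlLogoutServlet.Config.class)
public class SamlLogoutServlet extends SlingAllMethodsServlet {

    @ObjectClassDefinition(name = "Example SAML logout servlet")
    public @interface Config {
        @AttributeDefinition(name = "IdP logout URL",
                description = "Absolute URL of the IdP single-logout endpoint (hypothetical property)")
        String idp_logout_url() default "";
    }

    private String idpLogoutUrl;

    @Activate
    protected void activate(Config config) {
        idpLogoutUrl = config.idp_logout_url() == null ? "" : config.idp_logout_url().trim();
    }

    // Only accept a site-relative path as fallback target; rejects "//evil.example" and
    // "/\evil.example", which browsers treat as protocol-relative (open redirect).
    static String localPathOrRoot(String candidate) {
        if (candidate == null || !candidate.startsWith("/")) {
            return "/";
        }
        if (candidate.startsWith("//") || candidate.startsWith("/\\")) {
            return "/";
        }
        return candidate;
    }

    @Override
    protected void doPost(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws ServletException, IOException {
        // 1. Kill the local AEM session cookie. Max-Age=0 makes the browser discard it now.
        //    Path (and domain, if one was set) must match the original cookie or the browser
        //    keeps the old one and this step silently does nothing.
        Cookie loginCookie = request.getCookie("login-token");
        if (loginCookie != null) {
            loginCookie.setValue("");
            loginCookie.setMaxAge(0);
            loginCookie.setPath("/");
            loginCookie.setHttpOnly(true);
            loginCookie.setSecure(request.isSecure());
            response.addCookie(loginCookie);
        }

        // 2. Hand the browser to the IdP so the IdP session is ended as well. AEM cannot
        //    clear cookies the IdP set on its own domain; only the IdP can do that.
        if (!idpLogoutUrl.isEmpty()) {
            response.sendRedirect(idpLogoutUrl);
        } else {
            // No IdP URL configured: stay local, but validate the "resource" parameter.
            response.sendRedirect(localPathOrRoot(request.getParameter("resource")));
        }
    }
}
```

Two checks worth doing after deploying something like this: open the browser's cookie view after the POST and confirm the login-token cookie for the AEM host is gone (if the path or domain of the expiring cookie does not match, it will still be there), and follow the redirect to the IdP and confirm the IdP really ends its session, since only the IdP can remove cookies on its own domain.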


Level 2

Hi Arun!
Thanks for the input! This sounds good.

I will add the following configuration to our SAML Authentication Handler:
"logoutUrl": "$[env:SAML_LOG_OUT_URL;default=https://a7tv3j3qn.accounts.ondemand.com/saml2/idp/slo/a7tv3j3qn.accounts.ondemand.com]",


Do you know what URL I have to call to initiate the log out?

Mike

Correct answer by Community Advisor

In Author, it is added to the logout button automatically.

But in Publish, if you have a custom login/logout button, this URL must be added to that logout link/button.



Arun Patidar


Level 2

I tried to implement the suggestion, but unfortunately it doesn't work:

 

  1. User clicks the Log Out button (system/sling/logout.html?resource=/content/startpage.html)
  2. AEM sends a 302 redirect to /content/startpage.htm
  3. AEM returns a 403 for /content/startpage.htm
  4. User is not logged out from the IdP

Mike

 


Level 2

Hi Krishna,

 

After re-thinking your suggestion, I don't think this is a possible way to solve the problem: Since the login cookie was set by the IDP, I probably can't delete it from a servlet running in AEM (different URL).

 

Mike


Community Advisor

@Mike_eggs Once you have logged in to your application, can you open dev tools in your browser, go to the Application tab -> Cookies and look; you should see login-token.

(screenshot: browser dev tools showing the login-token cookie)

 


Try deleting it in the browser itself and reload the page; it should take you to the login page again.
If that works, the same thing is being implemented programmatically when you click on the logout button.
Krishna


Level 2

Hi Krishna,

 

thanks for your input, but there is no login-token; there is no cookie from abc.adobeaemcloud.com at all. Authentication is done by a SAML IdP and this service sets the login cookies from another domain (xyz.accounts.ondemand.com). That's why I have no access to these cookies from AEM.

 

Mike