Hi all,
we have successfully configured SAML authentication by following the instructions: SAML 2.0 on AEM as a Cloud Service - Adobe Experience Manager
Now we're trying to configure the log out as well, but we can't find any documentation about it. Can anyone point us in the right direction?
Thanks,
Mike
@Mike_eggs Look at this thread, hope this helps:
https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/how-to-make-saml-authentic...
Krishna
@Mike_eggs you can write one servlet which will be called on clicking the logout button.
In that servlet you can read the login-token cookie and set its max age to zero.
    import javax.servlet.http.Cookie;
    // SlingHttpServletRequest.getCookie(String) is Sling-specific (plain HttpServletRequest has no getCookie)
    Cookie loginCookie = request.getCookie("login-token");
    if (null != loginCookie) {
        loginCookie.setMaxAge(0);   // max age 0 tells the browser to delete the cookie
        loginCookie.setPath("/");   // path must match the one the cookie was set with
        loginCookie.setValue("");
        response.addCookie(loginCookie);
    }
You can then redirect the response to wherever you want to.
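For reference, here is the suggestion above written out as a complete Sling servlet. This is an added example, not code from the thread or from Adobe; the package name, the servlet path /bin/saml/logout and the IdP SLO URL are assumptions (the URL is a placeholder to be replaced with the logoutUrl from your SAML handler configuration).

```java
package com.example.saml;  // hypothetical package

import java.io.IOException;
import javax.servlet.Servlet;
import javax.servlet.http.Cookie;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import org.osgi.service.component.annotations.Component;

/**
 * Added example: expires the AEM login-token cookie and then sends the
 * browser to the IdP single-logout URL so the IdP session ends too.
 */
@Component(service = Servlet.class, property = {
        "sling.servlet.paths=/bin/saml/logout",  // assumed path
        "sling.servlet.methods=GET"
})
public class SamlLogoutServlet extends SlingSafeMethodsServlet {

    // Assumed placeholder: use the same value as logoutUrl in the
    // SamlAuthenticationHandler configuration.
    private static final String IDP_LOGOUT_URL =
            "https://idp.example.invalid/saml2/idp/slo";

    @Override
    protected void doGet(SlingHttpServletRequest request,
                         SlingHttpServletResponse response) throws IOException {
        // SlingHttpServletRequest.getCookie(String) is Sling-specific.
        Cookie loginCookie = request.getCookie("login-token");
        if (loginCookie != null) {
            loginCookie.setMaxAge(0);               // max age 0 = delete
            loginCookie.setPath("/");               // must match original path
            loginCookie.setValue("");
            loginCookie.setHttpOnly(true);
            loginCookie.setSecure(request.isSecure());
            response.addCookie(loginCookie);
        }
        // The redirect target is fixed server-side; never take it from a
        // request parameter, which would turn the servlet into an open redirect.
        response.setHeader("Cache-Control", "no-store");
        response.sendRedirect(IDP_LOGOUT_URL);
    }
}
```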
Thank you Krishna!
However, I hoped that AEM would provide a standard functionality for the SAML log out. Do you really have to implement the SLO yourself?
My expectation would be that we set the Log Out URL in the SAML Authentication Handler (/apps/ssp/osgiconfig/config.publish/com.adobe.granite.auth.saml.SamlAuthenticationHandler_saml.cfg) and then just call one "Special-URL", so that AEM performs the SAML log out automatically.
Anyone from Adobe here?
Thanks,
Mike
You need to provide the IdP logout URL in the configuration.
Example for the Azure AD logout URL:
logoutUrl="https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0"
Hi Arun!
Thanks for the input! This sounds good.
I will add the following configuration to our SAML Authentication Handler:
"logoutUrl": "$[env:SAML_LOG_OUT_URL;default=https://a7tv3j3qn.accounts.ondemand.com/saml2/idp/slo/a7tv3j3qn.accounts.ondemand.com]",
Do you know what URL I have to call to initiate the log out?
Mike
In Author, it is added to the logout button automatically.
But in Publish, if you have a custom login/logout button, this URL must be added to that logout link/button.
I tried to implement the suggestion, but unfortunately it doesn't work:
Mike
Hi Krishna,
After re-thinking your suggestion, I don't think this is a possible way to solve the problem: Since the login cookie was set by the IDP, I probably can't delete it from a servlet running in AEM (different URL).
Mike
@Mike_eggs Once you have logged in to your application, can you open the dev tools in your browser, go to the Application tab -> Cookies, and look: you should be seeing login-token.
Try deleting it in the browser itself and reload the page; it should be taking you to the login page again.
If that works, the same thing is being implemented programmatically when you click on the logout button.
Krishna
Hi Krishna,
thanks for your input, but there is no login-token, there is no cookie from abc.adobeaemcloud.com at all. Authentication is done by a SAML IDP and this service sets the login cookies from another domain (xyz.accounts.ondemand.com). That's why I have no access from AEM to these cookies.
Mike