Forum Discussion

Nimbostratus

Apr 05, 2016

APM: how to gracefully logout from all SSO applications behind BigIP

Dear Community, I have 3 different web applications sitting behind a BigIP which does SSO across all three of them (they are 2 x Kerberos and 1 x Forms if this is relevant at all in the context ...

application delivery

BIG-IP Access Policy Manager (APM)

iRules

security

Michael_Jenkins

Cirrostratus

Apr 05, 2016

Another option (though not the prettiest or easiest) would be to intercept a request to /vdesk/hangup.php3 (or a response redirect to that page) and present the user with a custom page that uses AJAX calls to request the individual logout pages of the applications, and once completed, redirects the user to the hangup page again with a query parameter or something that would denote it should be intercepted again.

iRule code might start like this:

when HTTP_REQUEST { 
    set hostvar [HTTP::host] 
    set urivar [HTTP::uri] 
} 

when HTTP_RESPONSE { 
    if { [HTTP::header exists Location] && [HTTP::header value Location] equals "/vdesk/hangup.php3" } { 
        HTTP::respond 200 content { 
            Your page here 
        } Cache-Control No-Cache Pragma No-Cache 
    } 
}

Also, if you're interested in APM event flow, you can check out this article which gives a flowchart of most of the events there.

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)