Forum Discussion

MC_273315's avatar
MC_273315
Icon for Cirrus rankCirrus
May 30, 2017

APM SAML (ACCESS::session remove)

Is it possible to immediately remove an active session upon completion of an Access Policy? We assign SSO connections via branches of one large Access Policy and have an issue when cookies are re-use...
BIG-IP Access Policy Manager (APM)
devops
iRules
security
brad_11480's avatar
brad_11480
Icon for Nimbostratus rankNimbostratus
Nov 22, 2017

Have the same need. Why keep these sessions around when the IdP SAML/SSO has completed? Like to clean them out.

 

Yup doesn't timeout for me either. So guess this isn't a solution but I wonder why change this in an iRule? For the access profile for the SAML/SSO change the default inactivity, access policy, and session timeout values. This should all happen inside of a few seconds but anticipate delays with browser redirect.

 

I'm setting these to 10/20/20 for NTLM based and so far it seems to be good and the sessions age out quickly.

 

Higher numbers if the user is being prompted for credentials. But seems to me that the access policy and the maximum session timeouts could be set the same since once IdP SAML/SSO completes the IdP is done and the user is now at the service provider.

 

Now the SP logout could come back in, but the authenticated session will be gone.