Forum Discussion
APM SP with ADFS Single-Log-Out
Hi Folks,
I'd like to ask for working sample configuration to perform a SAML based Single-Log-Out.
Scenario:
VS_1
-> APM Policy with SAML Pre-Auth via multiple ADFS Server(s)
-> SharePoint with WS-Federation Auth using the same ADFS Server(s)
VS_2
-> APM Policy with 2FA/AD Auth and Kerberos-SSO
-> ADFS Server for Department 1
VS_N
-> APM Policy with 2FA/AD Auth and Kerberos-SSO
-> ADFS Server for Department N
Problem:
If a user initiates a logout on the SharePoint site, currently just the APM session for VS_1 gets closed. If the user reopens the SharePoint page, the APM SAML authentication will get a fresh authentication from the ADFS server, since the APM session for this service hasn't been closed by the user-initiated logout.
Goal:
Before I start to code an iRule that pulls off the SLO manually, I'd like to explore the possibilities of the built-in SAML SP Single-Sign-Out capabilities. Unfortunately I can't find any useful information on how this may work out in conjunction with APM SAML Pre-Auth, SharePoint and Microsoft ADFS Server behind another 2FA/AD Auth APM Policy.
Cheers, Kai
- Stanislas_Piro2 (Cumulonimbus)
Hi Kai,
you can use an iRule to search for sessions belonging to the same user...

    when ACCESS_ACL_ALLOWED {
        # "some conditions" is a placeholder: replace it with the test that identifies the logout request
        if { some conditions } {
            # APM uuid is "<access profile name>.<username>"
            set apm_uuid "[PROFILE::access name].[ACCESS::session data get session.logon.last.username]"
            # list of session ids that share this uuid
            set apm_cookie_list [ACCESS::uuid getsid $apm_uuid]
            if {[llength $apm_cookie_list] != 0} {
                set sid [lindex $apm_cookie_list 0]
                ACCESS::session remove $sid
            }
        }
    }
- P_K (Altostratus)
Which version are you running, and is there an IdP involved?
Hi PK,
the SAML SP is v12.1 APM with W2012R2 ADFS as SAML IdP.
Cheers, Kai
- Stanislas_Piro2 (Cumulonimbus)
Kai,
Here is the iRule I used to secure the ADFS server behind APM... it uses SLO detection to close the APM session and redirect to the SLO reply address.

    when HTTP_REQUEST {
        set keepua 0
        # For external Lync client access all external requests to the /trust/mex URL must be routed to /trust/proxymex.
        # Analyze and modify the URI where appropriate
        HTTP::uri [string map {/trust/mex /trust/proxymex} [HTTP::uri]]
        # Analyze the HTTP request and disable access policy enforcement for WS-Trust calls
        if {[HTTP::uri] contains "/adfs/services/trust"} {
            ACCESS::disable
        }
        # OPTIONAL ---- To allow publishing of the federation service metadata
        if {[HTTP::uri] ends_with "FederationMetadata/2007-06/FederationMetadata.xml"} {
            ACCESS::disable
        }
    }

    when ACCESS_ACL_ALLOWED {
        # Change User-Agent to Internet Explorer 11 User-Agent
        HTTP::header replace "User-Agent" "Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko msie7"
        # If authenticated request matches ADFS SLO URI, close APM session and redirect to URI stored in query parameter "wreply"
        if { ([string tolower [HTTP::path]] equals "/adfs/ls/") && ([string tolower [URI::query [HTTP::uri] wa]] equals "wsignout1.0") } {
            set redirect_uri [URI::decode [URI::query [HTTP::uri] wreply]]
            ACCESS::session remove
            ACCESS::respond 302 noserver Location $redirect_uri
            return
        }
    }

    when ACCESS_SESSION_STARTED {
        # If new session matches ADFS SLO URI, close APM session and redirect to URI stored in query parameter "wreply"
        set landinguri [ACCESS::session data get session.server.landinguri]
        if { ([string tolower $landinguri] starts_with "/adfs/ls/") && ([string tolower [URI::query $landinguri wa]] equals "wsignout1.0") } {
            set redirect_uri [URI::decode [URI::query $landinguri wreply]]
            ACCESS::respond 302 noserver Location $redirect_uri
            ACCESS::session remove
            return
        } elseif {!([string tolower $landinguri] starts_with "/adfs/")} {
            # Any new session not landing under /adfs/ is sent to the portal and dropped
            ACCESS::respond 302 noserver Location "https://portal.office.com"
            ACCESS::session remove
        }
    }

    when ACCESS_POLICY_COMPLETED {
        if { ([ACCESS::policy result] equals "deny") } {
            ACCESS::respond 302 noserver Location "https://portal.office.com"
            ACCESS::session remove
        }
    }
- Stanislas_Piro2 (Cumulonimbus)
Hi Kai,
I am working on a configuration with:
- ADFS 3.0
- F5 APM as SAML SP with kerberos SSO
When I imported ADFS metadata:
- SLO request URL was https://idp.company.com/adfs/ls
- SLO response URL was not set
With this configuration, SLO does not work.
I made it work by setting the SLO request and response URLs (generated by an iRule) to:
https://idp.company.com/adfs/ls/?wa=wsignout1.0&wreply=https%3a%2f%2fsp.company.com%2f
With this configuration, the requests are:
- GET https://sp.company.com/vdesk/hangup.php3
- POST https://idp.company.com/adfs/ls/?wa=wsignout1.0&wreply=https%3a%2f%2fsp.company.com%2f
- GET https://sp.company.com/saml/sp/profile/redirect/sls?SAMLRequest=.....
- POST https://idp.company.com/adfs/ls/?wa=wsignout1.0&wreply=https%3a%2f%2fsp.company.com%2f
After that, the session is removed from the Access sessions and the next request to the SP requires authentication against ADFS (the ADFS session was also closed).
But when the user accesses more than one application with ADFS auth, SLO seems to be disabled in ADFS. ADFS displays the "You have successfully signed out." message, but the session is still active in both ADFS and APM.
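An added example, not code from this thread or from F5, written in Python rather than iRule Tcl so it can run offline: it models the pieces the two replies above describe. It builds the wa=wsignout1.0 / wreply sign-out URL used for the SLO request and response endpoints, detects a sign-out request the way the posted iRule does (path /adfs/ls/ and wa=wsignout1.0, case-insensitive, wreply decoded), and generalizes the first reply's uuid-based lookup by clearing the user's sessions under every listed access profile rather than one, which is what the original question (sessions on VS_1 and VS_2 surviving a SharePoint logout) asks for. It also pins the wreply redirect to an allow-listed SP host, which the posted iRule does not; that check and the toy session table are assumptions for illustration. Hostnames match the thread; profile names and session ids are constructed placeholders.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample values: hostnames as in the thread, everything else a placeholder.
IDP_SIGNOUT_BASE = "https://idp.company.com/adfs/ls/"
SP_HOME = "https://sp.company.com/"
ALLOWED_WREPLY_HOSTS = {"sp.company.com"}
FALLBACK_URL = "https://portal.office.com"


def build_wsfed_signout_url(idp_base, wreply):
    """Build the WS-Federation sign-out URL used for both SLO request and response
    endpoints: wa=wsignout1.0 plus a percent-encoded wreply."""
    return idp_base + "?" + urlencode({"wa": "wsignout1.0", "wreply": wreply})


def parse_signout_request(path_and_query):
    """Mirror the iRule test: path must be /adfs/ls/ and wa must be wsignout1.0
    (both compared lower-case). Returns the decoded wreply, or None when the
    request is not a sign-out."""
    parts = urlsplit(path_and_query)
    if parts.path.lower() != "/adfs/ls/":
        return None
    qs = parse_qs(parts.query)
    if qs.get("wa", [""])[0].lower() != "wsignout1.0":
        return None
    return qs.get("wreply", [None])[0]  # parse_qs already percent-decodes


def safe_redirect_target(wreply, allowed_hosts, fallback):
    """Hardening assumption: only follow wreply when it is an absolute https URL on an
    allow-listed host; otherwise use the fixed fallback (the iRule redirects as-is)."""
    if not wreply:
        return fallback
    u = urlsplit(wreply)
    if u.scheme != "https" or u.hostname not in allowed_hosts:
        return fallback
    return wreply


class ApmSessionTable:
    """Toy model of APM sessions. Each session carries the '<profile>.<username>'
    uuid the first reply derives from PROFILE::access name and session.logon.last.username."""

    def __init__(self):
        self.sessions = {}  # sid -> {"uuid": ..., "vs": ...}

    def add(self, sid, profile, username, vs):
        self.sessions[sid] = {"uuid": f"{profile}.{username}", "vs": vs}

    def getsid(self, uuid):
        """Analogue of ACCESS::uuid getsid: all session ids sharing a uuid."""
        return [sid for sid, data in self.sessions.items() if data["uuid"] == uuid]

    def remove(self, sid):
        """Analogue of ACCESS::session remove <sid>."""
        self.sessions.pop(sid, None)


def handle_logout(table, profiles, username, request_uri, allowed_hosts, fallback):
    """On a WS-Fed sign-out, drop every APM session of this user under each listed
    access profile (one uuid lookup per profile, since the uuid embeds the profile
    name), then return the validated redirect target. Returns None if the request
    is not a sign-out, leaving the table untouched."""
    wreply = parse_signout_request(request_uri)
    if wreply is None:
        return None
    for profile in profiles:
        for sid in table.getsid(f"{profile}.{username}"):
            table.remove(sid)
    return safe_redirect_target(wreply, allowed_hosts, fallback)


if __name__ == "__main__":
    table = ApmSessionTable()
    table.add("sid-1", "sharepoint_ap", "kai", "VS_1")   # placeholder profile/session names
    table.add("sid-2", "adfs_dept1_ap", "kai", "VS_2")
    table.add("sid-3", "adfs_dept1_ap", "other", "VS_2")
    uri = "/adfs/ls/?wa=wsignout1.0&wreply=https%3a%2f%2fsp.company.com%2f"
    print(build_wsfed_signout_url(IDP_SIGNOUT_BASE, SP_HOME))
    print(handle_logout(table, ["sharepoint_ap", "adfs_dept1_ap"], "kai", uri,
                        ALLOWED_WREPLY_HOSTS, FALLBACK_URL))
    print(sorted(table.sessions))  # only sid-3 (a different user) remains
```

The per-profile loop is the point: ACCESS::uuid getsid keys on "<profile>.<username>", so a single lookup with the ADFS-facing profile will never find the SharePoint-facing session on VS_1, which is exactly the session the original question reports as surviving.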