Forum Discussion
Kai_Wilke
Apr 13, 2017, MVP
APM SP with ADFS Single-Log-Out
Hi Folks, I'd like to ask for a working sample configuration to perform a SAML-based Single-Log-Out. Scenario: VS_1
-> APM Policy with SAML Pre-Auth via multiple ADFS server(s)
...
Stanislas_Piro2
Apr 13, 2017, Cumulonimbus
Kai,
Here is the iRule I used to secure ADFS servers behind APM... it uses SLO detection to close the APM session and redirect to the SLO reply address.
when HTTP_REQUEST {
    set keepua 0
    # For external Lync client access all external requests to the
    # /trust/mex URL must be routed to /trust/proxymex. Analyze and modify the URI
    # where appropriate
    HTTP::uri [string map {/trust/mex /trust/proxymex} [HTTP::uri]]
    # Analyze the HTTP request and disable access policy enforcement for WS-Trust calls
    if {[HTTP::uri] contains "/adfs/services/trust"} {
        ACCESS::disable
    }
    # OPTIONAL ---- To allow publishing of the federation service metadata
    if {[HTTP::uri] ends_with "FederationMetadata/2007-06/FederationMetadata.xml"} {
        ACCESS::disable
    }
}
when ACCESS_ACL_ALLOWED {
    # Change User-Agent to Internet Explorer 11 User-Agent
    HTTP::header replace "User-Agent" "Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko msie7"
    # If authenticated request matches ADFS SLO URI, close APM session and redirect to URI stored in query parameter "wreply"
    if { ([string tolower [HTTP::path]] equals "/adfs/ls/") && ([string tolower [URI::query [HTTP::uri] wa]] equals "wsignout1.0") } {
        set redirect_uri [URI::decode [URI::query [HTTP::uri] wreply]]
        ACCESS::session remove
        ACCESS::respond 302 noserver Location $redirect_uri
        return
    }
}
when ACCESS_SESSION_STARTED {
    # If new session matches ADFS SLO URI, close APM session and redirect to URI stored in query parameter "wreply"
    set landinguri [ACCESS::session data get session.server.landinguri]
    if { ([string tolower $landinguri] starts_with "/adfs/ls/") && ([string tolower [URI::query $landinguri wa]] equals "wsignout1.0") } {
        set redirect_uri [URI::decode [URI::query $landinguri wreply]]
        ACCESS::respond 302 noserver Location $redirect_uri
        ACCESS::session remove
        return
    } elseif {!([string tolower $landinguri] starts_with "/adfs/")} {
        ACCESS::respond 302 noserver Location "https://portal.office.com"
        ACCESS::session remove
    }
}
when ACCESS_POLICY_COMPLETED {
    if { ([ACCESS::policy result] equals "deny") } {
        ACCESS::respond 302 noserver Location "https://portal.office.com"
        ACCESS::session remove
    }
}
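The sign-out detection above, as an added Python model that is not part of the iRule in the post: it reproduces the `/adfs/ls/` plus `wa=wsignout1.0` test and adds the check the iRule does not perform, an allow-list for the `wreply` host, so the post-logout redirect only ever points at a known portal. `ALLOWED_WREPLY_HOSTS`, `FALLBACK_PORTAL` and the sample URIs are constructed for the example.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit, parse_qs

# Constructed allow-list: hosts a WS-Federation sign-out may send the browser back to.
ALLOWED_WREPLY_HOSTS = {"login.microsoftonline.com", "portal.office.com"}
# Same fallback the iRule uses for non-ADFS landing URIs and denied policies.
FALLBACK_PORTAL = "https://portal.office.com"


def is_wsfed_signout(uri: str) -> bool:
    """Mirror the iRule test: path is exactly /adfs/ls/ and wa=wsignout1.0 (case-insensitive)."""
    parts = urlsplit(uri)
    if parts.path.lower() != "/adfs/ls/":
        return False
    # parse_qs already percent-decodes values, so no separate decode step is needed.
    query = parse_qs(parts.query)
    return any(v.lower() == "wsignout1.0" for v in query.get("wa", []))


def signout_redirect(uri: str) -> str:
    """Where to send the browser after the APM session is removed.

    The iRule redirects to whatever wreply contains; here the target must be an
    https URL on an allow-listed host, otherwise the portal is used instead.
    """
    query = parse_qs(urlsplit(uri).query)
    wreply = query.get("wreply", [""])[0]
    target = urlsplit(wreply)
    host = (target.hostname or "").lower()
    if target.scheme == "https" and host in ALLOWED_WREPLY_HOSTS:
        return wreply
    return FALLBACK_PORTAL


def handle_request(uri: str) -> Tuple[str, Optional[str]]:
    """One decision per request, following the iRule's ACCESS_SESSION_STARTED branches:
    ('slo', redirect) for a sign-out, ('pass', None) for other ADFS paths,
    ('redirect', portal) for a landing URI outside /adfs/."""
    if is_wsfed_signout(uri):
        return ("slo", signout_redirect(uri))
    if uri.lower().startswith("/adfs/"):
        return ("pass", None)
    return ("redirect", FALLBACK_PORTAL)


if __name__ == "__main__":
    # Constructed sample landing URIs.
    for sample in ("/adfs/ls/?wa=wsignout1.0&wreply=https%3A%2F%2Fportal.office.com%2F",
                   "/adfs/ls/?wa=wsignout1.0&wreply=https%3A%2F%2Fnot-allowed.example%2F",
                   "/adfs/services/trust/mex", "/owa/"):
        print(sample, "->", handle_request(sample))
```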