APM SP with ADFS Single-Log-Out
Hi Kai,
I am working on a configuration with:
- ADFS 3.0
- F5 APM as SAML SP with Kerberos SSO
When I imported ADFS metadata:
- SLO request URL was https://idp.company.com/adfs/ls
- SLO response URL was not set
With this configuration, SLO does not work.
I made it work by setting the SLO request and response URLs to (made by iRule):
https://idp.company.com/adfs/ls/?wa=wsignout1.0&wreply=https%3a%2f%2fsp.company.com%2f
With this configuration, the requests are:
- GET https://sp.company.com/vdesk/hangup.php3
- POST https://idp.company.com/adfs/ls/?wa=wsignout1.0&wreply=https%3a%2f%2fsp.company.com%2f
- GET https://sp.company.com/saml/sp/profile/redirect/sls?SAMLRequest=.....
- POST https://idp.company.com/adfs/ls/?wa=wsignout1.0&wreply=https%3a%2f%2fsp.company.com%2f
After that, the session is removed from Access session and the next request to the SP requires authentication against ADFS (the ADFS session was also closed).
But when the user accesses more than 1 application with ADFS Auth, SLO seems to be disabled in ADFS. ADFS displays the "You have successfully signed out." message but the session is still active in both ADFS and APM.
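
The request trace in the post mixes two logout mechanisms: the `wa=wsignout1.0` URLs are WS-Federation passive sign-out, while the `/saml/sp/profile/redirect/sls?SAMLRequest=` call carries a SAML message. The following is an added troubleshooting example, not part of the original post and not F5 or Microsoft code: it classifies each captured URL and decodes the SAML message so the `Issuer` and `SessionIndex` can be checked. It assumes the HTTP-Redirect binding (raw DEFLATE plus base64) and that the message is a `LogoutRequest`; the sample message and all values inside it are constructed placeholders.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, quote

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed LogoutRequest; every value below is a placeholder, not captured data.
SAMPLE = (
    f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="_constructed-id" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">'
    '<saml:Issuer>IDP-ENTITY-ID-PLACEHOLDER</saml:Issuer>'
    '<saml:NameID>user@example.invalid</saml:NameID>'
    '<samlp:SessionIndex>_constructed-session-index</samlp:SessionIndex>'
    '</samlp:LogoutRequest>'
)

def encode_redirect(xml_text):
    """Raw DEFLATE then base64, as the SAML HTTP-Redirect binding encodes messages."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()

def decode_redirect(value):
    """Reverse of encode_redirect: base64-decode, then raw inflate."""
    return zlib.decompress(base64.b64decode(value), -15).decode()

def classify(url):
    """Report which logout protocol a captured URL belongs to and its key fields."""
    q = parse_qs(urlsplit(url).query)
    if q.get("wa") == ["wsignout1.0"]:
        return {"protocol": "WS-Federation sign-out", "wreply": q.get("wreply", [None])[0]}
    for param in ("SAMLRequest", "SAMLResponse"):
        if param in q:
            # ElementTree is fine for this constructed sample; use defusedxml on real captures.
            root = ET.fromstring(decode_redirect(q[param][0]))
            return {
                "protocol": "SAML 2.0 SLO",
                "message": root.tag.split("}")[1],
                "issuer": root.findtext(f"{{{SAML}}}Issuer"),
                "session_index": root.findtext(f"{{{SAMLP}}}SessionIndex"),
            }
    return {"protocol": "other"}

WSFED = "https://idp.company.com/adfs/ls/?wa=wsignout1.0&wreply=https%3a%2f%2fsp.company.com%2f"
SLS = "https://sp.company.com/saml/sp/profile/redirect/sls?SAMLRequest=" + quote(encode_redirect(SAMPLE), safe="")

if __name__ == "__main__":
    for u in (WSFED, SLS):
        print(classify(u))
```

Run against a real capture, the `session_index` and `issuer` values show which IdP session the logout message refers to, which is the detail to compare when a second relying party is involved.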