APM/SAML Logout.
I have a customer that is having an issue with their SAML logouts.
Our Big IP is acting as the SP and reaching out to an external IdP. The customer then logs into WebsiteA and has access to multiple webapps within that website. If the user clicks logout in one of the webapps the IdP session is terminated, but no logout request is ever sent to our Big IP (the SP). However, if the user clicks logout in the webapp and then clicks logout on WebsiteA, they receive an error page and WebsiteA still never sends notification to our Big IP (SP) and we end up with orphan sessions. My customer has contractual requirements requiring these sessions to not end up in this state.
They are requesting a possible solution from our Big IP side, but I don't know enough about it, nor can I think of a logical way, that we would be able to log out a session. It seems like the configuration issues are on the IdP side, which are completely external to me.
Any thoughts?
Thanks.
Maybe this article is of use to you. It gives an overview about the SLO (single logout) process on the BIG-IP.
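To make the SLO exchange from the question concrete, here is an added example (not code from the thread, F5, or the linked article) of what a SAML 2.0 SP needs to receive and check before it can clear a session: a LogoutRequest from the IdP carrying the NameID and SessionIndex of the session to terminate, or, for SP-initiated logout, a LogoutResponse whose InResponseTo matches the request the SP sent and whose StatusCode is Success. The session table, entity IDs, URLs and all message contents are constructed for the example; signature verification, which a real SP such as APM performs on every SLO message, is deliberately left out so the message structure stays readable.

```python
"""SAML 2.0 single logout (SLO) on the SP side: a minimal, unsigned illustration.

Shows (1) the IdP-initiated LogoutRequest the SP would need to receive to
terminate a session, and (2) the SP-initiated LogoutRequest/LogoutResponse
pair with the checks the SP applies before clearing its own session state.
All identifiers, URLs and session entries below are constructed sample data.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"

ET.register_namespace("samlp", NS_SAMLP)
ET.register_namespace("saml", NS_SAML)

# Constructed SP session table: the SP records the NameID and SessionIndex
# from the IdP's assertion at login so it can match a later LogoutRequest.
SESSIONS = {
    "sp-sess-1": {"name_id": "alice@example.com", "session_index": "_idx-alice-001"},
    "sp-sess-2": {"name_id": "bob@example.com", "session_index": "_idx-bob-002"},
}


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_logout_request(issuer, destination, name_id, session_index):
    """Return (request_id, xml) for a LogoutRequest. Either side can issue one."""
    req_id = "_" + uuid.uuid4().hex
    root = ET.Element(f"{{{NS_SAMLP}}}LogoutRequest", {
        "ID": req_id, "Version": "2.0", "IssueInstant": _now(), "Destination": destination,
    })
    ET.SubElement(root, f"{{{NS_SAML}}}Issuer").text = issuer
    ET.SubElement(root, f"{{{NS_SAML}}}NameID").text = name_id
    ET.SubElement(root, f"{{{NS_SAMLP}}}SessionIndex").text = session_index
    return req_id, ET.tostring(root, encoding="unicode")


def build_logout_response(issuer, in_response_to, status_code):
    """Return the LogoutResponse XML an IdP (or SP) sends back for a LogoutRequest."""
    root = ET.Element(f"{{{NS_SAMLP}}}LogoutResponse", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _now(),
        "InResponseTo": in_response_to,
    })
    ET.SubElement(root, f"{{{NS_SAML}}}Issuer").text = issuer
    status = ET.SubElement(root, f"{{{NS_SAMLP}}}Status")
    ET.SubElement(status, f"{{{NS_SAMLP}}}StatusCode", {"Value": status_code})
    return ET.tostring(root, encoding="unicode")


def parse_logout_request(xml_text):
    """Extract (request_id, name_id, session_index) from an inbound LogoutRequest."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS_SAMLP}}}LogoutRequest":
        raise ValueError("not a samlp:LogoutRequest")
    name_id = root.findtext(f"{{{NS_SAML}}}NameID")
    if not name_id:
        raise ValueError("LogoutRequest without NameID")
    return root.get("ID"), name_id, root.findtext(f"{{{NS_SAMLP}}}SessionIndex")


def terminate_sessions_for(sessions, name_id, session_index=None):
    """Remove and return the SP sessions matched by a LogoutRequest.

    With a SessionIndex only that session is ended; without one, every
    session for the NameID is ended, which is what the SAML core spec allows.
    """
    matched = [
        key for key, s in sessions.items()
        if s["name_id"] == name_id and (session_index is None or s["session_index"] == session_index)
    ]
    for key in matched:
        del sessions[key]
    return matched


def logout_response_is_success(xml_text, expected_in_response_to):
    """SP-side check on a LogoutResponse: correct correlation ID and Success status."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS_SAMLP}}}LogoutResponse":
        return False
    # An unsolicited or mis-correlated response must not clear any session.
    if root.get("InResponseTo") != expected_in_response_to:
        return False
    code = root.find(f"{{{NS_SAMLP}}}Status/{{{NS_SAMLP}}}StatusCode")
    return code is not None and code.get("Value") == STATUS_SUCCESS


if __name__ == "__main__":
    # IdP-initiated SLO: the message the question says never reaches the SP.
    _, idp_req = build_logout_request("https://idp.example.test", "https://sp.example.test/slo",
                                      "alice@example.com", "_idx-alice-001")
    _, nid, idx = parse_logout_request(idp_req)
    print("IdP LogoutRequest ended:", terminate_sessions_for(dict(SESSIONS), nid, idx))

    # SP-initiated SLO: request out, response back, checked before clearing state.
    req_id, _ = build_logout_request("https://sp.example.test", "https://idp.example.test/slo",
                                     "bob@example.com", "_idx-bob-002")
    resp = build_logout_response("https://idp.example.test", req_id, STATUS_SUCCESS)
    print("SP-initiated SLO succeeded:", logout_response_is_success(resp, req_id))
```

The point for the situation in the question: if neither message arrives at the SP, nothing in `SESSIONS` is ever removed, regardless of what the IdP did locally. The SP can only enforce the contractual requirement if the IdP actually delivers a LogoutRequest (IdP-initiated SLO) or the application triggers an SP-initiated logout that the IdP answers; the checks above are what the SP applies when one of those messages does arrive.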