Forum Discussion

gdoyle's avatar
Icon for Cirrostratus rankCirrostratus
Jun 11, 2019

APM/SAML Logout.

I have a customer that is having an issue with their SAML logouts.

Our Big IP is acting as the SP and reaching out to an external IdP. The customer then logs into WebsiteA and has access to multiple webapps within that website. If the user clicks logout in one of the webapps the IdP session is terminated, but no logout request is ever sent to our Big IP (the SP). However, if the user clicks logout in the webapp and then clicks logout on WebsiteA, they receive an error page and WebsiteA still never sends notification to our Big IP (SP) and we end up with orphan sessions. My customer has contractual requirements requiring these sessions to not end up in this state.


They are requesting a possible solution from our Big IP side, but I don't know enough about it, nor can I think of a logical way, that we would be able to logout a session. It seems like the configuration issues are on the IdP side, which are completely external to me.


Any thoughts?



3 Replies

    • gdoyle's avatar
      Icon for Cirrostratus rankCirrostratus

      Thank you for that response, Niels. I have reviewed that article previously which is why I believe the issue is with improper configuration/coding on the IdP side. As far as I understand it, it is the responsibility of the IdP to validate logouts and notify any/all relevant SPs of the logouts that occur.

      • Yes, I agree. For both SP-initiated and IDP-initiated SLO it reads:


        The IdP validates the request and send new POST Logout Request messages to all other participant SPs.