For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

THi's avatar
THi
Icon for Nimbostratus rankNimbostratus
Jun 30, 2014

AzureAD as SAML IdP / logout problem

I have set up MS AzureAD as a SAML IdP and local BIG-IP APM VIP as SAML SP. SAML federation/login to SP goes ok, but how to do SAML logout request to AzureAD? Azure assumes a signed SAML logout reque...
BIG-IP Access Policy Manager (APM)
microsoft
security
windows azure
THi's avatar
THi
Icon for Nimbostratus rankNimbostratus
Sep 01, 2014

A couple of notes:

 

  • support confirmed me that the logout request IS signed, if the request is signed.

     

  • I tested first signing the request, then taking the ticker off, but keeping the cert/key info. So sending unsigned authn request, and signed logout request. Confirmed this with SAML tracer. (running 11.5.1 HF3).

     

  • Earlier in the Summer Azure gave me an error page when trying to do the SLO with this setup. Last week I started testing again - now Azure accepts the logout and SAML tracer shows respective SAML tokens... have they done something?

     

  • But for some reason after the successful logout request Azure is not redirecting back to the APM SP page specified in the SP metadata, but to O365 login page...so still a bit of work to do