Forum Discussion
AzureAD as SAML IdP / logout problem
I have set up MS AzureAD as a SAML IdP and a local BIG-IP APM VIP as SAML SP. SAML federation/login to the SP goes OK, but how do I do a SAML logout request to AzureAD? Azure assumes a signed SAML logout request and not a signed authentication request. Is there any way to sign the logout request?
3 Replies
- THi
Nimbostratus
A couple of notes:
- Support confirmed to me that the logout request IS signed, if the request is signed.
- I tested first signing the request, then taking the tick off, but keeping the cert/key info. So sending an unsigned authn request, and a signed logout request. Confirmed this with SAML tracer (running 11.5.1 HF3).
- Earlier in the summer Azure gave me an error page when trying to do the SLO with this setup. Last week I started testing again - now Azure accepts the logout and SAML tracer shows the respective SAML tokens... have they done something?
- But for some reason after the successful logout request Azure is not redirecting back to the APM SP page specified in the SP metadata, but to the O365 login page... so still a bit of work to do.
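As an added illustration of what a "signed logout request" over the SAML HTTP-Redirect binding actually is (this is example code, not code from the thread, from F5 APM or from Microsoft): the SP DEFLATEs and base64-encodes the LogoutRequest, signs the URL-encoded `SAMLRequest`, `RelayState` and `SigAlg` parameters in that order, and appends `Signature`; the IdP side then refuses unsigned requests, pins the expected `SigAlg`, verifies over the raw query bytes it received and only then inflates the XML. The LogoutRequest XML, request ID, tenant, URLs, RelayState and the RSA key are constructed placeholders. Standard library only.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"io"
	"net/url"
	"strings"
)

// Constructed sample LogoutRequest; ID, tenant and URLs are placeholders, not values from the thread.
const logoutRequestXML = `<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ` +
	`xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_PLACEHOLDER-REQUEST-ID" Version="2.0" ` +
	`IssueInstant="2015-09-01T12:00:00Z" Destination="https://login.microsoftonline.com/PLACEHOLDER-TENANT/saml2">` +
	`<saml:Issuer>https://sp.example.com/saml/sp</saml:Issuer><saml:NameID>user@example.com</saml:NameID></samlp:LogoutRequest>`

const sigAlgRSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// deflateBase64 applies the HTTP-Redirect binding encoding: raw DEFLATE (RFC 1951), then base64.
func deflateBase64(xml string) (string, error) {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression) // only errors on an invalid level
	w.Write([]byte(xml))                                     // writes into a bytes.Buffer cannot fail
	if err := w.Close(); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(buf.Bytes()), nil
}

// inflateBase64 reverses deflateBase64, as the IdP does before parsing the XML.
func inflateBase64(s string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(s)
	if err != nil {
		return "", err
	}
	xml, err := io.ReadAll(flate.NewReader(bytes.NewReader(raw)))
	return string(xml), err
}

// SignLogoutRequest builds the query string the SP redirects the browser with. The signature
// covers SAMLRequest, RelayState (if any) and SigAlg, URL-encoded and in that order.
func SignLogoutRequest(xml, relayState string, key *rsa.PrivateKey) (string, error) {
	encoded, err := deflateBase64(xml)
	if err != nil {
		return "", err
	}
	input := "SAMLRequest=" + url.QueryEscape(encoded)
	if relayState != "" {
		input += "&RelayState=" + url.QueryEscape(relayState)
	}
	input += "&SigAlg=" + url.QueryEscape(sigAlgRSASHA256)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// VerifyLogoutRequest is the IdP-side check: refuse unsigned requests and unexpected SigAlg values,
// verify over the raw query bytes as received (never over re-encoded values), then decode the XML.
func VerifyLogoutRequest(query string, pub *rsa.PublicKey) (string, error) {
	idx := strings.Index(query, "&Signature=")
	if idx < 0 {
		return "", fmt.Errorf("unsigned LogoutRequest rejected")
	}
	vals, err := url.ParseQuery(query)
	if err != nil {
		return "", err
	}
	if vals.Get("SigAlg") != sigAlgRSASHA256 {
		return "", fmt.Errorf("unsupported SigAlg %q", vals.Get("SigAlg"))
	}
	sig, err := base64.StdEncoding.DecodeString(vals.Get("Signature"))
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256([]byte(query[:idx]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", fmt.Errorf("signature check failed: %w", err)
	}
	return inflateBase64(vals.Get("SAMLRequest"))
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // SP signing key; a real SP loads it from its keystore
	query, err := SignLogoutRequest(logoutRequestXML, "state-1", key)
	if err != nil {
		panic(err)
	}
	xml, err := VerifyLogoutRequest(query, &key.PublicKey)
	fmt.Println(xml, err)
}
```

The four parameters `SignLogoutRequest` emits (`SAMLRequest`, `RelayState`, `SigAlg`, `Signature`) are exactly what a SAML tracer shows on the redirect to the IdP's SLO endpoint, so their presence or absence is the quickest way to confirm whether the SP is signing the logout request. On the verifying side the two deliberate choices are to hash the query bytes as received rather than re-encoding decoded values (different URL encoders produce different bytes, and a verifier that re-encodes can be talked into checking a string the SP never signed) and to compare `SigAlg` against a fixed expected value rather than trusting whatever the request names.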
- Kevin_Stewart
Employee
The exported Azure IdP metadata should already have the SLO URIs in it, so you should see these values when you import as an external IdP connector in your APM SP config. I can't imagine that a separate metadata export would be required. As for Azure supporting signed authn requests, it also stands to reason that if it supports signed logout requests, it should also support the same for authn.
- Kevin_Stewart
Employee
That's an interesting question, I'd have to say no. I haven't worked with Azure in a while, but will it accept/ignore a signed authentication request?