Forum Discussion
BIG-IP as Service Provider (SP) with external Identity Provider (IdP)
I have successfully set up SSO/SAML with BIG-IP acting as a Service Provider (SP) and using an external Identity Provider (IdP).
When I open a portal URL in a web browser, I can see how F5 is responding with a redirect to '/my.policy'. I also can see the response to '/my.policy', which is JavaScript that either performs another redirect (in case of SAML redirect binding) or a form submit (in case of SAML POST binding) to send the SAML Request to the external IdP.
On the external IdP I can log in successfully, and then I can see how the IdP returns a page which performs a form submit (in case of SAML POST binding) to send the SAML Response to F5 at the URL '.../saml/sp/profile/post/acs'. Then the F5 sends another redirect to the web browser to the actual SP URL requested in the first place.
So SSO via SAML 2.0 works fine.
As a next step I want to set up global logout using SAML 2.0.
On my portal I want to place a logout link. When the user clicks on the logout link, I somehow expect that the F5 SP configuration allows me to configure e.g. the path of the logout URL, so the F5 can catch this particular URL and then perform a global logout by sending a SAML request (LogoutRequest) to the IdP and then receiving a LogoutResponse from the IdP (as described in the SAML 2.0 specification http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf, line 2529).
On the F5 in the Access Profile (tab "Properties", section "Configuration") I found the "Logout URI Include" configuration item. For my testing I added a URI which also exists on the portal. When opening the URI in the browser I can see that the F5 is expiring the F5 browser session cookies. That's fine; I assume here that the F5 SP session is ended by that.
However, the F5 is not performing a SAML logout by sending a SAML Request (LogoutRequest) to the external IdP. That means the external IdP session (represented by a session cookie set by the external IdP) is still valid.
Now when requesting a portal URL, the F5 notices that there is no F5 SP session and sends a SAML Request (Authentication Request) to the external IdP. The external IdP receives the SAML Request and recognizes that there is already an existing IdP session (represented by an IdP session cookie). So from an IdP point of view the user is still logged in, which means the IdP does not show a login page; instead the IdP immediately returns the SAML Response to the F5, and the F5 returns the portal page.
How and where can I configure that the F5 is sending a SAML 2.0 logout request to the external IdP?
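The SP-initiated Single Logout exchange the question describes, as an added example that is not part of the original post and not F5 code: the SP builds a LogoutRequest carrying the NameID and SessionIndex from the earlier login, sends it to the IdP over the HTTP-Redirect binding, and accepts the IdP's LogoutResponse only if it answers that exact request and reports Success. The entity IDs, URLs and the sample LogoutResponse are constructed; the messages are unsigned here, whereas a real deployment signs them and the signature must be verified before the checks below.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def build_logout_request(sp_entity_id, idp_slo_url, name_id, session_index, request_id=None):
    """Return (request_id, xml) for an SP-initiated LogoutRequest; values are XML-escaped."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    dest = escape(idp_slo_url, {'"': "&quot;"})
    xml = (f'<samlp:LogoutRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" Destination="{dest}">'
           f'<saml:Issuer>{escape(sp_entity_id)}</saml:Issuer>'
           f'<saml:NameID>{escape(name_id)}</saml:NameID>'
           f'<samlp:SessionIndex>{escape(session_index)}</samlp:SessionIndex>'
           '</samlp:LogoutRequest>')
    return request_id, xml


def redirect_binding_url(idp_slo_url, xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode as SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return idp_slo_url + ("&" if "?" in idp_slo_url else "?") + urlencode(params)


def decode_redirect_binding(url, param="SAMLRequest"):
    """Reverse of redirect_binding_url, as the IdP (or a debugging proxy) would do it."""
    raw = base64.b64decode(parse_qs(urlparse(url).query)[param][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def logout_response_ok(response_xml, expected_request_id, expected_idp_entity_id):
    """True only if the response answers our request, names our IdP and reports Success."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}LogoutResponse" % NS["samlp"]:
        return False
    if root.get("InResponseTo") != expected_request_id:   # replay / mismatched-request check
        return False
    if root.findtext("saml:Issuer", namespaces=NS) != expected_idp_entity_id:
        return False
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    return code is not None and code.get("Value") == SUCCESS


# Constructed sample of an IdP LogoutResponse (not captured from a real IdP).
SAMPLE_LOGOUT_RESPONSE = (
    f'<samlp:LogoutResponse xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
    'ID="_idp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" InResponseTo="_req1">'
    '<saml:Issuer>https://idp.example.com/metadata</saml:Issuer>'
    f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
    '</samlp:LogoutResponse>')
```

Without the InResponseTo and Issuer checks, any LogoutResponse presented to the SP's SLO endpoint would be accepted, so they are what separate a real IdP answer from a stray or replayed one.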