Removing the SAML assertion from the APM session
Hi all,
I have the F5 APM 11.6 configured as the SAML IdP. I configured an external SP, and the login SSO is working as expected. When the user hits the logout button from the external application, the session and the SAML assertion are not removed from the APM, so the user is redirected right back into the external application. Has anybody seen this before? I configured the Single Logout Request URL for the application logout button URL and the Single Logout Response URL to /vdesk/hangup.php3 from the SP connector, but nothing seems to happen.
- Gianrico (Employee)
You must configure SAML SLO (Single Logout). If your SP does not support it, you must create a solution of your own for calling the IdP logout page (vdesk/hangup.php3) upon logout from the SP.
- Gianrico_D_Ang1 (Historic F5 Account)
- Peter_Baumann (Cirrostratus)
Thanks for this! Where can I find this in the manual? I set this now, but SLO still doesn't work. I get the following error:
Jun 25 11:33:05 bigip1 warning tmm2[11400]: 014d0002:4: 8d563c55: SSOv2 Unsupported method used for SLO Request
Any ideas?
- Gianrico_D_Ang1 (Historic F5 Account)
Hi Peter
APM only supports SAML POST bindings for SLO messages.
Your SP is probably using Redirect binding. You have to configure your SP to use POST binding for SLO messages.
Regarding where to find the SLO URI, I could actually not find it in the manual. You should open a ticket and ask for a doc update.
Anyway for reference:
APM as IDP
APM as SP
thanks
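
A way to check the binding mismatch described in the reply above before touching the APM side. This is an added example, not part of the thread or of F5's documentation: it reads an SP's SAML 2.0 metadata and reports whether the SP advertises a POST-binding SLO endpoint. The sample metadata, entity ID and URLs are constructed, and using Location and ResponseLocation as the values for the SP connector's Single Logout Request URL and Single Logout Response URL is an assumption.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed SP metadata: entity ID and URLs are hypothetical.
REDIRECT_ONLY_SP = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://sp.example.com/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://sp.example.com/saml/slo"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Same SP after a POST SLO endpoint has been enabled (also constructed).
FIXED_SP = REDIRECT_ONLY_SP.replace(
    "</md:SPSSODescriptor>",
    '<md:SingleLogoutService Binding="%s" Location="https://sp.example.com/saml/slo-post"'
    ' ResponseLocation="https://sp.example.com/saml/slo-post/resp"/>'
    "</md:SPSSODescriptor>" % POST,
)


def slo_endpoints(metadata_xml):
    """Return (binding, request_url, response_url) for each SP SLO endpoint."""
    root = ET.fromstring(metadata_xml.strip())
    found = []
    for sp in root.iter(MD + "SPSSODescriptor"):
        for svc in sp.findall(MD + "SingleLogoutService"):
            loc = svc.get("Location")
            # ResponseLocation is optional; responses go to Location without it.
            found.append((svc.get("Binding"), loc, svc.get("ResponseLocation", loc)))
    return found


def check_for_post_only_idp(metadata_xml):
    """Classify an SP's SLO support against an IdP that accepts POST only."""
    endpoints = slo_endpoints(metadata_xml)
    post = [e for e in endpoints if e[0] == POST]
    if post:
        _, req, resp = post[0]
        return {"status": "ok", "request_url": req, "response_url": resp}
    if any(e[0] == REDIRECT for e in endpoints):
        return {"status": "redirect_only", "request_url": None, "response_url": None}
    return {"status": "no_slo", "request_url": None, "response_url": None}
```

A `redirect_only` result matches the situation in the thread: the SP has to be reconfigured to send SLO messages over POST. Only parse metadata you obtained from the SP over a trusted channel.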