SAML: F5 as SP, Azure as IdP Problems with SLO
We use the F5 as SAML SP and Azure as SAML IdP.
The SSO part runs well; only the SLO causes problems.
When I use the ResponseLocation URL (/saml/sp/profile/redirect/slr) from the metadata XML for the "Logout Url" (in Azure), the SP-initiated SLO (Logout button on the Webtop) works, but the IdP-initiated SLO (logout in Azure) will not end the F5 session; the APM log shows "SLO Request is received on SLO Response URL".
Looking in more detail at the assertion, we can see that Azure sends on an SP SLO "<samlp:LogoutResponse ..." and on an IdP SLO "<samlp:LogoutRequest ...", so F5 should be able to find the correct "Option", but it is only looking at the URL, and Azure gives no way to enter a second URL.
When I use the Location URL (/saml/sp/profile/redirect/sls) in Azure, it is the other way around.
In Azure the help text suggests using the response URL.
The SAML RFC is also not very helpful; it "only" describes the content.
Tests with the "new" iRule events ACCESS_SAML_.... do not bring any new insights either; ACCESS_SAML_SLO_REQ and ACCESS_SAML_SLO_RESP look like they are fired based on the URI and not the Option in the assertion.
Is there a way to decode (and deflate) the assertion in an iRule to read the SLO option and set the URI the F5 expects, or any other idea how we can solve the problem?
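The decoding the question asks about, shown as an added Python example (not iRule code and not from the original post): the HTTP-Redirect binding carries the SAML message as raw DEFLATE, base64 and URL-encoded in the SAMLRequest or SAMLResponse parameter, so inflating it reveals whether the IdP sent a LogoutRequest or a LogoutResponse. The sample messages are constructed and minimal, and the path mapping is an assumption built from the two SP endpoints named in the question.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed mapping from SLO message type to the F5 SP endpoint from the question:
# LogoutRequest belongs on the metadata Location, LogoutResponse on ResponseLocation.
ENDPOINT_FOR = {
    "LogoutRequest": "/saml/sp/profile/redirect/sls",
    "LogoutResponse": "/saml/sp/profile/redirect/slr",
}

def deflate_b64(xml_text):
    """HTTP-Redirect binding encoding: raw DEFLATE (wbits=-15, no zlib header), then base64."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml_text.encode()) + c.flush()).decode()

def inflate_b64(value):
    """Reverse of deflate_b64: base64-decode, then raw-inflate."""
    return zlib.decompress(base64.b64decode(value), -15).decode()

def classify_slo(url):
    """Report which samlp element the redirect carries and which SP path it belongs on.
    Inspection only: the Signature/SigAlg query parameters are not verified here."""
    q = parse_qs(urlsplit(url).query)
    param = next((p for p in ("SAMLRequest", "SAMLResponse") if p in q), None)
    if param is None:
        raise ValueError("no SAMLRequest or SAMLResponse parameter in query")
    root = ET.fromstring(inflate_b64(q[param][0]))
    local = root.tag.rsplit("}", 1)[-1]  # strip the {namespace} prefix
    if local not in ENDPOINT_FOR:
        raise ValueError(f"not a single-logout message: {local}")
    return {"param": param, "message": local, "expected_path": ENDPOINT_FOR[local]}

def build_redirect_url(path, param, xml_text):
    """Constructed test helper: encode a message the way an IdP redirect would."""
    return path + "?" + urlencode({param: deflate_b64(xml_text)})

# Constructed sample messages (unsigned, trimmed to the elements that matter here)
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
LOGOUT_REQUEST = (f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" ID="_req1" Version="2.0" '
                  'IssueInstant="2024-01-01T00:00:00Z">'
                  '<samlp:SessionIndex>_sess1</samlp:SessionIndex></samlp:LogoutRequest>')
LOGOUT_RESPONSE = (f'<samlp:LogoutResponse xmlns:samlp="{SAMLP}" ID="_resp1" Version="2.0" '
                   'IssueInstant="2024-01-01T00:00:00Z" InResponseTo="_req0"><samlp:Status>'
                   f'<samlp:StatusCode Value="{SAMLP}:Success"/></samlp:Status></samlp:LogoutResponse>')

if __name__ == "__main__":
    # Both arrive on the single URL Azure allows; the element, not the path, tells them apart.
    for param, msg in (("SAMLRequest", LOGOUT_REQUEST), ("SAMLResponse", LOGOUT_RESPONSE)):
        print(classify_slo(build_redirect_url("/saml/sp/profile/redirect/slr", param, msg)))
```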
Have you seen the guide below, as it says the SLO URL is /saml/sp/profile/redirect/slo?
------
From TMOS v16 the SAML SLO endpoint has changed to ./saml/sp/profile/redirect/slo
----------
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/f5-big-ip-header-advanced