Forum Discussion
SAML: F5 as SP, Azure as IdP Problems with SLO
We use the F5 as SAML SP and Azure as SAML IdP.
The SSO part runs well only the SLO makes problems.
When I use the ResponseLocation URL (/saml/sp/profile/redirect/slr) from the metadata XML for the "Logout Url" (in Azure), the SP-initiated SLO (Logout button on the Webtop) works, but the IdP-initiated SLO (logout in Azure) will not end the F5 session; the APM log shows "SLO Request is received on SLO Response URL".
Looking in more detail at the assertion, we can see that Azure sends on an SP SLO a "<samlp:LogoutResponse..." and on an IdP SLO a "<samlp:LogoutRequest", so F5 should be able to find the correct "Option", but it is only looking at the URL, and Azure gives no way to enter a second URL.
When I use the Location URL (/saml/sp/profile/redirect/sls) in Azure, it is the other way around.
In Azure the Help Text suggests using the response url.
The SAML RFC is also not very helpful; it "only" describes the content.
Tests with the "new" iRule events ACCESS_SAML_... do not bring any new insights either; ACCESS_SAML_SLO_REQ and ACCESS_SAML_SLO_RESP look like they are fired via the URI and not via the Option in the assertion.
Is there a way to decode (and deflate) the assertion in an iRule to read the SLO option and to set the F5 expected URI, or any other idea how we can solve the problem?
Have you seen the guide below, as it is saying the SLO URL is /saml/sp/profile/redirect/slo ?
------
From TMOS v16 the SAML SLO endpoint has changed to
./saml/sp/profile/redirect/slo
----------
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/f5-big-ip-header-advanced
- jk20004Cirrus
This is exactly the info I was looking for, thanks!
The only problem is that we are still on 15 and can not go to 16 because there is a bug with the OneConnect profile that F5 can not / will not solve, but we hope for the next 17 release.
---------------
Still you can try to follow the Microsoft guide even for 15.1.x or 16.1.x (upgrade to the latest ones), as you have configured the correct old logout URL. F5 and Microsoft have great integrations and they are partners, so SLO should work with Azure; as you see, even Microsoft has a guide for F5 APM. If needed, open cases with F5 and Microsoft if the guide does not help, as per the Microsoft Azure guide the Azure SLO should work with F5 APM.
---------------
Service Provider settings for SLO
Redirect Binding URLs for SLO:
- Settings for SP Single Logout Request: https://idp.hostname.com/saml/idp/profile/redirect/sls
- Settings for SP Single Logout Response: https://idp.hostname.com/saml/idp/profile/redirect/slr
POST Binding URLs for SLO:
- Settings for SP Single Logout Request: https://idp.hostname.com/saml/idp/profile/post/sls
- Settings for SP Single Logout Response: https://idp.hostname.com/saml/idp/profile/post/slr
--------------
Overview of the SAML Single Logout (SLO) URLs (f5.com)
- jk20004Cirrus
The necessary error messages are already visible in the log, and we have already successfully decoded the assertion.
The problem is that Azure does not have one SLO URL for the request and one for the response. An attempt to correct the request URL also fails because F5 additionally looks at the URL in the assertion, and to correct that we only found the way via iRuleLX, but there we have no experience, also in terms of performance and interaction. (SLO at Azure only works with the assertion in the URL as a parameter, and there compression is used.)
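The decoding the two posts above describe (redirect binding: URL-decode, base64-decode, raw-inflate, then read the root element) can be checked offline before touching an iRule. The following Python is an added example, not code from the thread or from F5; the LogoutRequest/LogoutResponse XML and the endpoint mapping to /sls and /slr are constructed from what the thread states about the SP metadata.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed samples, shaped like what the thread says Azure sends:
# a LogoutRequest on IdP-initiated SLO, a LogoutResponse on SP-initiated SLO.
LOGOUT_REQUEST = (
    f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_req1" Version="2.0" IssueInstant="2023-01-01T00:00:00Z">'
    '<saml:Issuer>https://sts.windows.net/example-tenant/</saml:Issuer>'
    '<saml:NameID>user@example.com</saml:NameID></samlp:LogoutRequest>'
)
LOGOUT_RESPONSE = (
    f'<samlp:LogoutResponse xmlns:samlp="{SAMLP}" ID="_resp1" Version="2.0" '
    'IssueInstant="2023-01-01T00:00:01Z" InResponseTo="_req0"><samlp:Status>'
    '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
    '</samlp:Status></samlp:LogoutResponse>'
)

# SP endpoints from the metadata quoted in the question (redirect binding).
SP_ENDPOINT = {"LogoutRequest": "/saml/sp/profile/redirect/sls",
               "LogoutResponse": "/saml/sp/profile/redirect/slr"}


def encode_redirect_binding(xml_text: str, param: str = "SAMLRequest") -> str:
    """Build a redirect-binding query string: raw DEFLATE (no zlib header), base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, as SAML redirect binding uses
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return urllib.parse.urlencode({param: base64.b64encode(deflated).decode("ascii")})


def decode_redirect_binding(query: str) -> ET.Element:
    """Reverse the redirect binding and return the parsed root element."""
    params = urllib.parse.parse_qs(query)
    for param in ("SAMLRequest", "SAMLResponse"):
        if param in params:
            raw = base64.b64decode(params[param][0])
            return ET.fromstring(zlib.decompress(raw, -15))
    raise ValueError("no SAMLRequest/SAMLResponse parameter in query")


def classify_slo(query: str) -> str:
    """Return 'LogoutRequest' or 'LogoutResponse' from the message content, not from the URL hit."""
    root = decode_redirect_binding(query)
    ns, _, local = root.tag.rpartition("}")  # ElementTree tags look like '{ns}local'
    if ns.lstrip("{") != SAMLP or local not in SP_ENDPOINT:
        raise ValueError(f"not a SAML 2.0 SLO message: {root.tag}")
    return local
```

Comparing `classify_slo()` against the endpoint Azure actually posted to shows the mismatch the APM log reports ("SLO Request is received on SLO Response URL").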
Better enable policy debug and use a SAML decode site as mentioned below. Hope it helps:
https://support.f5.com/csp/article/K41437771
https://support.f5.com/csp/article/K51854802