Forum Discussion
SAML Single Logout Issue
Hi,
We are trying to implement SAML single logout with BIG-IP APM acting as SP and a third-party identity provider. We have configured the sample page on the backend IIS web servers. The IdP SLO URL is hard-coded to the logout button. After the user logs in to the sample application via SAML credentials and clicks the logout button, the session is not killed, and we don't see any logout request being generated and sent to the IdP. I'm just wondering whether we need to do any configuration apart from giving the single logout URLs in the F5 SAML configuration. Also, how does the logout process actually work with F5? Can anyone help us out on this?
Thanks
2 Replies
Hello,
You are using F5 as an SP. Further, you've stated the IdP SLO URL is linked to a button. Therefore I assume you wanted to do IdP-initiated SLO: it's the IdP which should send a logout request to the F5 SP.
If you want SP-initiated SLO (F5 logs out), it's not a simple user request to the SLO URL. The best approach is to use a hangup link (/vdesk/hangup.php3).
We've set up several environments using F5 APM SAML, and here are some things to be aware of:
- You need to configure the SLO URL AND the SLO Reply URL for the idp-connector. Note that the F5 APM uses different endpoints for SLO request and SLO reply.
- Logout requests must be signed (correct certificates need to be set up).
- Watch the /var/log/apm log file to troubleshoot the SAML processing.
- There's an issue on the F5 where it doesn't return the RelayState correctly (depends on the version used), and some IdPs don't like it.
Best regards, Gabriel
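An added illustration of the points in the reply above (separate endpoints for SLO request and SLO reply, signed messages, RelayState echo), not code from the poster or from F5: a triage check for one captured HTTP-Redirect SLO URL. The endpoint URLs, the function names and the sample message are constructed for illustration, and the signature is only checked for presence, not verified.

```python
import base64, zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
# Constructed placeholders: endpoints of the party receiving the message.
EXPECTED = {"LogoutRequest": "https://sp.example.com/slo-request",
            "LogoutResponse": "https://sp.example.com/slo-reply"}
# Constructed sample LogoutResponse (not taken from any real IdP or from F5).
SAMPLE = ('<samlp:LogoutResponse xmlns:samlp="%s" ID="_b2" InResponseTo="_a1" '
          'Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
          'Destination="https://sp.example.com/slo-reply">'
          '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
          'https://idp.example.com</saml:Issuer><samlp:Status>'
          '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
          '</samlp:Status></samlp:LogoutResponse>' % SAMLP)

def build_redirect(base, param, xml, **extra):
    """Sample-building helper: raw DEFLATE + base64 into a redirect URL."""
    c = zlib.compressobj(wbits=-15)
    blob = base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()
    return base + "?" + urlencode({param: blob, **extra})

def inspect_slo_redirect(url, sent_relay_state=None):
    """Return findings for one captured HTTP-Redirect SLO URL ([] = clean)."""
    q = parse_qs(urlsplit(url).query)
    param = next((p for p in ("SAMLRequest", "SAMLResponse") if p in q), None)
    if param is None:
        return ["no SAMLRequest/SAMLResponse parameter"]
    # Cap the inflated size so a hostile message cannot exhaust memory.
    xml = zlib.decompressobj(-15).decompress(base64.b64decode(q[param][0]), 65536)
    if b"<!DOCTYPE" in xml:
        return ["DOCTYPE present, refusing to parse"]
    root = ET.fromstring(xml)
    kind = root.tag.replace("{%s}" % SAMLP, "")
    if kind not in EXPECTED:
        return ["unexpected message type " + kind]
    findings = []
    if root.get("Destination") != EXPECTED[kind]:
        findings.append("Destination does not match the %s endpoint" % kind)
    if "Signature" not in q or "SigAlg" not in q:
        findings.append("unsigned: SigAlg/Signature parameters missing")
    if kind == "LogoutResponse":
        code = root.find("{%s}Status/{%s}StatusCode" % (SAMLP, SAMLP))
        if code is None or not code.get("Value", "").endswith(":Success"):
            findings.append("StatusCode is not Success")
        if sent_relay_state and q.get("RelayState", [""])[0] != sent_relay_state:
            findings.append("RelayState not echoed back")
    return findings
```

Feed it the redirect URL seen in a browser trace or proxy log, with `EXPECTED` set to the endpoints from the receiving party's metadata.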
- Malak_Samir_218
Altostratus
@Gabriel in this particular case, what should the SLO reply look like?