For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Gabriel_V_13146's avatar
Gabriel_V_13146
Icon for Cirrus rankCirrus
Aug 25, 2014

Hello,

 

You are using F5 as a SP. further you've stated the IDP SLO URL is linked to a button. Therefore I assume you wanted to do the IdP-initiated SLO. it's IdP which should send a logout request to the F5 SP.

 

If you want the SP initiated SLO (F5 logs out), it's not a simple user request to the SLO URL. Best approach is to use a hangup link ( /vdesk/hangup.php3)

 

we've set up several environments using F5 APM SAML and here are some things to be aware

 

  • you need to configure SLO url AND SLO Reply URL for the idp-connector, note the F5 APM uses different endpoints for SLO request and SLO reply
  • logout requests must be signed (correct certificates need to be set up)
  • watch the /var/log/apm log file to troubleshoot the SAML processing
  • there's an issue on the F5 it doesn't return the RelayState correctly (depends on the version used) and some IdPs don't like it

Best regards Gabriel

 

Malak_Samir_218's avatar
Malak_Samir_218
Icon for Altostratus rankAltostratus
Apr 03, 2019

@Gabriel in this particular case, what should the slo reply looks like?