SAML Single Logout Issue

Hello,

You are using F5 as a SP. further you've stated the IDP SLO URL is linked to a button. Therefore I assume you wanted to do the IdP-initiated SLO. it's IdP which should send a logout request to the F5 SP.

If you want the SP initiated SLO (F5 logs out), it's not a simple user request to the SLO URL. Best approach is to use a hangup link ( /vdesk/hangup.php3)

we've set up several environments using F5 APM SAML and here are some things to be aware

• you need to configure SLO url AND SLO Reply URL for the idp-connector, note the F5 APM uses different endpoints for SLO request and SLO reply
• logout requests must be signed (correct certificates need to be set up)
• watch the /var/log/apm log file to troubleshoot the SAML processing
• there's an issue on the F5 it doesn't return the RelayState correctly (depends on the version used) and some IdPs don't like it

Best regards Gabriel