Forum Discussion
SAML SLO error
Hey,
We are using APM as a SAML IdP for authenticating smartcard users. Authentication works fine and users are able to use the SAML SP service, but as they try to logout the user is redirected back to the IdP and the browser session dies. The browser seems to stay in the IdP SLO url (/saml/idp/profile/sls) without ever redirecting back to the SP SLO urls.
Firefox states that a secure connection can't be established.
From apm log I can see the following error:
SSOv2 plugin error(18) in sso/saml.c:6276
I tried to find the meaning of the error, but so far I've found nothing for error 18. Any ideas?
We are running version 11.5.1 HF10
- Lucas_Thompson_Historic F5 Account
Before v12.1, if the user's APM session is idled out (usually it will be), then the connection is RST.
The reason it was broken before is that APM has to keep track of all the SPs that have been authenticated in one IdP session and SLO must redirect in a chain to all of the SPs, ending with the one that initiated the request. If the user's session is missing, there is nowhere to lookup this data.
That's fixed in 12.1 now, the caveat is that if there are multiple SPs, APM can't remember them and do the redirect chain back. For most users that's OK, and certainly more desirable than the current behavior of RST'ing the connection.
For older versions, the only way to work around this is to have the idle timer be really long for the session so they don't time out by the time they want to SLO out of the SP session.
- Sergei_MiadzvezAltocumulus
This does not directly answer your question, but I would recommend trying newer version of BIG-IP, e.g. 12.x. There were significant improvements in SLO after 11.5.1, so you may not experience this error on newer versions.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com