Forum Discussion

Johan_Lång
Mar 16, 2020

SAML SLO Error

BIG-IP is acting as SP to an IDP. This IDP is one of our authentication methods to the Webtop.

 

For instance, if you are logging out with the Logout button from the webtop, a SAML request is sent to their SLS and the ticket is destroyed at their end, but BIG-IP is throwing an error: "Internal error. Failed to process SAML request/response. Please try again or contact your system administrator if error persists."

With uri: /vdesk/my.acl.php3?errorcode=8001

 

The response is getting back successfully from the IDP (as issuer) to Destination="https://<bigipadress>/saml/sp/profile/post/sls" with a success code:

<samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>

 

APM-log:

SAML SSO: SLO Response is received on SLO Request URL

SAML SSO: SLO Request not found in SAML message 'SAMLResponse=<base64decoded samlrequest>

SAML SSO: Error (12) in reading SP info from sessionDB

SAML SSO: Abort reason: Error in reading sp info from session db

 

The SAML request as it appears in the log is not URI-decoded, but if I look at the form data in Chrome everything looks fine.

 

I've also tried with redirect instead of post, but then I get this error in the APM log:

SAML SSO: SLO Request not found in SAML message ''

 

A workaround is to clear the SLO settings in the IDP connector; in this case the APM session is destroyed but the session from the IDP isn't.

 

Any suggestions to investigate this further?

 

Thanks,

Johan

 

  • Seems like the IDP didn't understand "ResponseLocation". The response was sent to Location rather than ResponseLocation; this is something BIG-IP does by default:

     

    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://<bigip>/saml/sp/profile/post/sls" ResponseLocation="https://<bigip>/saml/sp/profile/post/slr">

     

    Temporarily I made an iRule that sends a 307 response from /saml/sp/profile/post/sls to /saml/sp/profile/post/slr instead.

     

    Waiting for the IDP to update BIG-IP's metadata with only:

    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://<bigip>/saml/sp/profile/post/slr">

     

    Could this cause any trouble?

     

  • Hi, I have developed the same solution; is there any specific format of the SAML logout request?

    • Johan_Lång

      What do you mean? :)

      The IDP did not read the "ResponseLocation"; instead I had to get rid of that, and only publish the /slr URL instead of the /sls.

      • IRONMAN

        Hi Johan,

         

        We are developing our own SAML solution and F5 is acting as IDP here. We do not have the format of the SLO request from SP to IDP; we are getting a Deflate error in F5, and are not sure whether it is encrypted. We want the format of the SLO request from SP to IDP, with no signature and no encryption!

         

        We are using the format below and it is getting an error. It is sent from SP to IDP (F5):

         

        <samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_21df91a89767879fc0f7df6a1490c6000c81644d" Version="2.0" IssueInstant="2014-07-18T01:13:06Z" Destination="https://F5IDP.COM/saml/idp/profile/redirect/sls">
          <saml:Issuer>https://SP.COM/SAML-logout.go</saml:Issuer>
          <saml:NameID SPNameQualifier="https://SP.com/SAML-logout.go" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">ONELOGIN_f92cc1834efc0f73e9c09f482fce80037a6251e7</saml:NameID>
        </samlp:LogoutRequest>

         
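The question above about the LogoutRequest format, and the "Deflate error" mentioned with it, come down to how the two SAML bindings wrap the XML. The following is an added example written for this page (not code from the thread, from F5 or from OneLogin): under the HTTP-Redirect binding the LogoutRequest is raw-DEFLATE compressed, base64-encoded and URL-encoded into the SAMLRequest query parameter, while under HTTP-POST it is only base64-encoded into a form field. A receiver at a /redirect/ endpoint that is handed a POST-style (uncompressed) payload cannot inflate it, which is one ordinary reason for an inflate/deflate failure. The sample request, the sp.example.test and idp.example.test names, and the ID and NameID values are constructed.

```python
import base64
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import quote, unquote

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed, unsigned, unencrypted LogoutRequest (hypothetical issuer/destination).
LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example-request-id-1" Version="2.0" IssueInstant="2014-07-18T01:13:06Z" '
    'Destination="https://idp.example.test/saml/idp/profile/redirect/sls">'
    '<saml:Issuer>https://sp.example.test/</saml:Issuer>'
    '<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">'
    '_example-name-id</saml:NameID>'
    '</samlp:LogoutRequest>'
)


def encode_redirect_binding(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate stream
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return quote(base64.b64encode(deflated).decode("ascii"), safe="")


def encode_post_binding(xml_text: str) -> str:
    """HTTP-POST binding: plain base64 of the XML, no compression (goes in a form field)."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def build_redirect_url(endpoint: str, xml_text: str) -> str:
    """Assemble the GET URL a redirect-binding sender would issue."""
    return f"{endpoint}?SAMLRequest={encode_redirect_binding(xml_text)}"


def decode_redirect_binding(param_value: str) -> str:
    """Reverse of encode_redirect_binding.

    Raises ValueError when the payload is not a raw-DEFLATE stream, which is what a
    POST-binding (base64-only) payload looks like to a redirect endpoint.
    """
    raw = base64.b64decode(unquote(param_value))
    try:
        return zlib.decompress(raw, -15).decode("utf-8")
    except (zlib.error, UnicodeDecodeError) as exc:
        raise ValueError("payload is not raw-DEFLATE XML; was it POST-binding base64?") from exc


def logout_request_summary(xml_text: str) -> dict:
    """Pull out the fields a receiver checks first: ID, Destination, Issuer, NameID."""
    root = ET.fromstring(xml_text)
    return {
        "id": root.get("ID"),
        "destination": root.get("Destination"),
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "name_id": root.findtext("saml:NameID", namespaces=NS),
    }


if __name__ == "__main__":
    url = build_redirect_url("https://idp.example.test/saml/idp/profile/redirect/sls", LOGOUT_REQUEST)
    print(url)
    print(logout_request_summary(decode_redirect_binding(url.split("SAMLRequest=", 1)[1])))
```

The Destination of a redirect-bound request should name the /redirect/ endpoint and the payload must be deflated; for a POST-bound request the Destination names the /post/ endpoint and the payload is only base64. Mixing the two is what decode_redirect_binding turns into a clear ValueError instead of an opaque inflate failure.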

  • legan

    I ran into the same issue and I'm not able to resolve this. I have set up APM with Azure AD as a SAML IdP.

    All works fine, until I logout. I have created a redirect rule that redirects like this:

     

    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/saml/sp/profile/post/sls" } {
            set new_uri [string map {"/saml/sp/profile/post/sls" "/saml/sp/profile/post/slr"} [HTTP::uri]]
            HTTP::respond 307 noserver Location "https://[HTTP::host]$new_uri"
        }
    }

     

    So, this request is redirected:

     

    request: https://VPNbox/saml/sp/profile/post/sls?SAMLResponse=...

    location: https://VPNbox/saml/sp/profile/post/slr?SAMLResponse=...

     

    But on this request I receive the same error response page:

     

    request: https://VPNbox/saml/sp/profile/post/slr?SAMLResponse=...

    location: /vdesk/my.acl.php3?errorcode=8001

     

    We would like to start a pilot, but this is a blocking issue at the moment.

     

    I have also tried setting the logout URL in Azure AD to https://VPNbox/saml/sp/profile/post/slr directly, but that also gives me the redirect to the /vdesk/my.acl.php3?errorcode=8001 URI.

    • What does the APM log say?

       

      It was a while ago, but there were a lot of issues with "reposts" with 307 when it comes to SAML.

      I would suggest that you manipulate the metadata from your BIG-IP SP connector and then reimport it into Azure AD: simply remove the SLS, remove the responder attribute and place the slr after Location,

      Like this:

      <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://<name.domain.com>/saml/sp/profile/post/slr"> </SingleLogoutService>

       

      Also make sure that you are using the right binding, Edit SAML SP Connector > SLO Service Settings > Single Logout Binding: POST (if you're using post).

  • legan

    I did already set the Logout URL in the Azure AD app registration to https://vpnbox/saml/sp/profile/post/slr, but that also redirected me to vdesk/my.acl.php3?errorcode=8001.

    I have now done as you said: modified the XML and uploaded and I only see the Logout URL change, so I expect it's the same as what I did when manually changing the Logout URL in Azure AD.

     

    APM log says:/Common/cpp_cra_aad_mfa:Common:22da7c68:SAML SSO: Invalid SLO request path. Expected (/saml/sp/profile/redirect/slr), received (/saml/sp/profile/post/slr?SAMLResponse=...).

    • Have you kept the HTTP-Redirect binding in the metadata? Try to remove that and only keep HTTP-POST.

      Because, as the APM log indicates, Azure sends it as a GET/Redirect (look at the traffic with Chrome + F12 and preferably with a SAML trace tool) and not a POST. You can also try to change that manually from Azure, using POST as a response instead of Redirect (if that is possible).

      If the only solution is to use redirect, then only provide HTTP-Redirect as a binding in your metadata from BIG-IP, and change the location to /saml/sp/profile/redirect/slr.
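The two replies above give one procedure for the exported BIG-IP SP metadata: drop the /sls endpoint, drop ResponseLocation, keep only the binding the IdP actually uses, and publish the /slr URL as Location, then confirm that the path matches what APM expects for that binding (the log line "Expected (/saml/sp/profile/redirect/slr), received (/saml/sp/profile/post/slr...)" is that check failing). This is an added example written for this page, not code from the thread or from F5: a small Python script that performs the rewrite and the consistency check. The metadata document and the vpnbox.example.test hostname are constructed; the expected paths are the ones quoted in this thread.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
ET.register_namespace("md", MD_NS)

# Constructed SP metadata in the shape BIG-IP exports by default: one SingleLogoutService
# per binding, each with Location (/sls) and ResponseLocation (/slr). Hostname is hypothetical.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://vpnbox.example.test/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="{POST_BINDING}"
        Location="https://vpnbox.example.test/saml/sp/profile/post/sls"
        ResponseLocation="https://vpnbox.example.test/saml/sp/profile/post/slr"/>
    <md:SingleLogoutService Binding="{REDIRECT_BINDING}"
        Location="https://vpnbox.example.test/saml/sp/profile/redirect/sls"
        ResponseLocation="https://vpnbox.example.test/saml/sp/profile/redirect/slr"/>
    <md:AssertionConsumerService Binding="{POST_BINDING}"
        Location="https://vpnbox.example.test/saml/sp/profile/post/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Path APM expects an SLO response on for each binding (the paths quoted in this thread).
EXPECTED_SLR_PATH = {
    POST_BINDING: "/saml/sp/profile/post/slr",
    REDIRECT_BINDING: "/saml/sp/profile/redirect/slr",
}


def slo_endpoints(metadata_xml: str) -> list:
    """List (Binding, Location, ResponseLocation) for every SingleLogoutService element."""
    root = ET.fromstring(metadata_xml)
    return [(e.get("Binding"), e.get("Location"), e.get("ResponseLocation"))
            for e in root.iter(f"{{{MD_NS}}}SingleLogoutService")]


def rewrite_slo_for_idp(metadata_xml: str, keep_binding: str) -> str:
    """Keep one SLO binding, move its ResponseLocation (/slr) into Location, drop the rest."""
    if keep_binding not in EXPECTED_SLR_PATH:
        raise ValueError(f"unsupported binding: {keep_binding}")
    root = ET.fromstring(metadata_xml)
    for sso in list(root.iter(f"{{{MD_NS}}}SPSSODescriptor")):
        for slo in list(sso.findall(f"{{{MD_NS}}}SingleLogoutService")):
            if slo.get("Binding") != keep_binding:
                sso.remove(slo)  # IdP must not see the other binding at all
                continue
            response_location = slo.get("ResponseLocation")
            if response_location:
                slo.set("Location", response_location)  # publish /slr as the only endpoint
                del slo.attrib["ResponseLocation"]
    return ET.tostring(root, encoding="unicode")


def slo_locations_match_binding(metadata_xml: str) -> bool:
    """True when every remaining SLO Location path is the one APM expects for its binding."""
    return all(urlparse(loc).path == EXPECTED_SLR_PATH.get(binding)
               for binding, loc, _ in slo_endpoints(metadata_xml))


if __name__ == "__main__":
    # Azure AD in this thread sends the LogoutResponse as a GET, so keep HTTP-Redirect.
    rewritten = rewrite_slo_for_idp(SP_METADATA, REDIRECT_BINDING)
    print(rewritten)
    print("consistent:", slo_locations_match_binding(rewritten))
```

Run it against the real export (swap SP_METADATA for the file contents) and only upload the result to the IdP when slo_locations_match_binding returns True; keeping a binding whose Location still points at /sls, or at the other binding's /slr path, reproduces the "Invalid SLO request path" abort quoted below.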

  • legan

    I cannot modify that in Azure and indeed, it does a GET instead of a POST. Azure documentation says: 'This URL is used to send the SAML Logout response back to the application.'

    Now I have set it to https://vpnbox/saml/sp/profile/redirect/slr and that works fine.

    Thank you for your assistance!