Forum Discussion
SAML SLO Error
- Mar 16, 2020
Seems like the IdP didn't understand "ResponseLocation". The Response was sent to Location rather than ResponseLocation; this is something BIG-IP does by default:
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://<bigip>/saml/sp/profile/post/sls" ResponseLocation="https://<bigip>/saml/sp/profile/post/slr"/>
Temporarily I made an iRule that makes a 307 response from /saml/sp/profile/post/sls to /saml/sp/profile/post/slr instead.
Waiting for the IdP to update BIG-IP's metadata with only:
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://<bigip>/saml/sp/profile/post/slr"/>
Could this cause any trouble?
I ran into the same issue and I'm not able to resolve this. I have set up APM with Azure AD as a SAML IdP.
All works fine until I log out. I have created a redirect rule that redirects like this:
when HTTP_REQUEST {
    if {[HTTP::uri] starts_with "/saml/sp/profile/post/sls"} {
        set new_uri [string map {"/saml/sp/profile/post/sls" "/saml/sp/profile/post/slr"} [HTTP::uri]]
        HTTP::respond 307 noserver Location https://[HTTP::host]$new_uri
    }
}
So, this request is redirected:
request: https://VPNbox/saml/sp/profile/post/sls?SAMLResponse=...
location: https://VPNbox/saml/sp/profile/post/slr?SAMLResponse=...
But on this request I receive the same error response page:
request: https://VPNbox/saml/sp/profile/post/slr?SAMLResponse=...
location: /vdesk/my.acl.php3?errorcode=8001
We would like to start a pilot, but this is a blocking issue at the moment.
I have also tried setting the logout URL in Azure AD to https://VPNbox/saml/sp/profile/post/slr directly, but that also gives me the redirect to the /vdesk/my.acl.php3?errorcode=8001 URI.
- Johan_Lång, Oct 15, 2020 (Cirrus)
What does the APM log say?
It was a while ago, but there were a lot of issues with "reposts" with 307 when it comes to SAML.
I would suggest that you manipulate the metadata from your BIG-IP SP connector and then reimport it into Azure AD. Simply remove SLS, remove the ResponseLocation attribute and place the slr after Location,
Like this:
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://<name.domain.com>/saml/sp/profile/post/slr"> </SingleLogoutService>
Also make sure that you are using the right binding, Edit SAML SP Connector > SLO Service Settings > Single Logout Binding: POST (if you're using post).
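As an added example (not code from the thread, DevCentral or F5), a small script that applies the metadata change suggested above to an exported SP metadata file: for each SingleLogoutService it moves the ResponseLocation value into Location, drops ResponseLocation, and reports a binding that differs from the one you expect. The hostname and the minimal metadata fragment are constructed placeholders.

```python
"""Flatten SingleLogoutService entries in SAML SP metadata (constructed example)."""
from __future__ import annotations
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed minimal fragment in the shape of a BIG-IP SP metadata export;
# vpnbox.example is a placeholder hostname, not a real deployment.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://vpnbox.example/saml/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="{POST_BINDING}"
        Location="https://vpnbox.example/saml/sp/profile/post/sls"
        ResponseLocation="https://vpnbox.example/saml/sp/profile/post/slr"/>
    <md:AssertionConsumerService Binding="{POST_BINDING}"
        Location="https://vpnbox.example/saml/sp/profile/post/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def flatten_slo(metadata_xml: str, expected_binding: str = POST_BINDING) -> tuple[str, list[str]]:
    """Return (rewritten metadata, notes).

    If an IdP ignores ResponseLocation and sends the LogoutResponse to Location,
    pointing Location at the response endpoint (slr) and dropping ResponseLocation
    makes the metadata match what the IdP actually does. Binding mismatches are noted.
    """
    ET.register_namespace("md", MD_NS)  # keep the md: prefix on serialisation
    root = ET.fromstring(metadata_xml)
    notes: list[str] = []
    for slo in root.iter(f"{{{MD_NS}}}SingleLogoutService"):
        binding = slo.get("Binding")
        if binding != expected_binding:
            notes.append(f"binding {binding} differs from expected {expected_binding}")
        resp = slo.get("ResponseLocation")
        if resp:
            notes.append(f"Location {slo.get('Location')} replaced by ResponseLocation {resp}")
            slo.set("Location", resp)
            del slo.attrib["ResponseLocation"]
    return ET.tostring(root, encoding="unicode"), notes


def slo_endpoints(metadata_xml: str) -> list[dict[str, str]]:
    """List the attributes of every SingleLogoutService, for inspection after the rewrite."""
    root = ET.fromstring(metadata_xml)
    return [dict(e.attrib) for e in root.iter(f"{{{MD_NS}}}SingleLogoutService")]
```

Running it a second time on its own output changes nothing, so it is safe to apply to a file that has already been edited by hand.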