Forum Discussion

Johan_Lång's avatar
Johan_Lång
Icon for Cirrus rankCirrus
Mar 16, 2020

SAML SLO Error

BIGIP is acting SP to an IDP. This IDP is one of our authentication methods to the Webtop.   For instance, if you are logging out with the Logout-button from the webtop a samlrequest is sent to ...
application delivery
BIG-IP
BIG-IP Access Policy Manager (APM)
  • Johan_Lång's avatar
    Johan_Lång
    Mar 16, 2020

    Seems like the IDP didnt understood "ResponseLocation". The Reponse was sent to Location rather than ResponseLocation, this is something BIGIP does default:

     

    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://<bigip>/saml/sp/profile/post/sls" ResponseLocation="https://<bigip>/saml/sp/profile/post/slr">

     

    Temporarily i made an irule that makes an 307 response from /saml/sp/profile/post/sls to /saml/sp/profile/post/slr instead.

     

    Waiting for the IDP to update bigips metadata with only:

    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://<bigip>/saml/sp/profile/post/slr">

     

    Could this cause any trouble?

     

legan's avatar
legan
Icon for Nimbostratus rankNimbostratus

I run into the same issue and I'm not able to resolve this. I have setup APM with Azure AD as a SAML IdP.

All works fine, until I logout. I have created a redirect rule that redirects like this:

 

when HTTP_REQUEST {

if {[HTTP::uri] starts_with "/saml/sp/profile/post/sls"} {

  set new_uri [string map {"/saml/sp/profile/post/sls" "/saml/sp/profile/post/slr"} [HTTP::uri]]

HTTP::respond 307 noserver Location https://[HTTP::host]$new_uri

}

}

 

So, this request is redirected:

 

request: https://VPNbox/saml/sp/profile/post/sls?SAMLResponse=...

location: https://VPNbox/saml/sp/profile/post/slr?SAMLResponse=...

 

But on this request I receive the same error response page:

 

request: https://VPNbox/saml/sp/profile/post/slr?SAMLResponse=...

location: /vdesk/my.acl.php3?errorcode=8001

 

We would lilke to start a pilot, but this is a blocking issue at the moment.

 

I have also tried setting the logout URL in Azure AD to https://VPNbox/saml/sp/profile/post/slr directly, but that also gives me the redirect to the /vdesk/my.acl.php3?errorcode=8001 URI.

Johan_Lång's avatar
Johan_Lång
Icon for Cirrus rankCirrus
Oct 15, 2020

​What does the APM log says?

 

Was a while ago but there was alot of issues with "reposts" with 307, when it comes to SAML.

I would suggest that you manipulate the metadata from your bigip-SP connector and then reimport it into Azure AD. simply remove SLS. and remove the resoponder attribute and Place the slr after location, 

Like this:

<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://<name.domain.com>/saml/sp/profile/post/slr"> </SingleLogoutService>

 

Also make sure that you are using the right binding, Edit SAML SP Connector > SLO Service Settings > Single Logout Binding: POST (if you're using post).