Forum Discussion
SAML SLO Error
- Mar 16, 2020
Seems like the IDP didn't understand "ResponseLocation". The Response was sent to Location rather than ResponseLocation, which is something BIG-IP does by default:
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://<bigip>/saml/sp/profile/post/sls" ResponseLocation="https://<bigip>/saml/sp/profile/post/slr">
Temporarily I made an iRule that makes a 307 response from /saml/sp/profile/post/sls to /saml/sp/profile/post/slr instead.
Waiting for the IDP to update BIG-IP's metadata with only:
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://<bigip>/saml/sp/profile/post/slr">
Could this cause any trouble?
I did already set the Logout URL in the Azure AD app registration to: https://vpnbox/saml/sp/profile/post/slr, but that also redirected me to vdesk/my.acl.php3?errorcode=8001.
I have now done as you said: modified the XML and uploaded it, and I only see the Logout URL change, so I expect it's the same as what I did when manually changing the Logout URL in Azure AD.
APM log says: /Common/cpp_cra_aad_mfa:Common:22da7c68:SAML SSO: Invalid SLO request path. Expected (/saml/sp/profile/redirect/slr), received (/saml/sp/profile/post/slr?SAMLResponse=...).
Have you kept the HTTP-Redirect binding in the metadata? Try to remove that and only keep HTTP-POST.
Because, as the APM log indicates, Azure sends it as a GET/Redirect (look at the traffic with Chrome + F12 and preferably with a SAML-trace tool) and not a POST. You can also try to change that manually from Azure, using POST as a response instead of Redirect (if that is possible).
If the only solution is to use redirect, then only provide HTTP-Redirect as a binding in your metadata from BIG-IP, and change the location to /saml/sp/profile/redirect/slr.
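The two failure modes in this thread (an IdP that ignores ResponseLocation, and a LogoutResponse arriving over a binding whose path APM does not expect) can be caught before uploading SP metadata. The following is an added example, not code from the thread or from F5: a small linter over SP metadata plus a stand-in for the path check visible in the APM log line. The metadata is constructed, with sp.example.com standing in for the BIG-IP hostname, and the APM path rule is an assumption taken only from the log line quoted above.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Path segment APM expects per binding, inferred from the "Invalid SLO request path" log line.
APM_PATH = {POST: "/saml/sp/profile/post/", REDIRECT: "/saml/sp/profile/redirect/"}

# Constructed sample: SP metadata with the mixed setup discussed in the thread
# (sp.example.com stands in for the BIG-IP hostname).
SP_METADATA_MIXED = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://sp.example.com/sp">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="{POST}"
        Location="https://sp.example.com/saml/sp/profile/post/sls"
        ResponseLocation="https://sp.example.com/saml/sp/profile/post/slr"/>
    <SingleLogoutService Binding="{REDIRECT}"
        Location="https://sp.example.com/saml/sp/profile/redirect/slr"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

def lint_slo(metadata_xml: str) -> list:
    """Return warnings about SingleLogoutService endpoints an IdP may mishandle."""
    root = ET.fromstring(metadata_xml)
    issues, bindings = [], set()
    for svc in root.iter(f"{{{MD_NS}}}SingleLogoutService"):
        binding, loc = svc.get("Binding"), svc.get("Location", "")
        resp = svc.get("ResponseLocation")
        bindings.add(binding)
        if resp and resp != loc:
            # An IdP that ignores ResponseLocation sends the LogoutResponse to Location.
            issues.append(f"{binding}: ResponseLocation differs from Location ({loc})")
        seg = APM_PATH.get(binding)
        for name, url in (("Location", loc), ("ResponseLocation", resp)):
            if seg and url and seg not in url:
                issues.append(f"{binding}: {name} {url} is not under {seg}")
    if POST in bindings and REDIRECT in bindings:
        # With both advertised, the IdP is free to pick either one for the response.
        issues.append("both HTTP-POST and HTTP-Redirect SLO bindings advertised")
    return issues

def slo_request_ok(method: str, path: str) -> bool:
    """Stand-in for the APM check: the path must match the HTTP binding actually used."""
    binding = POST if method.upper() == "POST" else REDIRECT
    return APM_PATH[binding] in path

if __name__ == "__main__":
    for issue in lint_slo(SP_METADATA_MIXED):
        print("WARN:", issue)
    print(slo_request_ok("GET", "/saml/sp/profile/post/slr?SAMLResponse=..."))
```

Running it against the constructed metadata flags the ResponseLocation mismatch and the dual bindings, and the GET to the /post/ path is rejected the same way the APM log shows.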