Forum Discussion

Johan_Lång's avatar
Johan_Lång
Icon for Cirrus rankCirrus
Mar 16, 2020

SAML SLO Error

BIGIP is acting SP to an IDP. This IDP is one of our authentication methods to the Webtop.   For instance, if you are logging out with the Logout-button from the webtop a samlrequest is sent to ...
application delivery
BIG-IP
BIG-IP Access Policy Manager (APM)
  • Johan_Lång's avatar
    Johan_Lång
    Mar 16, 2020

    Seems like the IDP didnt understood "ResponseLocation". The Reponse was sent to Location rather than ResponseLocation, this is something BIGIP does default:

     

    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://<bigip>/saml/sp/profile/post/sls" ResponseLocation="https://<bigip>/saml/sp/profile/post/slr">

     

    Temporarily i made an irule that makes an 307 response from /saml/sp/profile/post/sls to /saml/sp/profile/post/slr instead.

     

    Waiting for the IDP to update bigips metadata with only:

    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://<bigip>/saml/sp/profile/post/slr">

     

    Could this cause any trouble?

     

legan's avatar
legan
Icon for Nimbostratus rankNimbostratus
Oct 15, 2020

I cannot modify that in Azure and indeed, it does a GET instead of a POST. Azure documentation says: 'This URL is used to send the SAML Logout response back to the application.'

Now I have set it to https://vpnbox/saml/sp/profile/redirect/slr and that works fine.

Thank you for you assistance!

  • Johan_Lång's avatar
    Johan_Lång
    Icon for Cirrus rankCirrus
    Oct 15, 2020

    ​Glad to help :)