Forum Discussion

kbasa_279826
Aug 08, 2016

SAML SLO fails

Configured BIGIP as IDP and ADFS plays the role of SP. SSO works as expected with no issues.

When trying an SP-initiated SLO from ADFS, a logout request is sent to BIG-IP, and in return it sends the Logout Response. But the status in the Logout Response is


Verified the signing certificates, SLO endpoints and bindings at both the IdP and SP. Still not able to find the issue...

  • StatusCode "urn:oasis:names:tc:SAML:2.0:status:Requester" indicates that processing of the received SLO request failed. The actual cause of failure is logged in /var/log/apm.

    • kbasa_279826

      Here it is .....

      Aug 8 11:57:07 apm err tmm1[17840]: 014d0002:3: 2471d44b: SSOv2 Error verifying SAML message signature - RSA verification failed, check SP certificate
      Aug 8 11:57:07 apm err tmm1[17840]: 014d0002:3: 2471d44b: SSOv2 Error(22) verifying enveloped signature
      Aug 8 11:57:07 apm err tmm1[17840]: 014d0002:3: 2471d44b: SSOv2 Error(22) enveloped signature verification failed
      Aug 8 11:57:07 apm err tmm1[17840]: 014d0002:3: 2471d44b: SSOv2 Error (22): SAML SLO request signature verification failed
      Aug 8 11:57:07 apm err tmm1[17840]: 014d0002:3: 2471d44b: SSOv2 Validation of SAML SLO request from SP (http://cs-auto11.cloud.com/adfs/services/trust) to this BIG-IP as IdP (/Common/Local-IDP) failed.

    • kbasa_279826

      I just found this strange behavior: when I upload ADFS metadata from a file into BIG-IP, it stores the ADFS (signing and encryption) certificates in the BIG-IP system. But the issue here is, it stores the encryption certificate as both the signing and the encryption certificate. Though it stores them under different names, the certificate is the same.

      I tried to import the metadata from a file from 2 different ADFS machines; the issue is the same.

      Any ideas on what could be wrong?
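
As an added example (not from this thread, F5 or Microsoft), a Python check for exactly the mismatch described above: it reads the signing and encryption certificates from an SP's SAML metadata, fingerprints them, and reports whether the certificate an IdP stored for signature verification is really the SP's encryption certificate. The metadata, entityID and certificate bytes below are constructed placeholders, not real ADFS output.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def certificate_fingerprints(metadata_xml: str) -> dict:
    """SHA-256 fingerprints of the SP's X509Certificate values, keyed by use.
    A KeyDescriptor with no 'use' attribute counts for both signing and
    encryption, as SAML metadata allows."""
    root = ET.fromstring(metadata_xml)
    fps = {"signing": [], "encryption": []}
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        uses = [kd.get("use")] if kd.get("use") else ["signing", "encryption"]
        for cert in kd.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))  # drop line wrapping
            for use in uses:
                fps[use].append(hashlib.sha256(der).hexdigest())
    return fps

def check_stored_signing_cert(metadata_xml: str, stored_fp: str) -> list:
    """Compare the fingerprint of the signing cert the IdP stored for this SP
    with what the SP's metadata advertises. An empty list means they agree."""
    fps = certificate_fingerprints(metadata_xml)
    findings = []
    if stored_fp not in fps["signing"]:
        findings.append("stored signing cert is not a signing cert in SP metadata")
        if stored_fp in fps["encryption"]:
            findings.append("stored signing cert is actually the SP's encryption cert")
    return findings

# Constructed sample metadata: the byte strings stand in for DER certificates
# (real ADFS metadata carries the actual certificates in the same elements).
SIGNING_DER = b"constructed-signing-cert"
ENCRYPTION_DER = b"constructed-encryption-cert"
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="http://sp.example.test/adfs/services/trust">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {base64.b64encode(SIGNING_DER).decode()}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {base64.b64encode(ENCRYPTION_DER).decode()}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
SIGNING_FP = hashlib.sha256(SIGNING_DER).hexdigest()
ENCRYPTION_FP = hashlib.sha256(ENCRYPTION_DER).hexdigest()
```

Calling `check_stored_signing_cert(SAMPLE_SP_METADATA, ENCRYPTION_FP)` models the situation in this thread, where the IdP kept the encryption certificate under the signing name, and returns both findings; with the fingerprint of the real signing certificate it returns an empty list.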

  • Lucas_Thompson_
    Historic F5 Account

    Signing and encryption certificates sometimes are the same and sometimes not. In v12, we added the ability for them to be separate.

    Starting with v12.1, SLO requests can be handled even if the session is not valid; this may be the problem in some SLO situations.