Forum Discussion

THi_89722's avatar
THi_89722
Icon for Nimbostratus rankNimbostratus
Sep 23, 2016

SAML SLO NameQualifier and SPNameQualifier attributes missing

We have external SAML 2 IdP which requires NameQualifier and SPNameQualifier attributes in NameID element set in the SAML LogoutRequest (SLO), like: NameQualifier="https://xxx.yyy.com/idp" ...
application delivery
BIG-IP Access Policy Manager (APM)
saml
slo
  • Lucas_Thompson_'s avatar
    Lucas_Thompson_
    Nov 09, 2017

    Support for NameQualifier and SPNameQualifier is added in BIG-IP APM v13.1. This version will be released very shortly.

     

Michael_Koyfma1's avatar
Michael_Koyfma1
Icon for Cirrus rankCirrus

Can you please share which IDPs require the use of these attributes? They are optional attributes that are currently not supported by SLO configuration of APM. Please open a case with F5 support and request an RFE to support them, and provide as much information as possible, including the IDPs that use them(and any information as to why they are used). Thanks!

 

THi's avatar
THi
Icon for Nimbostratus rankNimbostratus
Sep 27, 2016

The IdP is a large public authority (state population registry). The IdP is based on Shibboleth.

 

The request identifies the principal to be logged out using a NameID element, as well as providing a SessionIndex element to uniquely identify the session being closed.

 

https://issues.liferay.com/browse/LPS-45684

 

"LogoutRequest NameID should include NameQualifier and/or SPNameQualifier provided by the IdP in it's Response NameID. Some IdPs such as Shibboleth might not otherwise be able find the correct session to logout."

 

Also for Azure https://azure.microsoft.com/en-us/documentation/articles/active-directory-single-sign-out-protocol-reference/

 

"The value of the NameID element must exactly match the NameID of the user that is being signed out."