Forum Discussion

Marvin_129795
Apr 05, 2019

SAML SLO response data destination modification needed

I have the following requirement to modify the SAML response data, in particular the SLO destination. The goal here is to finalize the end user session on both the SP mywebsite, IDP1 and IDP2 (this is a chained setup). With this config the session is being terminated on IDP1 and IDP2 but still not on the SP. This is because IDP1 sends the SAML SLO response to IDP1 with the SLO destination being IDP1/logmeout; when resending the POST request via redirect to the end user and directing it back to mywebsite, it responds with 400 Bad Request, because the SAML SLO data contains the old IDP/logmeout destination and needs to be modified.

The iRule I use, which is working:

when ACCESS_ACL_ALLOWED {
    if { [HTTP::uri] contains "/logmeout" } {
        log local0. "logout requested from IP [IP::client_addr] URI [HTTP::uri] query [HTTP::query]"
        # end the local APM session, then send the user on with the original query string
        ACCESS::session remove
        ACCESS::respond 307 Location "HTTPS://myredirectwebsite[HTTP::query]"
    }
}

How can I modify the SAML SLO payload to match the SLO destination of the SP mywebsite without having to change the SP metadata on IDP1?

I know version 14.1 has the new ACCESS_SAML_SLO_RESP event, which would be highly suitable for this, but we use version 13.

https://devcentral.f5.com/wiki/iRules.ACCESS_SAML_SLO_RESP.ashx

The SAML POST DATA is:

https://IDP2/logmeout (this part needs to be modified to the mywebsite destination)

All recommendations are welcome.
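To see why the SP answers 400, here is an added Python example (not from the thread or from F5) that decodes a POST-binding LogoutResponse and applies the Destination check an SP performs before honouring it; the LogoutResponse XML and the SP endpoint https://mywebsite/saml/slo are constructed for the example.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote_plus

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed LogoutResponse shaped like the one the question describes: it still
# carries IDP2's own SLO endpoint as Destination instead of the SP's SLO endpoint.
LOGOUT_RESPONSE_XML = (
    f'<samlp:LogoutResponse xmlns:samlp="{SAMLP}" ID="_resp1" Version="2.0" '
    'IssueInstant="2019-04-05T10:00:00Z" InResponseTo="_req1" '
    'Destination="https://IDP2/logmeout">'
    '<samlp:Status><samlp:StatusCode '
    'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '</samlp:LogoutResponse>'
)

# Assumed SLO endpoint of the SP "mywebsite" (the thread does not give the exact path).
SP_SLO_URL = "https://mywebsite/saml/slo"


def build_post_body(xml_text: str) -> str:
    """Wrap the XML the way the HTTP-POST binding carries it: SAMLResponse=<base64>."""
    b64 = base64.b64encode(xml_text.encode("utf-8")).decode("ascii")
    return "SAMLResponse=" + quote_plus(b64)


def slo_destination(post_body: str) -> str:
    """Decode a POST-binding body and return the LogoutResponse Destination attribute."""
    form = parse_qs(post_body, strict_parsing=True)
    xml_text = base64.b64decode(form["SAMLResponse"][0]).decode("utf-8")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutResponse":
        raise ValueError(f"expected a LogoutResponse, got {root.tag}")
    return root.attrib.get("Destination", "")


def sp_accepts(post_body: str, expected_slo_url: str) -> bool:
    """The check an SP performs before honouring an SLO response: a Destination
    attribute, when present, must match the endpoint that actually received the
    POST, otherwise the response is rejected (the 400 seen in the thread)."""
    dest = slo_destination(post_body)
    return dest == "" or dest == expected_slo_url
```

If IDP1 signs the LogoutResponse, rewriting Destination in transit also invalidates the signature, which is why the value has to be correct where the response is generated rather than patched on the wire.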

  • Marvin

    this is because the IDP1 sends the SAML SLO response to IDP2 with the SLO destination being IDP2/logmeout


  • Marvin

    when CLIENT_ACCEPTED {
        # let HTTP_REQUEST run before APM handles the request on this virtual server
        ACCESS::restrict_irule_events disable
    }
    when HTTP_REQUEST {
        # second pass: the SLO POST coming back from IDP2 carries the marker in its
        # query string ("referer inserted by IDP2" is a placeholder for that marker)
        if { [HTTP::uri] contains "saml/idp/profile/post/sls" and [string tolower [HTTP::query]] contains "referer inserted by IDP2" } {
            log local0. "second logout from IDP requested from IP [IP::client_addr] URI [HTTP::uri] query [HTTP::query]"
            return
        }
        # first pass: SLO request from the SP, hand it to IDP2 before the local IDP processes it
        if { [HTTP::uri] contains "saml/idp/profile/post/sls" } {
            log local0. "logout requested from IP [IP::client_addr] URI [HTTP::uri] query [HTTP::query]"
            HTTP::respond 307 Location "https://IDP2/logmeout"
            log local0. "SLO from SP detected and redirected"
        }
    }
    
  • Marvin

    I created the following iRule on IDP1 to detect the SLO request, bypassing the local IDP from processing the SLO request and forwarding it to IDP2/logmeout. The POST SLO request is being received at IDP2 and again being redirected back to IDP1; before that I insert the referer header as the query to be able to differentiate the request, and guess what, it is working, BUT because of the ACCESS::restrict_irule_events disable, IDP1 is not processing the SLO request to be able to send the SAML SLO response back to the SP.


  • Marvin

    On IDP1 the following iRule has been modified to append the referer header to the POST request:

    when ACCESS_ACL_ALLOWED {
        if { [HTTP::uri] contains "/logmeout" } {
            log local0. "logout requested from IP [IP::client_addr] URI [HTTP::uri] query [HTTP::query]"
            # forward the SLO request to IDP2, carrying the original Referer (URL-encoded)
            # plus the fixed marker "https://myreferer" so IDP1 can recognise the request
            # when it comes back; the "marker" parameter name is chosen here to replace
            # the original's broken quoting
            set referer [HTTP::header value "Referer"]
            ACCESS::respond 307 Location "HTTPS://IDP2/saml/idp/profile/post/sls?referer=[URI::encode $referer]&marker=[URI::encode "https://myreferer"]"
            ACCESS::session remove
        }
    }
    
  • Marvin

    The following iRule works: when the logout SLO request comes back to IDP1 for generating the SLO response, we modify the URI by removing the appended query, and the Access Policy now accepts the request and sends the SLO response back to the SP. This way both IDP and application are logged out correctly.

    when CLIENT_ACCEPTED {
        # let HTTP_REQUEST run before APM handles the request on this virtual server
        ACCESS::restrict_irule_events disable
    }
    when HTTP_REQUEST {
        # second pass: the SLO POST coming back from IDP2 carries the marker in its query;
        # strip the appended query so the Access Policy accepts the request
        if { [HTTP::uri] contains "saml/idp/profile/post/sls" and [string tolower [HTTP::query]] contains "myreferer" } {
            log local0. "second logout from IDP requested from IP [IP::client_addr] URI [HTTP::uri] query [HTTP::query]"
            HTTP::uri /saml/idp/profile/post/sls
            log local0. "second logout with modified uri [IP::client_addr] URI [HTTP::uri] query [HTTP::query]"
            return
        }
        # first pass: SLO request from the SP, hand it to IDP2 before the local IDP processes it
        if { [HTTP::uri] contains "saml/idp/profile/post/sls" } {
            log local0. "logout requested from IP [IP::client_addr] URI [HTTP::uri] query [HTTP::query]"
            HTTP::respond 307 Location "https://IDP2/logmeout"
            log local0. "SLO from SP detected and redirected"
        }
    }