Forum Discussion
Marvin_129795
Apr 05, 2019 Nimbostratus
SAML SLO response data destination modification needed
I have the following requirement to modify the SAML response data, in particular the SLO destination. The goal here is to finalize the end user session on both the SP mywebsite, IDP1 and IDP2 (this is...
Marvin
Apr 10, 2019 Cirrocumulus
The following iRule works: when the logout SLO request comes back to IDP1 for generating the SLO response, we modify the URI by removing the appended query, and the Access Policy now accepts the request and sends the SLO response back to the SP. This way both IDP and application are logged out correctly.
```tcl
when CLIENT_ACCEPTED {
    # Let this iRule's HTTP events fire for APM-internal URIs as well
    ACCESS::restrict_irule_events disable
}

when HTTP_REQUEST {
    # Second leg: the logout request comes back to IDP1 with the appended query.
    # Strip the query so the Access Policy accepts it and answers the SP.
    if { [HTTP::uri] contains "saml/idp/profile/post/sls" and [string tolower [HTTP::query]] contains "myreferer" } {
        log local0. "second logout from IDP requested from IP [IP::client_addr] URI [HTTP::uri] query [HTTP::query]"
        HTTP::uri /saml/idp/profile/post/sls
        log local0. "second logout with modified uri [IP::client_addr] URI [HTTP::uri] query [HTTP::query]"
        return
    }

    # First leg: SLO request from the SP, send the browser to IDP2 to log out there first.
    if { [HTTP::uri] contains "saml/idp/profile/post/sls" } {
        log local0. "logout requested from IP [IP::client_addr] URI [HTTP::uri] query [HTTP::query]"
        HTTP::respond 307 Location "https://IDP2/logmeout"
        log local0. "SLO from SP detected and redirected"
    } else {
        return
    }
}
```
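A stricter variant of the same two-leg flow, added here as an example and not part of the original post: `contains` on `HTTP::uri` also matches when the endpoint string appears in a query parameter or inside a longer path, so this version compares `HTTP::path` exactly. It assumes the SLS endpoint is always requested with exactly the path shown in the post, and it leaves the client-supplied query string out of the log lines.

```tcl
# Added example, not the poster's iRule.
when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}

when HTTP_REQUEST {
    # HTTP::path excludes the query string, so only requests for the SLS
    # endpoint itself are handled; everything else passes through untouched.
    if { [HTTP::path] ne "/saml/idp/profile/post/sls" } {
        return
    }

    if { [string tolower [HTTP::query]] contains "myreferer" } {
        # Second leg: request returning to IDP1 with the appended query.
        # Drop the query so the Access Policy accepts it and answers the SP.
        log local0. "SLO second leg from [IP::client_addr], query stripped"
        HTTP::uri "/saml/idp/profile/post/sls"
        return
    }

    # First leg: SLO request from the SP, redirect to IDP2 for its logout.
    log local0. "SLO first leg from [IP::client_addr], redirecting to IDP2"
    HTTP::respond 307 Location "https://IDP2/logmeout"
}
```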