SAML SSO Without a Webtop

Removing a cookie is basically the act of setting a past expiration date.

HTTP::respond 302 Location "http://[HTTP::host]" "Set-Cookie" "MRHSession=0; expires=Tuesday, 29-Mar-1970 00:15:00 GMT" "Connection" "Close"

Tried both an iRule and changing the logout.inc source code. It doesn't want to leave my.logout.php3 with a Location header set to "/" or $_SERVER["SERVER_NAME"]

Do I have any outs other than logging a feature request?

I couldn't get this solution to work, but I did get this to work:

 

when ACCESS_POLICY_COMPLETED {
    if { [ACCESS::session data get session.server.landinguri] == "/saml/idp/profile/redirectorpost/sso" } { 
        log local0. "SP initiated SAML detected, not sending redirect"
    } else {
        ACCESS::respond 302 Location "/saml/idp/res?id=[ACCESS::session data get session.assigned.resources.saml]"
        log local0. "IDP initiated SAML detected, sending redirect"
    }
}

**from this discussion https://devcentral.f5.com/s/feed/0D51T00006i7YW3SAM

 

I lowered the inactivity timeout on the Access Policy because if you use this method, you can't logout the session and if you try to access the resource again before the previous session timed-out, you will get a connection failed message.**

 

After posting the comment above, my SE got back to me with another solution to this problem that seems to work better than the one I posted above. Its written by Graham at F5 who specializes in SAML. https://devcentral.f5.com/s/articles/apm-cookbook-autolaunch-saml-resources-21377

 

Here are Graham's comments to our SE regarding the solutions by Kunjun and Milkman (Milkman posted the solution I referenced in the other thread I linked to in my previous comment) and why his solution is more complete:

 

"[Their solution] only handles the access policy completed event so if they later come back to the existing session it will not fire because that event isn’t hit, that’s why mine has two events to cover the two access scenarios. Also [they assume] you always want the user redirected to the same SAML resource, what if you have multiple, that’s why mine leverages a switch."

 

The benefit of Graham's solution for me was that with Milkman's I had to lower the timeout threshold, because if you closed the site you accessed through SAML, you couldn't access it again unless the previous session was ended. With Graham's solution you can access it even if the previous session isn't closed. He described that scenario above.

 

I have tried these irules and still unable to get this to work for my environment. When redirected it immediately logs out. I receive a "Authorization failure: Denied request for SAML resource" and "Session deleted due to user logout request." in the log.

when ACCESS_POLICY_COMPLETED { 
    switch -glob [ACCESS::session data get session.server.landinguri] {
        "/mycloudapp*" {
        ACCESS::respond 302 Location "https://idp.mycompany.com/saml/idp/res?       id=/Common/MYCLOUDAPP"
    }
    "/proofpoint*" {
    ACCESS::respond 302 Location "https://idp.mycompany.com/saml/idp/res?   id=/Common/PROOFPOINT"
    }
    "/businessolver*" {
    ACCESS::respond 302 Location "https://idp.mycompany.com/saml/idp/res?   id=/Common/BUSINESSOLVER"
        }
    }
}

and

when HTTP_REQUEST {
     if the URI isn't a redirect to an SP resource, and it's an active session - redirect     to the SAML SP resource
if { not ( [HTTP::uri] starts_with "/saml/idp/res?id=" ) and ( [HTTP::cookie exists     MRHSession] ) and ( [ACCESS::session exists -state_allow -sid [HTTP::cookie value   MRHSession]] ) } {
    switch [string tolower [HTTP::host]] {
        "idp.domain.com" {
            HTTP::redirect "/saml/idp/res?id=/Common/idp.domain.com-resource" 
            }
        }
    }
}

when ACCESS_POLICY_COMPLETED { redirect to the SAML SP resource switch -glob [string tolower [ACCESS::session data get session.server.network.name]] { "idp.domain.com" { ACCESS::respond 302 Location "/saml/idp/res?id=/Common/idp.domain.com-resource" } } }