Forum Discussion
Single logout doesn't work for Office 365 with F5 APM as Idp
Single sign-on works perfectly when setup with this guide: https://www.f5.com/pdf/deployment-guides/microsoft-office-365-idp-dg.pdf
We use version 13.1.1.4 of F5 APM in our setup and used the built-in SAML SP object for O365. This object doesn't contain any URL's in the SLO page. Then the Office 365 initiated logout works. But the logout can't be triggered from the webtop on F5
I've found in Microsoft documentation that this is the SAML metadata of Azure AD: https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml
When using this metadata it points the SLO to https://login.microsoftonline.com/login.srf for request en response with POST binding. When testing single logout it logs out of Office365 but the session on the APM is still there.
When doing the logout from the F5 webtop (via logout button), Office 365 throws an error: "AADSTS90081: An error occurred when we tried to process a WS-Federation message. The message was invalid."
Anyone who got Office 365 single logout working both Idp and SP initiated?
This sounds like expected behavior.
1.) If it is SP initiated the the user would automatically get redirected back to 0365 with a SAMLResponse and complete SAML login.
Therefore, they should not get a webtop on the BIG-IP as IdP and not be able to click logout.
This would mean that SLO would work as expected from the SP standpoint.
2.) Let's say that SP initiated connection land on a webtop. This means they do not have it setup correctly. SP initiated connections _should_ redirect back to the SP automatically.
If they are presented with a webtop, This means the IdP didn't consume the SAMLRequest and now it will be considered an IdP initiated connection since it was not sent back to the SP.
Now that its IdP initiated, there is no knowledge of the SAMLRequest so the BIG-IP does not know where the user is coming from to trigger SLO when the logout is clicked.
3.) There theoretically should not be a scenario where the user need to logout of the BIG-IP as IdP as the user should not be staying on the IdP any longer than to authentication then get redirected back to O365.
4.) As far as:
'When doing the logout from the F5 webtop (via logout button), Office 365 throws an error: "AADSTS90081: An error occurred when we tried to process a WS-Federation message. The message was invalid.'
This is because there is not a completed SSO session to be removed based off the answers above.
- delv3chioEmployee
This sounds like expected behavior.
1.) If it is SP initiated the the user would automatically get redirected back to 0365 with a SAMLResponse and complete SAML login.
Therefore, they should not get a webtop on the BIG-IP as IdP and not be able to click logout.
This would mean that SLO would work as expected from the SP standpoint.
2.) Let's say that SP initiated connection land on a webtop. This means they do not have it setup correctly. SP initiated connections _should_ redirect back to the SP automatically.
If they are presented with a webtop, This means the IdP didn't consume the SAMLRequest and now it will be considered an IdP initiated connection since it was not sent back to the SP.
Now that its IdP initiated, there is no knowledge of the SAMLRequest so the BIG-IP does not know where the user is coming from to trigger SLO when the logout is clicked.
3.) There theoretically should not be a scenario where the user need to logout of the BIG-IP as IdP as the user should not be staying on the IdP any longer than to authentication then get redirected back to O365.
4.) As far as:
'When doing the logout from the F5 webtop (via logout button), Office 365 throws an error: "AADSTS90081: An error occurred when we tried to process a WS-Federation message. The message was invalid.'
This is because there is not a completed SSO session to be removed based off the answers above.
- Slayer001Cirrus
Thanks for your response. Let me clarify.
We want to use the webtop as a portal that contains all the applications where F5 APM serves as Idp. When the users opens the office365 application from the webtop the user is signed in to Office365. When the user then logs out of Office365, the session on the APM is also removed if we use the https://login.example.com/vdesk/hangup.php3 as logouturl in Azure. This still works when we change this to the SAML redirect logout url https://sso-acc.cegeka.com/saml/idp/profile/redirect/sls and use the values from Azure AD metadata for logout request and response.
When the user has finished working and wants to sign out of all applications at the end of the working day he wants to do this by pressing the logout button on the webtop portal but gets redirected to the Office 365 page with the above error. Is there a way to be able to sign out of the webtop and also be signed out in Office365? Or is this not possible for Office365?
So if we leave the SLO request url empty in the external SP object for Office365 the user is logged out of all applications but remains signed on in Office365.
- delv3chioEmployee
Based off this explanation and Azures ability to only have a Single Logout URL that specifically stated "RESPONSE" in the information, I would say that Azure does not have the capability to support Single Logout initiated from the IdP/
That said, based off the information that states "SAML Logout Response" and my explanation that users _should_ not be initiated logout from the IdP, I would say that the correct configuration would be using the 'SLR' URL.
If you need to support IdP initiated Logout, I would recommend that you give Microsoft a call and ask them why they do not support a Single Logout Request and only Single Logout Responses. I am willing to bet that they would be on the same page that users should not be logging out from the IdP.
- Slayer001Cirrus
Hello
OK, we will put the SLR url as logoffurl in Azure. Can you share where you found that Azure only supports Single logout Reponse? Thanks.
I only found the metadata and this here:
"Azure AD will use HTTP POST for the authentication request to the identity provider and REDIRECT for the sign out message to the identity provider."
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com