Forum Discussion
Single logout doesn't work for Office 365 with F5 APM as Idp
- Sep 12, 2019
This sounds like expected behavior.
1.) If it is SP initiated, the user would automatically get redirected back to O365 with a SAMLResponse and complete the SAML login.
Therefore, they should not get a webtop on the BIG-IP as IdP and should not be able to click logout.
This would mean that SLO would work as expected from the SP standpoint.
2.) Let's say that an SP-initiated connection lands on a webtop. This means they do not have it set up correctly. SP-initiated connections _should_ redirect back to the SP automatically.
If they are presented with a webtop, this means the IdP didn't consume the SAMLRequest, and now it will be considered an IdP-initiated connection since it was not sent back to the SP.
Now that it's IdP initiated, there is no knowledge of the SAMLRequest, so the BIG-IP does not know where the user is coming from to trigger SLO when logout is clicked.
3.) There theoretically should not be a scenario where the user needs to log out of the BIG-IP as IdP, as the user should not be staying on the IdP any longer than to authenticate and then get redirected back to O365.
4.) As far as:
'When doing the logout from the F5 webtop (via logout button), Office 365 throws an error: "AADSTS90081: An error occurred when we tried to process a WS-Federation message. The message was invalid."'
This is because there is not a completed SSO session to be removed, based on the answers above.
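To make the SP-initiated versus IdP-initiated distinction in the reply above concrete, here is a toy IdP session model written as an added example; it is not code from the original post, from F5, or from BIG-IP APM. All entityIDs, URLs and usernames in it are constructed placeholders, and the SP metadata table stands in for what a real IdP loads from SP metadata. The point it shows: a session created by consuming a SAMLRequest knows which SP it belongs to and can build a LogoutRequest for that SP's SLO endpoint, while a session that started on the IdP's own portal (the "webtop" case) has no SP to send a LogoutRequest to, so logout there can only end the local session. It also shows the two checks an IdP should make before honouring a SAMLRequest: the Issuer must be a registered SP, and any AssertionConsumerServiceURL in the request must match registered metadata, so an attacker cannot redirect the assertion to an endpoint of their choosing.

```python
"""Toy SAML IdP session model: why SP-initiated sessions can trigger SLO and portal-initiated ones cannot."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
IDP_ENTITY_ID = "urn:example:idp:toy"  # hypothetical IdP entityID

# Constructed SP metadata table (hypothetical entityID and URLs, not a real Office 365 endpoint).
SP_METADATA = {
    "urn:example:sp:cloud-mail": {
        "acs": "https://sp.example.test/saml/acs",  # where the SAMLResponse is POSTed
        "slo": "https://sp.example.test/saml/slo",  # where a LogoutRequest is sent
    },
}


def now_iso():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_authn_request(issuer, acs_url):
    """SP side: minimal unsigned AuthnRequest as it looks before deflate/base64 encoding."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": now_iso(),
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    return ET.tostring(req, encoding="unicode")


class ToyIdP:
    def __init__(self, sp_metadata):
        self.sp_metadata = sp_metadata
        self.sessions = {}

    def consume_authn_request(self, authn_request_xml, user):
        """SP-initiated login: validate the request, record which SP the session is for,
        and return the ACS URL the SAMLResponse must be sent back to immediately."""
        root = ET.fromstring(authn_request_xml)
        if root.tag != f"{{{SAMLP}}}AuthnRequest":
            raise ValueError("not a samlp:AuthnRequest")
        issuer = root.findtext(f"{{{SAML}}}Issuer")
        sp = self.sp_metadata.get(issuer)
        if sp is None:
            raise ValueError(f"unknown SP issuer {issuer!r}")
        acs = root.get("AssertionConsumerServiceURL")
        if acs is not None and acs != sp["acs"]:
            # Never trust a request-supplied ACS that disagrees with registered metadata.
            raise ValueError("AssertionConsumerServiceURL does not match registered SP metadata")
        session_id = uuid.uuid4().hex
        self.sessions[session_id] = {
            "user": user,
            "sp_issuer": issuer,            # the session knows where the user came from
            "in_response_to": root.get("ID"),
        }
        return session_id, sp["acs"]

    def login_on_portal(self, user):
        """IdP-initiated login on the IdP's own portal: no SAMLRequest was consumed,
        so the session has no associated SP."""
        session_id = uuid.uuid4().hex
        self.sessions[session_id] = {"user": user, "sp_issuer": None, "in_response_to": None}
        return session_id

    def logout(self, session_id):
        """Ends the local session. Returns (slo_url, LogoutRequest XML) when an SP session
        exists to terminate, or None when there is no SP to notify."""
        sess = self.sessions.pop(session_id)
        if sess["sp_issuer"] is None:
            return None  # portal-initiated: nothing to send, only the local session ends
        sp = self.sp_metadata[sess["sp_issuer"]]
        lr = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
            "ID": "_" + uuid.uuid4().hex,
            "Version": "2.0",
            "IssueInstant": now_iso(),
            "Destination": sp["slo"],
        })
        ET.SubElement(lr, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
        ET.SubElement(lr, f"{{{SAML}}}NameID").text = sess["user"]
        return sp["slo"], ET.tostring(lr, encoding="unicode")


if __name__ == "__main__":
    idp = ToyIdP(SP_METADATA)
    sp_id = "urn:example:sp:cloud-mail"
    sid, acs = idp.consume_authn_request(build_authn_request(sp_id, SP_METADATA[sp_id]["acs"]), "alice@example.test")
    print("SP-initiated: respond to", acs, "-> logout yields", idp.logout(sid)[0])
    print("portal-initiated: logout yields", idp.logout(idp.login_on_portal("bob@example.test")))
```

Running the script shows the first session producing a LogoutRequest addressed to the SP's SLO URL and the second producing nothing, which is the situation the reply describes when logout is clicked on a webtop that never consumed a SAMLRequest.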