Forum Discussion
Single logout doesn't work for Office 365 with F5 APM as Idp
- Sep 12, 2019
This sounds like expected behavior.
1.) If it is SP initiated the the user would automatically get redirected back to 0365 with a SAMLResponse and complete SAML login.
Therefore, they should not get a webtop on the BIG-IP as IdP and not be able to click logout.
This would mean that SLO would work as expected from the SP standpoint.
2.) Let's say that SP initiated connection land on a webtop. This means they do not have it setup correctly. SP initiated connections _should_ redirect back to the SP automatically.
If they are presented with a webtop, This means the IdP didn't consume the SAMLRequest and now it will be considered an IdP initiated connection since it was not sent back to the SP.
Now that its IdP initiated, there is no knowledge of the SAMLRequest so the BIG-IP does not know where the user is coming from to trigger SLO when the logout is clicked.
3.) There theoretically should not be a scenario where the user need to logout of the BIG-IP as IdP as the user should not be staying on the IdP any longer than to authentication then get redirected back to O365.
4.) As far as:
'When doing the logout from the F5 webtop (via logout button), Office 365 throws an error: "AADSTS90081: An error occurred when we tried to process a WS-Federation message. The message was invalid.'
This is because there is not a completed SSO session to be removed based off the answers above.
Hello
OK, we will put the SLR url as logoffurl in Azure. Can you share where you found that Azure only supports Single logout Reponse? Thanks.
I only found the metadata and this here:
"Azure AD will use HTTP POST for the authentication request to the identity provider and REDIRECT for the sign out message to the identity provider."
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com