Forum Discussion
Single Logout Request URL
We have set up the F5 APM to act as an IdP for Citrix Sharefile and have Single Sign On working. However, when we create the IdP SAML and set up the external SP, it created Single Logout Request and Response URLs as well: saml/sp/profile/post/sls and saml/sp/profile/post/slr.
If we set the logout URL on Sharefile to saml/sp/profile/post/sls, it posts to that URL but gets a 404, as it doesn't look like the APM is set up to service that URL. And it doesn't do anything on the APM side to invalidate the assertion for the user, so if they go back to the Sharefile login it uses the previous SAML assertion (sends them to the F5 login page and, since that user still has a valid assertion, it sends it back to Sharefile and logs them in). How do we remove the assertion on clicking logout from Sharefile?
- MarkD_01_143767 (Nimbostratus)
Using "./my.logout.php3", but it isn't redirecting to the logon page like we would like. Did you ever find anything with this?
- Kevin_Stewart (Employee)
When APM is configured for both IdP and SP, the Single Logout (SLO) URIs (saml/sp/profile/post/sls and saml/sp/profile/post/slr) expect a POSTed SAMLRequest and SAMLResponse, respectively. When you click the logout button (a link to /vdesk/hangup.php3 on a SAML-based APM SP VIP), that should generate an auto-post to the sls URI with a SAMLRequest and to the IdP. The IdP responds with an auto-post to the slr URI and a SAMLResponse to the SP. I can't speak specifically for a third-party SP, but it should probably behave the same way. Can you take a packet capture and see if the SP is in fact POSTing a SAMLRequest to the IdP for SLO?
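To check what the packet capture asked for above actually contains, here is an added example (not from this thread or from F5) that decodes a captured form body POSTed to an sls endpoint and reports whether it really carries a SAML LogoutRequest and for which Issuer, NameID and SessionIndex. It also goes beyond the HTTP-POST binding by inflating the DEFLATE encoding the HTTP-Redirect binding uses; the hostnames, entity IDs and request IDs are placeholders, and the sample request is constructed here.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample LogoutRequest, shaped like what an SP would POST to the
# IdP's .../saml/idp/profile/post/sls endpoint. All entity IDs are placeholders.
SAMPLE_LOGOUT_REQUEST = f"""<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_placeholder-request-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://idp.example.com/saml/idp/profile/post/sls">
  <saml:Issuer>https://sp.example.com/metadata</saml:Issuer>
  <saml:NameID>user@example.com</saml:NameID>
  <samlp:SessionIndex>_placeholder-session-index</samlp:SessionIndex>
</samlp:LogoutRequest>"""

def build_post_body(xml: str) -> str:
    """Encode a request as the HTTP-POST binding does: base64 only, no DEFLATE."""
    return urlencode({"SAMLRequest": base64.b64encode(xml.encode()).decode()})

def decode_saml_param(value: str) -> bytes:
    """Base64-decode; if the result is not XML, assume the HTTP-Redirect binding's raw DEFLATE."""
    raw = base64.b64decode(value)
    return raw if raw.lstrip().startswith(b"<") else zlib.decompress(raw, -15)

def inspect_slo_post(body: str) -> dict:
    """Report whether a captured POST body to an sls endpoint really carries a LogoutRequest."""
    params = parse_qs(body)
    if "SAMLRequest" not in params:
        return {"is_logout_request": False, "reason": "no SAMLRequest parameter"}
    root = ET.fromstring(decode_saml_param(params["SAMLRequest"][0]))
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        return {"is_logout_request": False, "reason": f"unexpected root element {root.tag}"}

    def text(tag: str):
        el = root.find(tag)
        return None if el is None else el.text
    return {
        "is_logout_request": True,
        "destination": root.get("Destination"),
        "issuer": text(f"{{{SAML}}}Issuer"),
        "name_id": text(f"{{{SAML}}}NameID"),
        "session_index": text(f"{{{SAMLP}}}SessionIndex"),
    }

if __name__ == "__main__":
    print(inspect_slo_post(build_post_body(SAMPLE_LOGOUT_REQUEST)))
```

Paste the raw form body from the capture (the bytes after the HTTP headers) into inspect_slo_post; a body without a SAMLRequest parameter, or one whose root element is not LogoutRequest, is the "SP does not actually do SLO" case discussed below.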
- MarkD_01_143767 (Nimbostratus)
The thing here is that ShareFile doesn't support SLO yet. I wound up writing an iRule yesterday that intercepts a custom URI, kills the APM session, and redirects back to the ShareFile logon page. I just point the ShareFile logout URL to "https://samlVIP/sflogout". This is working perfectly for me.
- Ben_Newport_102 (Nimbostratus)
We found the same issue, but it isn't just that ShareFile doesn't support SLO; it's the fact that it sends to the logout URL framed, which the F5 doesn't allow. We found that in some browsers we weren't actually getting logged out with MarkD's suggestion, so we point it at a generic URI "/sharefile-logout", break out of the frame, and then kill the session with the following iRule:
when HTTP_REQUEST {
    if { [HTTP::uri] equals "/sharefile-logout" } {
        HTTP::respond 200 content "Logging out.. "
    }
}
when ACCESS_ACL_ALLOWED {
    if { [HTTP::uri] equals "/saml/sp/profile/post/sls/sharefile" } {
        ACCESS::session remove
    }
}
This worked in all browsers and versions that we tested.
- Ben_Newport_102 (Nimbostratus)
Looks like the HTML got stripped; surround this in script tags to remove the frame that Sharefile sends over:
<script>window.top.location.href='https://"insert domain here"/vdesk/hangup.php3';</script>
- MarkD_01_143767 (Nimbostratus)
This was my iRule. I attached this to my SAML VIP. All is well.
when HTTP_REQUEST {
    if { [HTTP::uri] equals "/sflogout" } {
        ACCESS::session remove
        HTTP::redirect "https://ourname.sharefile.com"
    }
}
- Peter_Baumann (Cirrostratus)
Just for your information... In v12 the SLO iRule doesn't seem to work anymore.
- aremondini (Nimbostratus)
Hi all,
I had the same problem; I modified your iRule and now it works correctly! :)
when HTTP_REQUEST {
    if { [HTTP::uri] equals "/cgi/urllogout" } {
        ACCESS::session modify -timeout 1
        HTTP::redirect "https://company.sharefile.com"
    }
}
P.S. ACCESS::session remove doesn't seem to work, so I modified the timeout to 1 sec.
Hello,
F5 APM to act as an IdP ... saml/sp/profile/post/sls
hmm.. looking at my configuration, the SLO URL is: /saml/idp/profile/post/sls
Gabriel
- Kevin_Stewart (Employee)
hmm.. looking at my configuration, the SLO URL is: /saml/idp/profile/post/sls
It depends on which one you're looking at. The single logout request URL for the external IdP connector of an APM SP would be /saml/idp/profile/post/sls. The single logout request URL for the external SP connector of an APM SP would be /saml/sp/profile/post/sls.
I think the theme of this post (among other things) was that Citrix ShareFile doesn't support SLO. Ben and MarkD came up with some pretty clever workarounds.
- Brian_Thompson (Nimbostratus)
Check your IdP metadata for your IdP Entity ID; it is likely that your URI is not actually /saml but rather something else. Try sending a raw SLO request to this entityID and see what response you get. Also be very familiar with the documentation found here: https://support.f5.com/csp/article/K70726133
- Bryan_Vance_171 (Nimbostratus)
I am interested in the solution for this as well. We just purchased ShareFile and I am researching setting up the DMZ proxy. Is there some config guidance for setting up the SAML IdP for ShareFile?