Forum Discussion

Ben_Newport_102
Jan 07, 2014

Single Logout Request URL

We have set up the F5 APM to act as an IdP for Citrix ShareFile and have Single Sign On working. However, when we created the IdP SAML and set up the external SP, it created Single Logout Request and Response URLs as well: saml/sp/profile/post/sls and saml/sp/profile/post/slr

 

If we set the logout URL on ShareFile to the saml/sp/profile/post/sls it posts to that URL, but gets a 404, as it doesn't look like the APM is set up to service that URL. And it doesn't do anything on the APM side to invalidate the assertion for the user, so if they go back to the ShareFile login it uses the previous SAML assertion (sends them to the F5 login page, and since that user still has a valid assertion it sends it back to ShareFile and logs them in). How do we remove the assertion on clicking logout from ShareFile?

 

  • I am interested in the solution for this as well. We just purchased ShareFile and I am researching setting up the DMZ proxy. Is there some config guidance for setting up the SAML IdP for ShareFile?

     

  • Check your IdP metadata for your IdP Entity ID; it is likely that your URI is not actually /saml but rather something else. Try sending a raw SLO request to this entity ID and see what response you get. Also be very familiar with the documentation found here: https://support.f5.com/csp/article/K70726133

     

  • hmm.. looking at my configuration, the SLO URL is: /saml/idp/profile/post/sls

     

    It depends on which one you're looking at. The single logout request URL for the external IdP connector of an APM SP would be /saml/idp/profile/post/sls. The single logout request URL for the external SP connector of an APM SP would be /saml/sp/profile/post/sls.

     

    I think the theme of this post (among other things) was that Citrix ShareFile doesn't support SLO. Ben and MarkD came up with some pretty clever workarounds.

     

  • Hello,

     

    F5 APM to act as an IdP ... saml/sp/profile/post/sls

     

    hmm.. looking at my configuration, the SLO URL is: /saml/idp/profile/post/sls

     

    Gabriel

     

  • This was my iRule. I attached this to my SAML VIP. All is well.

     

    when HTTP_REQUEST {
        if { [HTTP::uri] equals "/sflogout" } {
            ACCESS::session remove
            HTTP::redirect "https://ourname.sharefile.com"
        }
    }

     

    • aremondini

      Hi all,

      I had the same problem; I modified your iRule and now it works correctly! :)

       

      when HTTP_REQUEST {
          if { [HTTP::uri] equals "/cgi/urllogout" } {
              ACCESS::session modify -timeout 1
              HTTP::redirect "https://company.sharefile.com"
          }
      }

       

       

      P.S. ACCESS::session remove doesn't seem to work; I modified the timeout to 1 sec instead.

    • Peter_Baumann
      Just for your information... In v12 the SLO iRule doesn't seem to work anymore.
  • Looks like the HTML got stripped. Surround this in script tags to remove the frame that ShareFile sends over:

     

    window.top.location.href='https://"insert domain here"/vdesk/hangup.php3';

     

  • We found the same issue, but it isn't just that ShareFile doesn't support SLO; it's the fact that it sends to the logout URL framed, which the F5 doesn't allow. We found that in some browsers we weren't actually getting logged out with MarkD's suggestion, so we point it at a generic URI "/sharefile-logout", break out of the frame, and then kill the session with the following iRule:

     

    when HTTP_REQUEST {
        if { [HTTP::uri] equals "/sharefile-logout" } {
            HTTP::respond 200 content "Logging out.. "
        }
    }

     

    when ACCESS_ACL_ALLOWED {
        if { [HTTP::uri] equals "/saml/sp/profile/post/sls/sharefile" } {
            ACCESS::session remove
        }
    }

     

    This worked in all browsers and versions that we tested.

     

  • The thing here is that ShareFile doesn't support SLO yet. I wound up writing an iRule yesterday that intercepts a custom URI, kills the APM session, and redirects back to the ShareFile logon page. I just point the ShareFile logout URL to "https://samlVIP/sflogout". This is working perfectly for me.

     

  • When APM is configured for both IdP and SP, the Single Logout (SLO) URIs (saml/sp/profile/post/sls and saml/sp/profile/post/slr) are expecting a POSTed SAMLRequest and SAMLResponse, respectively. When you click the logout button, which is a link to /vdesk/hangup.php3 on a SAML-based APM SP VIP, that should generate an auto-post to the sls URI with a SAMLRequest to the IdP. The IdP responds with an auto-post to the slr URI with a SAMLResponse to the SP. I can't speak specifically for a third-party SP, but it should probably behave the same way. Can you take a packet capture and see if the SP is in fact POSTing a SAMLRequest to the IdP for SLO?
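To make the sls/slr exchange described above concrete, here is an added, self-contained Python sketch (not code from the thread or from F5) of the SP-side LogoutRequest, the IdP-side handling that actually drops the session, and the SP-side check of the LogoutResponse. Hostnames, entity IDs and session indexes are constructed; message signing and signature verification, which a real deployment must do, are left out.

```python
import base64
import uuid
from datetime import datetime, timezone
from xml.etree import ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed IdP host; the URI paths are the APM SLO endpoints named in the thread.
SLS_URL = "https://idp.example.com/saml/sp/profile/post/sls"
SLR_URL = "https://idp.example.com/saml/sp/profile/post/slr"

def build_logout_request(sp_entity_id, name_id, session_index):
    """SP side: the LogoutRequest auto-POSTed (base64 in the SAMLRequest form field) to .../sls."""
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest", ID="_" + uuid.uuid4().hex, Version="2.0",
                     IssueInstant=datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
                     Destination=SLS_URL)
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    ET.SubElement(req, f"{{{SAML}}}NameID").text = name_id
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = session_index
    return base64.b64encode(ET.tostring(req)).decode()

def idp_handle_logout(saml_request_b64, sessions):
    """IdP side: parse the POSTed request, remove the named session, answer with a LogoutResponse for .../slr.
    Removing the session is what stops the old assertion being reused on the next ShareFile login."""
    req = ET.fromstring(base64.b64decode(saml_request_b64))
    if req.tag != f"{{{SAMLP}}}LogoutRequest" or req.get("Destination") != SLS_URL:
        raise ValueError("not a LogoutRequest for this endpoint")
    idx = req.findtext(f"{{{SAMLP}}}SessionIndex")
    removed = sessions.pop(idx, None) is not None
    resp = ET.Element(f"{{{SAMLP}}}LogoutResponse", ID="_" + uuid.uuid4().hex, Version="2.0",
                      InResponseTo=req.get("ID"), Destination=SLR_URL)
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", Value=SUCCESS if removed else RESPONDER)
    return base64.b64encode(ET.tostring(resp)).decode()

def sp_verify_logout_response(saml_response_b64, request_b64):
    """SP side: accept the response only if it answers our own request and reports Success."""
    resp = ET.fromstring(base64.b64decode(saml_response_b64))
    req = ET.fromstring(base64.b64decode(request_b64))
    code = resp.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    return resp.get("InResponseTo") == req.get("ID") and code is not None and code.get("Value") == SUCCESS
```

A packet capture of a working SLO, as the reply suggests, should show exactly these two base64 form posts: a SAMLRequest to sls and a SAMLResponse to slr whose InResponseTo matches the request ID.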

     

  • Using "./my.logout.php3", but it isn't redirecting to the logon page like we would like. Did you ever find anything with this?