Forum Discussion
Single Logout Request URL
We have setup the F5 APM to act as an IdP for Citrix Sharefile and have Single Sign On working. However when we create the IdP SAML and setup the external SP it created Single Logout Request and Response URLs as well. saml/sp/profile/post/sls and saml/sp/profile/post/slr
If we set the logout URL on Sharefile to the saml/sp/profile/post/sls it posts to that URL, but gets a 404 as it doesn't look like the APM is setup to service that url. And it doesn't do anything on the APM side to invalidate the assertion for the user so if they go back to the Sharefile login it uses the previous SAML assertion (sends them to the F5 login page and since that user still has a valid assertion it sends it back to sharefile and logs them in). How do we remove the assertion on clicking logout from Sharefile?
- Bryan_Vance_171Nimbostratus
I am interested in the solution for this as well. We just purchased ShareFile and I am researching setting up the DMZ proxy. Is there some config guidance for setting up the SAML IdP for ShareFile?
- Brian_ThompsonNimbostratus
Check your IdP metadata for your IdP Entity ID, it is likely that your URI is not actually /saml but rather something else, try sending a raw SLO request to this entityID and see what response you get, also be very familiar with the documentation found here https://support.f5.com/csp/article/K70726133
- Kevin_StewartEmployee
hmm.. looking at my configuation, the SLO URL is: /saml/idp/profile/post/sls
It depends on which one you're looking at. The single logout request URL for the external IdP connector of an APM SP would be /saml/idp/profile/post/sls. The single logout request URL for the external SP connector of an APM SP would be /saml/sp/profile/post/sls.
I think the theme of this post (among other things) was that Citrix ShareFile doesn't support SLO. Ben and MarkD came up with some pretty clever workarounds.
Hello,
F5 APM to act as an IdP ... saml/sp/profile/post/sls
hmm.. looking at my configuation, the SLO URL is: /saml/idp/profile/post/sls
Gabriel
- MarkD_01_143767Nimbostratus
This was my iRule. I attached this to my SAML VIP. All is well.
when HTTP_REQUEST { if { [HTTP::uri] equals "/sflogout" } { ACCESS::session remove HTTP::redirect "https://ourname.sharefile.com" } }
- aremondiniNimbostratus
Hi all,
I'd the same problem, I've modify your iRule and now works correctly! :)
when HTTP_REQUEST {
if { [HTTP::uri] equals "/cgi/urllogout" } {
ACCESS::session modify -timeout 1
HTTP::redirect "https:company.sharefile.com" } }
P.S. ACCESS:session remove seems doens't work, i've modify timeout in 1 sec.
- Peter_BaumannCirrostratusJust for your information... In v12 the SLO iRule doesn't seem to work anymore.
- Ben_Newport_102Nimbostratus
Looks like the html got stripped, surround this in script tags to remove the frame that Sharefile sends over:
window.top.location.href='https://"insert domain here"/vdesk/hangup.php3';
- Ben_Newport_102Nimbostratus
We found the same issue, but it isn't just that ShareFile doesn't support SLO its the fact that it sends to the logout URL framed which the F5 doesn't allow. We found that in some browsers we weren't actually getting logged out with MarkD's suggestion so we point it at a generic uri "/sharefile-logout" and break out the frame and then kill the session with the following iRule:
when HTTP_REQUEST { if {[HTTP::uri] equals "/sharefile-logout"} { HTTP::respond 200 content "Logging out.. " } }
when ACCESS_ACL_ALLOWED { if {[HTTP::uri] equals "/saml/sp/profile/post/sls/sharefile"} { ACCESS::session remove } }
This worked in all browsers and versions that we tested.
- MarkD_01_143767Nimbostratus
The thing here is that ShareFile doesn't support SLO yet. I wound up writing an iRule yesterday that intercepts a custom URI, kills the APM session, and redirects back to the ShareFile logon page. I just point the ShareFile logout URL to "https://samlVIP/sflogout". This is working perfectly for me.
- Kevin_StewartEmployee
When APM is configured for both IdP and SP, the Single Logout (SLO) URIs (saml/sp/profile/post/sls and saml/sp/profile/post/slr) are expecting a POSTed SAMLRequest and SAMLResponse, respectively. When you click the logout button, a link to /vdesk/hangup.php3 on a SAML-based APM SP VIP, that should generate an auto-post to the sls URI with a SAMLRequest and to the IdP. The IdP responds with an auto-post to the slr URI and a SAMLResponse to the SP. I can't speak specifically for a third-party SP, but it should probably behave the same way. Can you take a packet capture and see if the SP is in fact POSTing a SAMLRequest to the IdP for SLO?
- MarkD_01_143767Nimbostratus
Using "./my.logout.php3", but it isn't redirecting to the logon page like we would like. Did you ever find anything with this?
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com