APM Cookbook: SAML IdP Chaining
Hi Peter, yes, sure, I can show you the iRule, but it basically redirects /saml/idp/profile/post/sls to the IDP (in my case it is also the F5, but you could send it to the external IDP), and then when you receive the reply you let the SAML SLO process. In the iRule you use ACCESS::restrict_irule_events disable to overrule APM decision making, so it will get redirected before APM handles the SLO, and then when we receive the reply you can type return so APM will process it and reply to the SLO towards the external app.
One thing: this whole iRule customization to have SLO propagated properly with a layered IDP setup worked great in version 13.1; however, now we have 15.1 and it does not work properly (root cause unknown). However, I found that in version 15.1 SLO is now propagated across all layered IDPs, so we have it working now without the customized iRule solution. There is no documented change in behavior between 13.1 and 15.1 regarding SLO, but I can assure you that it works now by default, and that is what we all want, right? ;-)
If you still want to see the iRule, let me know. I would recommend trying it with version 15.1.