cancel
Showing results for 
Search instead for 
Did you mean: 

APM: how configure logout user session

Massimo_Ruscian
Nimbostratus
Nimbostratus

Hi, I have 3 different web applications behind a BigIP VS which does Kerberos authentication. I need to understand how terminate user sessions on all three of the applications when a user logs out from just one of them. With my actual configuration if I have a user logged on "application1" and "application2" and the user perform logout from the "application2" he is redirected to "application1". I need that when a user perform logout from one application all session will be terminated without any redirect.

 

Thanks in advance for your support.

 

6 REPLIES 6

woytaz
Nimbostratus
Nimbostratus

Hi,

 

Use Logout URI Include in APM profile or change the link on the logout button on the application to

 

/vdesk/hangup.php3

 

1 solution - APM will kill the session after default 5 seconds

 

2 solution - APM will kill the session immediately

 

Yoann_Le_Corvi1
Cumulonimbus
Cumulonimbus

Hi

 

Did you addd a "Logout URL" in your policy properties ? Just check what URL is used in the application1 and application 2 to logout, and add them as logout urls in the Access Policy properties..

 

Like this login out of one of them will end all sessions, including APM Session.

 

Kai_Wilke
MVP
MVP

Hi Massimo,

 

in addition to the solution explained by Woytaz and Yoann, you could also deploy an iRule to implement SLO (Single-Log-Off) for your applications.

 

Using an iRule is the most flexible approach and will be your last chance if:

 

  1. You can't change the Logoff buttons of the individual Web-Applications
  2. The Logoff action is triggered by using query-string parameters (e.g. ?logoff=true).
  3. You want to delete some backend session cookies in addition to the APM session cookies.

The required iRule will basically inspect incomming web requests and searches for configured logoff signatures. Once a logoff signature is identified, it will perform a HTTP redirect to APM logoff page where the APM user session will be destroyed.

 

when HTTP_REQUEST { switch -glob -- [HTTP::uri] { "*/somefile.ext?logoff=true" { HTTP::respond 307 content "Document MovedObject MovedThis document may be found " \ noserver \ "Content-Type" "text/html" \ "Location" "/vdesk/hangup.php3" } "?killsession=true" { HTTP::respond 307 content "Document MovedObject MovedThis document may be found " \ noserver \ "Content-Type" "text/html" \ "Location" "/vdesk/hangup.php3" } } }

Note: You have stated that you use Kerberos authentication for your backend application. In many cases the Kerberos authentication will be used just to retrieve a session cookie for further website access. If security is a concern you may want to clear those cookies during the redirect to APMs logoff page by adding a Set-Cookie parameter and value to the HTTP::redirect command.

 

... "Content-Type" "text/html" \ "Set-Cookie" "AppAuthCookie=; expires=Thu, 01 Jan 1970 00:00:00 GMT;Path=/;Secure;HttpOnly" \ "Location" "/vdesk/hangup.php3" ...

Note: For some customers I've implemented a APM-session based Cookie-Proxy which intercepts session cookies send by the backend application, stores them into the users APM session and injects them back on server side request, so that the browser does not need to store those sensitive cookies. Let me know if this sounds interesting for you...

 

Cheers, Kai

 

Massimo_Ruscian
Nimbostratus
Nimbostratus

I also added /vdesk/hangup.php3 into my access profile, but I receive always the same error.

 

Massimo_Ruscian
Nimbostratus
Nimbostratus

Hi, I performed other test.

 

Scenario N.1 - Login only on SERVICE-A -

 

When I do the logout from SERVICE-A the browser was correctly redirected to the url

 

I can see into the APM log the session correctly disconnected: info tmm[18552]: 014d1704:6: /Common/multi_sp.access.profile_v1.3:Common:407a1a3a:SAML SSO: Successfully verified SAML message signature notice tmm[18552]: 01490501:5: /Common/multi_sp.access.profile_v1.3:Common:407a1a3a: Session deleted due to user logout request.

 

Scenario N.2 - Login on SERVICE-A and SERVICE-B -

 

When I do the logout from SERVICE-A the browser was correctly redirected to the url but after perform a GET on I can see into the APM log the session redirected to SERVICE-B with the Assertion.

 

Any Idea on I can fix the issue?

 

Thanks to all.

 

Stanislas_Piro2
Cumulonimbus
Cumulonimbus

Hi Massimo,

 

correct me if I'm wrong, but I searched on the whole thread and I didn't find any information about SAML on initial question and following comments.

 

The answer provided from Kai may not work because of this missing but required information.

 

So now, Can you provide any informations required to help you troubleshoot.

 

  • Where is the IdP? on the BigIP?
  • Where are SP? on the BigIP?

when you ask to logout with SLO enabled, the process is the following:

 

  1. user request an access to Service1 --> redirect to IdP for authentication with assertion
  2. user authenticate on IdP --> redirect to SP Service1 with assertion
  3. user request an access to Service2 --> redirect to IdP for authentication with assertion
  4. user is already authenticated on IdP --> redirect to SP Service1 with assertion
  5. user request a logout on Service2 --> redirect to IdP for logout
  6. user request a logout on IdP --> redirect to Service1 for logout
  7. user request a logout on Service1 --> redirect to IdP to confirm Logout
  8. user request a logout on IdP --> redirect to Service2 to confirm Logout of all SP which used same session
  9. user request a logout on Service2 --> The session on Service2 is closed only when this request is received on APM

If One SLO request fails, the session is not closed on Service2