Forum Discussion

Massimo_Ruscian
Jan 16, 2019

APM: how to configure user session logout

Hi, I have 3 different web applications behind a BigIP VS which does Kerberos authentication. I need to understand how to terminate the user sessions on all three applications when a user logs out from just one of them. With my current configuration, if a user is logged on to "application1" and "application2" and the user performs a logout from "application2", he is redirected to "application1". I need that when a user performs a logout from one application, all sessions are terminated without any redirect.

Thanks in advance for your support.
6 Replies

  • Hi,

    Use Logout URI Include in the APM profile or change the link on the logout button of the application to

    /vdesk/hangup.php3

    Solution 1 - APM will kill the session after the default 5 seconds

    Solution 2 - APM will kill the session immediately


  • Hi

    Did you add a "Logout URL" in your policy properties? Just check what URL is used in application1 and application2 to log out, and add them as logout URLs in the Access Policy properties.

    Like this, logging out of one of them will end all sessions, including the APM session.


  • Hi Massimo,

    in addition to the solution explained by Woytaz and Yoann, you could also deploy an iRule to implement SLO (Single-Log-Off) for your applications.

    Using an iRule is the most flexible approach and will be your last chance if:

    1. You can't change the Logoff buttons of the individual Web-Applications
    2. The Logoff action is triggered by using query-string parameters (e.g. ?logoff=true).
    3. You want to delete some backend session cookies in addition to the APM session cookies.

    The required iRule will basically inspect incoming web requests and search for configured logoff signatures. Once a logoff signature is identified, it will perform an HTTP redirect to the APM logoff page, where the APM user session will be destroyed.

    when HTTP_REQUEST {
        # Look for configured logoff signatures in the request URI. The patterns are
        # brace-quoted so that \? matches a literal question mark; an unescaped ? in a
        # -glob pattern would match any single character instead.
        switch -glob -- [HTTP::uri] {
            {*/somefile.ext\?logoff=true} {
                # Send the browser to the APM logoff page, which deletes the APM session.
                HTTP::respond 307 content {<html><head><title>Document Moved</title></head><body><h1>Object Moved</h1>This document may be found <a href="/vdesk/hangup.php3">here</a></body></html>} \
                                    noserver \
                                    "Content-Type" "text/html" \
                                    "Location" "/vdesk/hangup.php3"
            }
            {*\?killsession=true} {
                HTTP::respond 307 content {<html><head><title>Document Moved</title></head><body><h1>Object Moved</h1>This document may be found <a href="/vdesk/hangup.php3">here</a></body></html>} \
                                    noserver \
                                    "Content-Type" "text/html" \
                                    "Location" "/vdesk/hangup.php3"
            }
        }
    }


    Note: You have stated that you use Kerberos authentication for your backend application. In many cases the Kerberos authentication will be used just to retrieve a session cookie for further website access. If security is a concern, you may want to clear those cookies during the redirect to APM's logoff page by adding a Set-Cookie parameter and value to the HTTP::redirect command.

    ...
    "Content-Type" "text/html" \
    "Set-Cookie" "AppAuthCookie=; expires=Thu, 01 Jan 1970 00:00:00 GMT;Path=/;Secure;HttpOnly" \
    "Location" "/vdesk/hangup.php3"
    ...


    Note: For some customers I've implemented an APM-session based Cookie-Proxy which intercepts session cookies sent by the backend application, stores them in the user's APM session and injects them back on the server-side request, so that the browser does not need to store those sensitive cookies. Let me know if this sounds interesting for you...

    Cheers, Kai
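    The following iRule is an added example, not Kai's iRule or F5's own code, and it combines the two pieces above: several logoff signatures (path-based and query-string based) are checked in one loop, and the backend session cookies are expired in the same response that sends the browser to the APM logoff page. The signature list, the application paths (/app1/logout, /app2/Logoff.aspx) and the cookie names (AppAuthCookie, ASP.NET_SessionId) are assumptions for illustration and must be replaced with the real values of the three applications.

```tcl
# Added example (not Kai's iRule or F5's own code). Single-log-off iRule that
# matches several logoff signatures and expires backend session cookies before
# sending the browser to the APM logoff page. The signatures and cookie names
# below are assumptions for illustration; adjust them to the real applications.
when RULE_INIT {
    # Logoff signatures as glob patterns, brace-quoted so that \? matches a
    # literal question mark (an unescaped ? would match any single character).
    set static::slo_patterns [list \
        {*/app1/logout*} \
        {*/app2/Logoff.aspx*} \
        {*\?logoff=true*} \
        {*\?killsession=true*} ]
}

when HTTP_REQUEST {
    # Never intercept APM's own pages, otherwise the redirect would loop.
    if { [string tolower [HTTP::path]] starts_with "/vdesk/" } {
        return
    }

    foreach pattern $static::slo_patterns {
        if { [string match -nocase $pattern [HTTP::uri]] } {
            # Logging which signature fired makes the SLO behaviour easy to verify
            # next to APM's own "Session deleted due to user logout request" entry.
            log local0.info "SLO: '$pattern' matched for [IP::client_addr] on [HTTP::host][HTTP::uri]"

            # Expire the (assumed) backend session cookies, then hand off to the
            # APM logoff page, which destroys the APM session and its SSO cookies.
            HTTP::respond 302 content {<html><body>Logging out...</body></html>} \
                noserver \
                "Content-Type" "text/html" \
                "Cache-Control" "no-store" \
                "Set-Cookie" "AppAuthCookie=; expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/; Secure; HttpOnly" \
                "Set-Cookie" "ASP.NET_SessionId=; expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/; Secure; HttpOnly" \
                "Location" "/vdesk/hangup.php3"
            return
        }
    }
}
```

    The iRule is attached to the virtual server that carries the access profile, in front of all three applications, so a logoff signature from any one of them ends the shared APM session. The early return on /vdesk/ matters: without it a signature that happened to match APM's own URIs would redirect the browser in a loop. Expiring the backend cookies only removes them from the browser; the applications' server-side sessions still end on their own timeout unless the application's logout handler is also invoked.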

  • I also added /vdesk/hangup.php3 to my access profile, but I always receive the same error.


  • Hi, I performed other tests.

    Scenario N.1 - Login only on SERVICE-A -

    When I do the logout from SERVICE-A, the browser is correctly redirected to the url

    I can see in the APM log that the session is correctly disconnected:

    info tmm[18552]: 014d1704:6: /Common/multi_sp.access.profile_v1.3:Common:407a1a3a:SAML SSO: Successfully verified SAML message signature
    notice tmm[18552]: 01490501:5: /Common/multi_sp.access.profile_v1.3:Common:407a1a3a: Session deleted due to user logout request.

    Scenario N.2 - Login on SERVICE-A and SERVICE-B -

    When I do the logout from SERVICE-A, the browser is correctly redirected to the url but after performing a GET on I can see in the APM log the session redirected to SERVICE-B with the Assertion.

    Any idea how I can fix the issue?

    Thanks to all.


  • Hi Massimo,

    correct me if I'm wrong, but I searched the whole thread and I didn't find any information about SAML in the initial question and the following comments.

    The answer provided by Kai may not work because of this missing but required information.

    So now, can you provide the information required to help you troubleshoot?

    • Where is the IdP? On the BigIP?
    • Where are the SPs? On the BigIP?

    When you ask to log out with SLO enabled, the process is the following:

    1. user requests access to Service1 --> redirect to IdP for authentication with assertion
    2. user authenticates on IdP --> redirect to SP Service1 with assertion
    3. user requests access to Service2 --> redirect to IdP for authentication with assertion
    4. user is already authenticated on IdP --> redirect to SP Service1 with assertion
    5. user requests a logout on Service2 --> redirect to IdP for logout
    6. user requests a logout on IdP --> redirect to Service1 for logout
    7. user requests a logout on Service1 --> redirect to IdP to confirm logout
    8. user requests a logout on IdP --> redirect to Service2 to confirm logout of all SPs which used the same session
    9. user requests a logout on Service2 --> the session on Service2 is closed only when this request is received on APM

    If one SLO request fails, the session is not closed on Service2.