
SAML: F5 as SP, Azure as IdP Problems with SLO

jk20004
Cirrus

We use the F5 as SAML SP and Azure as SAML IdP.

The SSO part works well; only the SLO causes problems.

When I use the ResponseLocation URL (/saml/sp/profile/redirect/slr) from the metadata XML as the "Logout Url" (in Azure), the SP-initiated SLO (Logout button on the webtop) works, but the IdP-initiated SLO (logout in Azure) does not end the F5 session; the APM log shows "SLO Request is received on SLO Response URL".


Looking in more detail at the assertion, we can see that Azure sends "<samlp:LogoutResponse..." on an SP SLO and "<samlp:LogoutRequest" on an IdP SLO, so F5 should be able to find the correct "Option", but it only looks at the URL, and Azure gives no way to enter a second URL.

When I use the Location URL (/saml/sp/profile/redirect/sls) in Azure, it is the other way around.

In Azure, the help text suggests using the response URL.


The SAML RFC is also not very helpful; it "only" describes the content.

Tests with the "new" iRule events ACCESS_SAML_.... do not bring any new insights either; ACCESS_SAML_SLO_REQ and ACCESS_SAML_SLO_RESP look like they are fired based on the URI and not on the option in the assertion.

Is there a way to decode (and deflate) the assertion in an iRule to read the SLO option and set the URI F5 expects, or any other idea how we can solve the problem?
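An added example, not from the original post or from F5, written in Python rather than iRule TCL: it does the decoding the question asks about for the HTTP-Redirect binding (base64 over raw DEFLATE), reads the root element to tell a LogoutRequest from a LogoutResponse, and reports whether the message landed on the endpoint F5 expects for that type. The /sls and /slr mapping follows the post; the sample messages and host name are constructed.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Endpoints named in the thread: Location (/sls) handles LogoutRequest,
# ResponseLocation (/slr) handles LogoutResponse. This mapping is assumed here.
SLO_ENDPOINT = {
    "LogoutRequest": "/saml/sp/profile/redirect/sls",
    "LogoutResponse": "/saml/sp/profile/redirect/slr",
}

# Constructed sample messages (not captured from Azure); only the root element matters.
SAMPLE_REQUEST = (f'<samlp:LogoutRequest xmlns:samlp="{SAMLP_NS}" ID="_req1" '
                  'Version="2.0" IssueInstant="2022-08-24T12:00:00Z"/>')
SAMPLE_RESPONSE = (f'<samlp:LogoutResponse xmlns:samlp="{SAMLP_NS}" ID="_rsp1" Version="2.0" '
                   'IssueInstant="2022-08-24T12:00:00Z" InResponseTo="_req0"><samlp:Status>'
                   '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
                   '</samlp:Status></samlp:LogoutResponse>')

def encode_redirect(xml_text):
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()

def decode_redirect(value):
    """Reverse of encode_redirect; strict base64 so garbage fails early."""
    return zlib.decompress(base64.b64decode(value, validate=True), -15).decode()

def build_redirect_url(base, param, xml_text):
    """Build the URL an IdP redirects the browser to (param: SAMLRequest or SAMLResponse)."""
    return f"{base}?{urlencode({param: encode_redirect(xml_text)})}"

def classify_slo(url):
    """Return (message type, SP endpoint that type belongs on) for a redirect-binding SLO URL."""
    query = parse_qs(urlsplit(url).query)
    param = "SAMLRequest" if "SAMLRequest" in query else "SAMLResponse"
    root = ET.fromstring(decode_redirect(query[param][0]))
    ns, _, local = root.tag.rpartition("}")
    if ns.lstrip("{") != SAMLP_NS or local not in SLO_ENDPOINT:
        raise ValueError(f"not an SLO message: {root.tag}")
    return local, SLO_ENDPOINT[local]

def endpoint_matches(url):
    """False when the IdP called one SLO URL with a message type the other endpoint expects."""
    return urlsplit(url).path == classify_slo(url)[1]
```

With Azure's single "Logout Url" set to /slr, an IdP-initiated LogoutRequest arrives on the response endpoint, which is the mismatch the APM log message describes.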


1 ACCEPTED SOLUTION

Have you seen the guide below as it is saying the SLO url /saml/sp/profile/redirect/slo ?

------

From TMOS v16 the SAML SLO endpoint has changed to /saml/sp/profile/redirect/slo.

----------

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/f5-big-ip-header-advanced


5 REPLIES

Better enable policy debug and use a SAML decode site as mentioned below. Hope it helps:


https://support.f5.com/csp/article/K41437771

https://support.f5.com/csp/article/K51854802


jk20004
Cirrus

The necessary error messages are already visible in the log, and we have already successfully decoded the assertion.
The problem is that Azure does not have one SLO URL for the request and one for the response.

An attempt to correct the request URL also fails because F5 additionally looks at the URL in the assertion, and to correct that the only way we found is iRuleLX, but there we have no experience, also in terms of performance and interaction. (SLO at Azure only works with the assertion in the URL as a parameter, and there compression is used.)


jk20004
Cirrus

This is exactly the info I was looking for, thanks!
The only problem is that we are still on 15 and cannot go to 16 because there is a bug with the OneConnect profile that F5 cannot / will not solve, but we hope for the next 17 release.

Still, you can try to follow the Microsoft guide even for 15.1.x or 16.1.x (upgrade to the latest ones), as you have configured the correct old logout URL. F5 and Microsoft have great integrations and they are partners, so SLO should work with Azure; as you see, even Microsoft has a guide for F5 APM. If needed, open cases with F5 and Microsoft if the guide does not help, as per the Microsoft Azure guide the Azure SLO should work with F5 APM.

---------------

Service Provider settings for SLO

Redirect Binding URLs for SLO: