Johan_Lång
Mar 16, 2020
Solved

SAML SLO Error

BIGIP is acting as SP to an IDP. This IDP is one of our authentication methods to the Webtop. For instance, if you are logging out with the Logout button from the webtop, a SAML request is sent to ...
  • Johan_Lång
    Mar 16, 2020

    Seems like the IDP didn't understand "ResponseLocation". The response was sent to Location rather than ResponseLocation; this is something BIGIP does by default:

    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://<bigip>/saml/sp/profile/post/sls" ResponseLocation="https://<bigip>/saml/sp/profile/post/slr"/>

    Temporarily I made an iRule that makes a 307 response from /saml/sp/profile/post/sls to /saml/sp/profile/post/slr instead.

    Waiting for the IDP to update BIGIP's metadata with only:

    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://<bigip>/saml/sp/profile/post/slr"/>

    Could this cause any trouble?
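
Added example, not part of the original post and not F5 code: a Python check that reads SP metadata, resolves where a LogoutRequest and a LogoutResponse belong (in SAML metadata `ResponseLocation` is optional and falls back to `Location`), and flags a message delivered to the wrong endpoint, as described above. The host `bigip.example.com`, the sample metadata and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata; bigip.example.com stands in for the post's <bigip>.
SAMPLE_SP_METADATA = """\
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://bigip.example.com/sp">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://bigip.example.com/saml/sp/profile/post/sls"
        ResponseLocation="https://bigip.example.com/saml/sp/profile/post/slr"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""

def slo_endpoints(metadata_xml):
    """Return one dict per SingleLogoutService endpoint in the metadata."""
    # Assumes the metadata is a trusted local file; use a hardened XML
    # parser for metadata fetched from a peer.
    root = ET.fromstring(metadata_xml)
    endpoints = []
    for el in root.iter(f"{{{MD_NS}}}SingleLogoutService"):
        location = el.get("Location")
        # ResponseLocation is optional; when absent, responses go to Location.
        response_location = el.get("ResponseLocation") or location
        endpoints.append({
            "binding": el.get("Binding"),
            "request_url": location,
            "response_url": response_location,
            "split": response_location != location,
        })
    return endpoints

def check_delivery(endpoints, binding, message_type, delivered_to):
    """Return (ok, expected_url) for a LogoutRequest or LogoutResponse."""
    for ep in endpoints:
        if ep["binding"] == binding:
            key = "response_url" if message_type == "LogoutResponse" else "request_url"
            return delivered_to == ep[key], ep[key]
    raise LookupError(f"no SingleLogoutService for binding {binding}")

if __name__ == "__main__":
    eps = slo_endpoints(SAMPLE_SP_METADATA)
    # The behaviour from the post: the LogoutResponse arrives at .../sls.
    print(check_delivery(eps, HTTP_POST, "LogoutResponse",
                         "https://bigip.example.com/saml/sp/profile/post/sls"))
```
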