
SAML SLO Error

Johan_Lång
Cirrus

BIG-IP is acting as SP to an IdP. This IdP is one of our authentication methods to the Webtop.

 

For instance, if you are logging out with the Logout button from the webtop, a SAMLRequest is sent to their SLS and the ticket is destroyed at their end, but BIG-IP is throwing an error: "Internal error. Failed to process SAML request/response. Please try again or contact your system administrator if error persists."

With URI: /vdesk/my.acl.php3?errorcode=8001

 

The response comes back successfully from the IdP (as issuer) to Destination="https://<bigipadress>/saml/sp/profile/post/sls" with a success code:

<samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>

 

APM log:

SAML SSO: SLO Response is received on SLO Request URL

SAML SSO: SLO Request not found in SAML message 'SAMLResponse=<base64decoded samlrequest>

SAML SSO: Error (12) in reading SP info from sessionDB

SAML SSO: Abort reason: Error in reading sp info from session db

 

The SAMLRequest as it appears in the log is not URI-decoded, but if I look at the form data in Chrome everything looks fine.

 

I've also tried with Redirect instead of POST, but then I get this error in the APM log:

SAML SSO: SLO Request not found in SAML message ''

 

A workaround is to clear the SLO settings in the IdP connector; in this case the APM session is destroyed but the session at the IdP isn't.

 

Any suggestions on how to investigate this further?

 

Thanks,

Johan

 

1 ACCEPTED SOLUTION

Johan_Lång
Cirrus

It seems the IdP didn't understand "ResponseLocation". The response was sent to Location rather than ResponseLocation; this is what BIG-IP does by default:

 

<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://<bigip>/saml/sp/profile/post/sls" ResponseLocation="https://<bigip>/saml/sp/profile/post/slr">

 

Temporarily I made an iRule that sends a 307 response from /saml/sp/profile/post/sls to /saml/sp/profile/post/slr instead.

 

Waiting for the IdP to update BIG-IP's metadata with only:

<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://<bigip>/saml/sp/profile/post/slr">

 

Could this cause any trouble?

 

10 REPLIES


IRONMAN
Cirrostratus

Hi, I have developed the same solution; is there any specific format for the SAML logout request?

What do you mean? 🙂

The IdP did not read the "ResponseLocation"; instead I had to get rid of that and only publish the /slr URL instead of the /sls.

Hi Johan,

 

We are developing our own SAML solution and F5 is acting as IdP here. We do not have the format of the SLO request from SP to IdP; we are getting a Deflate error in F5, not sure if it is encrypted. We

want the format of the SLO request from SP to IdP, with no signing and no encryption!

 

We are using the format below and it is getting an error. It is sent from SP to IdP (F5):

 

<!-- xmlns:saml declaration added here: the snippet as posted used the saml: prefix without declaring it, which is not well-formed XML -->
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                     ID="ONELOGIN_21df91a89767879fc0f7df6a1490c6000c81644d"
                     Version="2.0"
                     IssueInstant="2014-07-18T01:13:06Z"
                     Destination="https://F5IDP.COM/saml/idp/profile/redirect/sls">
  <saml:Issuer>https://SP.COM/SAML-logout.go</saml:Issuer>
  <saml:NameID SPNameQualifier="https://SP.com/SAML-logout.go" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">ONELOGIN_f92cc1834efc0f73e9c09f482fce80037a6251e7</saml:NameID>
</samlp:LogoutRequest>

 

legan
Nimbostratus

I ran into the same issue and I'm not able to resolve this. I have set up APM with Azure AD as a SAML IdP.

All works fine until I log out. I have created a redirect rule that redirects like this:

 

when HTTP_REQUEST {
    if {[HTTP::uri] starts_with "/saml/sp/profile/post/sls"} {
        set new_uri [string map {"/saml/sp/profile/post/sls" "/saml/sp/profile/post/slr"} [HTTP::uri]]
        HTTP::respond 307 noserver Location https://[HTTP::host]$new_uri
    }
}

 

So, this request is redirected:

 

request: https://VPNbox/saml/sp/profile/post/sls?SAMLResponse=...

location: https://VPNbox/saml/sp/profile/post/slr?SAMLResponse=...

 

But on this request I receive the same error response page:

 

request: https://VPNbox/saml/sp/profile/post/slr?SAMLResponse=...

location: /vdesk/my.acl.php3?errorcode=8001

 

We would like to start a pilot, but this is a blocking issue at the moment.

 

I have also tried setting the logout URL in Azure AD to https://VPNbox/saml/sp/profile/post/slr directly, but that also gives me the redirect to the /vdesk/my.acl.php3?errorcode=8001 URI.

What does the APM log say?

 

It was a while ago, but there were a lot of issues with "reposts" via 307 when it comes to SAML.

I would suggest that you manipulate the metadata from your BIG-IP SP connector and then reimport it into Azure AD: simply remove the SLS entry, remove the ResponseLocation attribute, and place the slr URL in Location,

Like this:

<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://<name.domain.com>/saml/sp/profile/post/slr"> </SingleLogoutService>

 

Also make sure that you are using the right binding, Edit SAML SP Connector > SLO Service Settings > Single Logout Binding: POST (if you're using post).

legan
Nimbostratus

I had already set the Logout URL in the Azure AD app registration to https://vpnbox/saml/sp/profile/post/slr, but that also redirected me to /vdesk/my.acl.php3?errorcode=8001.

I have now done as you said: modified the XML and uploaded it, and I only see the Logout URL change, so I expect it's the same as what I did when manually changing the Logout URL in Azure AD.

 

APM log says: /Common/cpp_cra_aad_mfa:Common:22da7c68:SAML SSO: Invalid SLO request path. Expected (/saml/sp/profile/redirect/slr), received (/saml/sp/profile/post/slr?SAMLResponse=...).

Have you kept the HTTP-Redirect binding in the metadata? Try to remove that and only keep HTTP-POST.

Because, as the APM log indicates, Azure sends it as a GET/Redirect (look at the traffic with Chrome + F12, preferably with a SAML-trace tool) and not a POST. You can also try to change that manually in Azure, using POST as the response binding instead of Redirect (if that is possible).

If the only solution is to use Redirect, then only provide HTTP-Redirect as a binding in your metadata from BIG-IP, and change the location to /saml/sp/profile/redirect/slr.
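The metadata rewrite Johan recommends above (drop the /sls entry and the ResponseLocation attribute, put the /slr URL in Location, and keep only the binding the IdP actually uses), as an added Python example that is not code from this thread or from F5. The sample metadata and the hostname vpnbox.example are constructed; the last function mirrors the "Invalid SLO request path" check from the APM log to show why a logout response sent as a GET must land on the redirect path.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
BINDINGS = {"post": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
            "redirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"}
ET.register_namespace("md", MD_NS)

# Constructed sample (vpnbox.example is made up) of the BIG-IP default export: both
# bindings, Location on the /sls request endpoint, ResponseLocation on /slr.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="%s" entityID="https://vpnbox.example/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="%s"
        Location="https://vpnbox.example/saml/sp/profile/post/sls"
        ResponseLocation="https://vpnbox.example/saml/sp/profile/post/slr"/>
    <md:SingleLogoutService Binding="%s"
        Location="https://vpnbox.example/saml/sp/profile/redirect/sls"
        ResponseLocation="https://vpnbox.example/saml/sp/profile/redirect/slr"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>""" % (MD_NS, BINDINGS["post"], BINDINGS["redirect"])

def rewrite_slo(metadata_xml, binding):
    """Keep one SingleLogoutService (the chosen binding), move the /slr URL from
    ResponseLocation into Location and drop ResponseLocation, as the thread advises."""
    root = ET.fromstring(metadata_xml)
    sp = root.find(f"{{{MD_NS}}}SPSSODescriptor")
    keep = None
    for slo in list(sp.findall(f"{{{MD_NS}}}SingleLogoutService")):
        if keep is None and slo.get("Binding") == BINDINGS[binding]:
            # An IdP that ignores ResponseLocation sends the LogoutResponse to
            # Location, so Location must point at the response endpoint (/slr).
            slo.set("Location", slo.get("ResponseLocation", slo.get("Location")))
            slo.attrib.pop("ResponseLocation", None)
            keep = slo
        else:
            sp.remove(slo)
    if keep is None:
        raise ValueError("no SingleLogoutService with %s binding" % binding)
    return ET.tostring(root, encoding="unicode")

def slo_services(metadata_xml):
    """(Binding, Location, ResponseLocation) for every SingleLogoutService, for review."""
    return [(e.get("Binding"), e.get("Location"), e.get("ResponseLocation"))
            for e in ET.fromstring(metadata_xml).iter(f"{{{MD_NS}}}SingleLogoutService")]

def check_slr_path(http_method, path):
    """Mirror APM's 'Invalid SLO request path' check: a GET is the Redirect binding,
    a POST the POST binding, and each has its own /slr path. Returns None when OK."""
    expected = "/saml/sp/profile/%s/slr" % ("redirect" if http_method.upper() == "GET" else "post")
    if path.split("?", 1)[0] == expected:
        return None
    return "Expected (%s), received (%s)" % (expected, path)
```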

legan
Nimbostratus

I cannot modify that in Azure and indeed, it does a GET instead of a POST. Azure documentation says: 'This URL is used to send the SAML Logout response back to the application.'

Now I have set it to https://vpnbox/saml/sp/profile/redirect/slr and that works fine.

Thank you for your assistance!

Glad to help 🙂