SAML SLO
Hi I am configuring F5 as a local SP bound to a Idp connector to an external SAML service and I am trying to figure out the logout and why it is not working. I get that uri "saml/sp/profile/post/sls" as part of the exported metadata for the local sp and the redirections are working fine (doing a POST as well) but it doesn't seem like this url is there, i keep getting an error connecting to the backend. Any ideas? F5 11.6 Virtual instance (test environment) with APM. We have two instances, one is in the DMZ for routing and the other one that is internal has the APM module and all the configuration for SAML
Storefront logout and re-authenticate with no prompt for credentials
Hi, We've integrated citrix storefront with F5 (11.6.2) recently by using iApp . Everything works great but we have an issue with the authentication to the storefront once user logs off from the citrix, Users are able to logon without prompting for username and password when clicked on logon. We are using Imprivata for Radius and its MFA. Any help would be much appreciated. FYI: no user sessions should be terminated after logout is enabled.
Logout URI in APM seems not work
Hi, I'm using LT+APM mode to authenticate users on a web application. The url to connect on application is https://toto.com/. Once is connected to application he is able to deconnect with a logout button. I configured on my access policie a logout URI: /logout.jsp. When the users click on the logout, he is redirected to the correct page https://toto.com/logout.jsp After a times he tries to connect again to the web app https://toto.com, but the APM doesn't ask again a the client credentials. Normally, after the logout.jsp, the APM must delete session, but it seems not. Any idea about this ? Beb
Does BIG IP v11.5.3 support IDP SLO requests through REDIRECT or only POST?
Hopefully a easy question: in v12 the IDP supports SP requests for logout through Redirect and Post. I see this in the idP metdata 'SingleLogoutService ResponseLocation='options for HTTP-POST & HTTP-Redirect are present. We also support BIG IP v11.5.3, in the idP metadata and no HTTP-Redirect. Can we configure this somewhere in later versions (HTTP-Redirect) or is this only available in later releases? Unfortunately the attached SP only supports REDIRECT and SOAP. Before going down another rabbit hole of making changes on the SP I'm hoping there is a quick solution on the F5 (besides updating versions in the immediate term, but well overdue). Appreciate any help, as I'm still really new to BIG IP. Thanks in advance.Citrix iApp and logout scenarios
We are currently front ending our Citrix xenapp farm with the BigIP using the citrix iApp. Using our old citrix web gateways to authenticate to citrix, our users were able to log out of the web gateway interfaces and continue working in the published app or full desktop they had loaded without being disconnected. Our new implementation using the BigIP disconnects the user from both the portal page and the current citrix session when the user logs out of the portal. Is there a way to maintain the citrix published app/full desktop connection even after a logout or timeout on the initial portal page? In addition, if a user closes their browser while logged into the portal page and their session is still active, is there a way to force the user back to that session without logging them out of their current session and establishing a new one (ultimately requiring them to re login)? Thanks in advance, this is my first F5 implementation. -GR