single logout request
3 Topics

SAML SLO fails
Configured BIG-IP as IdP and ADFS plays the role of SP. SSO works as expected with no issues. When trying an SP-initiated SLO from ADFS, a logout request is sent to BIG-IP and in return it sends the Logout Response. But the status in the Logout Response is ** **. Verified the signing certificates, SLO endpoints and bindings at both the IdP and SP. Still not able to find the issue.

716 Views, 0 likes, 4 Comments

Single Logout Request URL
We have set up the F5 APM to act as an IdP for Citrix ShareFile and have Single Sign On working. However, when we create the IdP SAML and set up the external SP, it created Single Logout Request and Response URLs as well: saml/sp/profile/post/sls and saml/sp/profile/post/slr. If we set the logout URL on ShareFile to saml/sp/profile/post/sls it posts to that URL, but gets a 404 as it doesn't look like the APM is set up to service that URL. And it doesn't do anything on the APM side to invalidate the assertion for the user, so if they go back to the ShareFile login it uses the previous SAML assertion (sends them to the F5 login page and, since that user still has a valid assertion, it sends it back to ShareFile and logs them in). How do we remove the assertion on clicking logout from ShareFile?

1.1K Views, 0 likes, 12 Comments

SharePoint and SAML Single Log Out
I have an APM Policy doing SAML authN client side (APM is the SAML service provider) and Kerberos authN server side. All working well there. Dealing with Single Log Out and I want both the APM session cleared as well as the external IdP session, so need to do SP-initiated Single Log Out over SAML. Because of RFE ID 440234, where the APM policy does not detect the logout URI when there are various paths before the defined Logout URI, I have the following iRule taking care of detecting and initiating Single Log Out.

    when HTTP_REQUEST {
        # Compare the request URI case-insensitively so SharePoint's mixed-case
        # sign-out paths are matched regardless of how the client writes them.
        set uri [string tolower [HTTP::uri]]
        if { $uri contains "/_layouts/signout.aspx" ||
             $uri contains "/_layouts/15/signout.aspx" ||
             $uri contains "/_layouts/15/mobile/authn_signout.aspx" } {
            # Redirect to the APM logout endpoint, which tears down the APM
            # session and triggers the SAML Single Log Out flow.
            HTTP::respond 302 Location "/my.logout.php3"
        }
    }

This works perfectly and clears the APM session, as well as takes care of the SAML Single Log Out. The only problem is that the user ends up at the F5 Logout page at a URI of: /vdesk/hangup.php3. I need the user to get sent back to the host name that existed when the above iRule was triggered to log out the user. Similar to how the vdesk/hangup.php3 page has a link "To open a new session, please click here" that simply sends the user back to the host name they just logged out from, and in my case starts the SAML Single Sign On flow, dropping them at the IdP logon page. Any creative ideas on how to get the user back to the host name after this type of login? The desired behavior is what I get when I do NOT use an iRule and leverage the APM Policy "Logout URI include" option, but then I have the issue that any URI that is not at the root host name is not picked up (ID 440234) as a logout request and the user is not signed out at all. Thanks, E.R.

573 Views, 0 likes, 5 Comments