slo
12 Topics

SAML SLO response data destination modification needed
I have the following requirement: to modify the SAML response data, in particular the SLO destination. The goal here is to finalize the end-user session on the SP mywebsite, IDP1 and IDP2 (this is a chained setup). With this config the session is being terminated on IDP1 and IDP2 but still not on the SP. This is because IDP1 sends the SAML SLO response to IDP1 with the SLO destination being IDP1/logmeout; when resending the POST request via redirect to the end user and directing it back to mywebsite, it responds with 400 Bad Request, because the SAML SLO data contains the old IDP/logmeout destination and needs to be modified.

The iRule I use, which is working:

    when ACCESS_ACL_ALLOWED {
        if { [HTTP::uri] contains "/logmeout" } {
            log local0. "logout requested from IP [IP::client_addr] URI [HTTP::uri] query [HTTP::query]"
            ACCESS::session remove
            ACCESS::respond 307 Location "HTTPS://myredirectwebsite[HTTP::query]"
        }
    }

How can I modify the SAML SLO payload to match the SLO destination of the SP mywebsite without having to change the SP metadata of IDP1? I know that version 14.1 has the new ACCESS_SAML_SLO_RESP event, which would be highly suitable for this, but we use version 13. https://devcentral.f5.com/wiki/iRules.ACCESS_SAML_SLO_RESP.ashx

The SAML POST data is: https://IDP2/logmeout (this part needs to be modified to the mywebsite destination). All recommendations are welcome.

(418 views, 0 likes, 5 comments)
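What the rewrite asked for above looks like on the wire, as an added example that is not part of the original thread and not F5 iRule code: it takes the base64 SAMLResponse form field of a POST-binding LogoutResponse, replaces the Destination attribute and re-encodes the message. The sample message, the IDP2 hostname and the SP endpoint path https://mywebsite/saml/sp/profile/post/slr are constructed placeholders. The check a practitioner wants before doing this in production: Destination sits inside the signed element, so if the LogoutResponse carries a ds:Signature the rewrite invalidates it and the SP will reject the message anyway; the function refuses in that case instead of producing a response that fails later.

```python
import base64
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("ds", DS)

# Constructed sample (not captured from the poster's setup): an unsigned LogoutResponse
# as the upstream IdP would POST it, still addressed to the intermediate IdP's endpoint.
UNSIGNED_LOGOUT_RESPONSE = (
    f'<samlp:LogoutResponse xmlns:samlp="{SAMLP}" ID="_r1" Version="2.0" '
    'IssueInstant="2019-01-01T00:00:00Z" InResponseTo="_q1" '
    'Destination="https://IDP2/logmeout">'
    '<samlp:Status><samlp:StatusCode '
    'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '</samlp:LogoutResponse>'
)
# Same message with a placeholder enveloped signature, to exercise the refusal path.
SIGNED_LOGOUT_RESPONSE = UNSIGNED_LOGOUT_RESPONSE.replace(
    "<samlp:Status>", f'<ds:Signature xmlns:ds="{DS}"/><samlp:Status>', 1
)


def to_post_binding(xml_text: str) -> str:
    """HTTP-POST binding: the message travels in the SAMLResponse form field as plain base64."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def parse_logout_response(saml_response_b64: str) -> ET.Element:
    """Decode the form field and make sure it really is a samlp:LogoutResponse."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{SAMLP}}}LogoutResponse":
        raise ValueError(f"expected samlp:LogoutResponse, got {root.tag}")
    return root


def destination_of(saml_response_b64: str) -> str:
    return parse_logout_response(saml_response_b64).get("Destination", "")


def rewrite_destination(saml_response_b64: str, new_destination: str) -> str:
    """Return a re-encoded SAMLResponse whose Destination points at the final SP.

    Refuses signed messages: Destination is covered by an enveloped signature, so
    changing it breaks the signature and the SP would reject the response anyway.
    """
    root = parse_logout_response(saml_response_b64)
    if root.find(f"{{{DS}}}Signature") is not None:
        raise ValueError("LogoutResponse is signed; Destination cannot be rewritten without re-signing")
    root.set("Destination", new_destination)
    return base64.b64encode(ET.tostring(root, encoding="utf-8")).decode("ascii")


if __name__ == "__main__":
    sp_slr = "https://mywebsite/saml/sp/profile/post/slr"  # assumed SP response endpoint
    fixed = rewrite_destination(to_post_binding(UNSIGNED_LOGOUT_RESPONSE), sp_slr)
    print(destination_of(fixed))  # https://mywebsite/saml/sp/profile/post/slr
    try:
        rewrite_destination(to_post_binding(SIGNED_LOGOUT_RESPONSE), sp_slr)
    except ValueError as exc:
        print("refused:", exc)
```

Whatever performs the rewrite also has to keep InResponseTo intact, because the SP matches the LogoutResponse against the ID of the LogoutRequest it sent; only Destination changes here.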
SAML SLO fails

Configured BIG-IP as IdP and ADFS plays the role of SP. SSO works as expected with no issues. When trying an SP-initiated SLO from ADFS, a logout request is sent to BIG-IP and in return it sends the Logout Response. But the status in the Logout Response is ** **. Verified the signing certificates, SLO endpoints and bindings at both the IdP and SP. Still not able to find the issue...

(716 views, 0 likes, 4 comments)
SAML SLO NameQualifier and SPNameQualifier attributes missing

We have an external SAML 2 IdP which requires the NameQualifier and SPNameQualifier attributes in the NameID element set in the SAML LogoutRequest (SLO), like:

    NameQualifier="https://xxx.yyy.com/idp" SPNameQualifier="https://aaa.bbb.com/saml_sp"> AAdzZWNy...CtBxVYUk=

Now APM (v11.5.x) seems to send the SAML SLO request without those attributes, which causes SLO to fail at the IdP end:

    AAdzZWNy...CtBxVYUk=

Haven't seen any way to add those attributes, or am I missing something? Any ideas?

Solved (2.1K views, 0 likes, 10 comments)
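Why the missing attributes break logout, as an added example that is not part of the thread and not APM code: an IdP that applies the SAML 2.0 "strong match" rule compares Format, NameQualifier, SPNameQualifier and the string value of the NameID in the LogoutRequest against the NameID it issued for the session, so a request that omits the qualifiers never matches and the IdP cannot find the session to terminate. The LogoutRequest, the NameID value and the session record below are constructed (the qualifier URLs are the ones quoted in the post); the script checks which qualifiers are missing, adds them, and shows the match flipping from false to true. The caveat that matters for any fix: NameID is inside the signed element, so the attributes must be present before the request is signed.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
QUALIFIER_ATTRS = ("NameQualifier", "SPNameQualifier")

# Constructed sample (the NameID value is made up, not the one elided in the post):
# a LogoutRequest whose NameID carries only Format and a value, as the post describes.
BARE_LOGOUT_REQUEST = (
    f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_lr1" '
    'Version="2.0" IssueInstant="2019-01-01T00:00:00Z" '
    'Destination="https://xxx.yyy.com/idp/slo">'
    '<saml:Issuer>https://aaa.bbb.com/saml_sp</saml:Issuer>'
    '<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">'
    'c29tZS1vcGFxdWUtaWQ=</saml:NameID>'
    '<samlp:SessionIndex>_s1</samlp:SessionIndex>'
    '</samlp:LogoutRequest>'
)

# Constructed: what the IdP stored for this session when it issued the assertion.
SESSION_SUBJECT = {
    "Format": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "NameQualifier": "https://xxx.yyy.com/idp",
    "SPNameQualifier": "https://aaa.bbb.com/saml_sp",
    "value": "c29tZS1vcGFxdWUtaWQ=",
}


def parse_logout_request(logout_request_xml: str):
    """Return (root, NameID element); EncryptedID is deliberately not handled here."""
    root = ET.fromstring(logout_request_xml)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError(f"expected samlp:LogoutRequest, got {root.tag}")
    name_id = root.find(f"{{{SAML}}}NameID")
    if name_id is None:
        raise ValueError("LogoutRequest has no saml:NameID")
    return root, name_id


def missing_qualifiers(logout_request_xml: str) -> list:
    """Names of the NameID qualifier attributes the request does not carry."""
    _, name_id = parse_logout_request(logout_request_xml)
    return [attr for attr in QUALIFIER_ATTRS if not name_id.get(attr)]


def add_qualifiers(logout_request_xml: str, name_qualifier: str, sp_name_qualifier: str) -> str:
    """Set NameQualifier/SPNameQualifier on saml:NameID and return the request as text.

    Only valid on a not-yet-signed request: NameID is inside the signed element,
    so this has to happen before signing (or the signature has to be redone).
    """
    root, name_id = parse_logout_request(logout_request_xml)
    if root.find(f"{{{DS}}}Signature") is not None:
        raise ValueError("request already signed; add the qualifiers before signing")
    name_id.set("NameQualifier", name_qualifier)
    name_id.set("SPNameQualifier", sp_name_qualifier)
    return ET.tostring(root, encoding="unicode")


def matches_session_subject(logout_request_xml: str, session_subject: dict) -> bool:
    """Strong NameID match as the IdP would do it: Format, both qualifiers and the
    value must all agree with the NameID it issued for the session."""
    _, name_id = parse_logout_request(logout_request_xml)
    seen = {attr: name_id.get(attr) for attr in ("Format", *QUALIFIER_ATTRS)}
    seen["value"] = (name_id.text or "").strip()
    return seen == session_subject


if __name__ == "__main__":
    print("missing:", missing_qualifiers(BARE_LOGOUT_REQUEST))
    print("matches before:", matches_session_subject(BARE_LOGOUT_REQUEST, SESSION_SUBJECT))
    fixed = add_qualifiers(BARE_LOGOUT_REQUEST,
                           "https://xxx.yyy.com/idp", "https://aaa.bbb.com/saml_sp")
    print("matches after:", matches_session_subject(fixed, SESSION_SUBJECT))
```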
SAML logout hangs on response

Hello all, using BIG-IP v11.4.1 (Build 635.0) as a SAML IdP. Actually, we are chaining authentication between 2 IdPs. On invoking a hangup link, the user is 'hung' on a response URL (/saml/idp/profile/post/slr) with the following exception in /var/log/apm:

    Sep 9 12:11:48 slot1/localhost err tmm1[8705]: 014d0002:3: SSOv2 plugin error(16) in sso/saml.c:6082
    Sep 9 12:11:48 slot1/localhost err tmm2[8705]: 014d0002:3: SSOv2 plugin error(16) in sso/saml.c:6082

The posted response is a signed successful logout reply. Any idea, anyone? We are aware there are a lot of fixes up to BIG-IP 11.6; however, it will take time until the client can upgrade, and even I'm not sure it's related to any of the fixed issues.

Best regards, Gabriel

(314 views, 0 likes, 1 comment)
APM SP with ADFS Single-Log-Out

Hi Folks, I'd like to ask for a working sample configuration to perform a SAML-based Single-Log-Out.

Scenario:
    VS_1 -> APM policy with SAML pre-auth via multiple ADFS server(s) -> SharePoint with WS-Federation auth using the same ADFS server(s)
    VS_2 -> APM policy with 2FA/AD auth and Kerberos SSO -> ADFS server for Department 1
    VS_N -> APM policy with 2FA/AD auth and Kerberos SSO -> ADFS server for Department N

Problem: If a user initiates a logout on the SharePoint site, currently only the APM session for VS_1 gets closed. If the user reopens the SharePoint page, the APM SAML authentication will get a fresh authentication from the ADFS server, since the APM session for this service hasn't been closed by the user-initiated logout.

Goal: Before I start to code an iRule that pulls off the SLO manually, I'd like to explore the possibilities of the built-in SAML SP Single-Log-Out capabilities. Unfortunately I can't find any useful information on how this may work in conjunction with APM SAML pre-auth, SharePoint and Microsoft ADFS server behind another 2FA/AD auth APM policy.

Cheers, Kai

(689 views, 0 likes, 5 comments)
SAML: F5 as SP, Azure as IdP, problems with SLO

We use the F5 as SAML SP and Azure as SAML IdP. The SSO part runs well; only the SLO makes problems. When I use the ResponseLocation URL (/saml/sp/profile/redirect/slr) from the metadata XML for the "Logout Url" (in Azure), the SP-initiated SLO (logout button on the webtop) works, but the IdP-initiated SLO (logout in Azure) will not end the F5 session; the APM log shows "SLO Request is received on SLO Response URL". Looking in more detail at the assertion, we can see that Azure sends on an SP SLO a "<samlp:LogoutResponse..." and on an IdP SLO a "<samlp:LogoutRequest", so F5 should be able to find the correct "option" but is only looking at the URL, and Azure gives no way to enter a second URL. When I use the Location URL (/saml/sp/profile/redirect/sls) in Azure it is the other way around. In Azure the help text suggests using the response URL. The SAML RFC is also not very helpful; it "only" describes the content. Tests with the "new" iRule events ACCESS_SAML_... do not bring any new insights either; ACCESS_SAML_SLO_REQ and ACCESS_SAML_SLO_RESP look like they are fired via the URI and not by the option in the assertion. Is there a way to decode (and deflate) the assertion in an iRule to read the SLO option and set the URI the F5 expects, or any other idea how we can solve the problem?

Solved (2K views, 1 like, 5 comments)
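The decode step the post asks about, as an added example written in Python rather than iRule Tcl and not code from the original thread: with the HTTP-Redirect binding the SAMLRequest or SAMLResponse query parameter is the URL-encoded base64 of a raw-DEFLATE-compressed message, so inflating it and reading the root element tells a LogoutRequest from a LogoutResponse regardless of which URL Azure delivered it to. The two messages, the issuer and SP hostnames are constructed; the sls and slr paths are the ones quoted in the post. The function also reports whether the parameter name agrees with the message kind, which is the mismatch worth logging when the wrong endpoint receives it. Classification is read-only; nothing here alters or re-signs the message.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# SP endpoints named in the post: Location (sls) takes requests, ResponseLocation (slr) responses.
SP_ENDPOINTS = {
    "LogoutRequest": "/saml/sp/profile/redirect/sls",
    "LogoutResponse": "/saml/sp/profile/redirect/slr",
}

# Constructed samples: an IdP-initiated LogoutRequest and the IdP's reply to an SP-initiated one.
LOGOUT_REQUEST = (
    f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_idp1" '
    'Version="2.0" IssueInstant="2019-01-01T00:00:00Z" '
    'Destination="https://sp.example/saml/sp/profile/redirect/slr">'
    '<saml:Issuer>https://idp.example/</saml:Issuer>'
    '<saml:NameID>user@example</saml:NameID>'
    '</samlp:LogoutRequest>'
)
LOGOUT_RESPONSE = (
    f'<samlp:LogoutResponse xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_idp2" '
    'Version="2.0" IssueInstant="2019-01-01T00:00:00Z" InResponseTo="_sp1" '
    'Destination="https://sp.example/saml/sp/profile/redirect/slr">'
    '<saml:Issuer>https://idp.example/</saml:Issuer>'
    '<samlp:Status><samlp:StatusCode '
    'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '</samlp:LogoutResponse>'
)


def redirect_encode(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (RFC 1951, no zlib header), then base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return base64.b64encode(raw).decode("ascii")


def redirect_decode(value: str) -> bytes:
    """Inverse of redirect_encode; wbits=-15 selects raw DEFLATE."""
    return zlib.decompress(base64.b64decode(value), -15)


# Constructed query strings as the browser would present them to the SP.
IDP_INITIATED_QUERY = urlencode({"SAMLRequest": redirect_encode(LOGOUT_REQUEST), "RelayState": "r1"})
SP_INITIATED_REPLY_QUERY = urlencode({"SAMLResponse": redirect_encode(LOGOUT_RESPONSE)})


def classify_slo_query(query_string: str) -> dict:
    """Tell a LogoutRequest from a LogoutResponse by the message, not the URL it hit."""
    params = parse_qs(query_string)
    param = next((p for p in ("SAMLRequest", "SAMLResponse") if p in params), None)
    if param is None:
        raise ValueError("query carries neither SAMLRequest nor SAMLResponse")
    root = ET.fromstring(redirect_decode(params[param][0]))
    if root.tag not in (f"{{{SAMLP}}}LogoutRequest", f"{{{SAMLP}}}LogoutResponse"):
        raise ValueError(f"not an SLO message: {root.tag}")
    kind = root.tag.rsplit("}", 1)[1]
    return {
        "param": param,
        "kind": kind,
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "destination": root.get("Destination"),
        # Requests belong in SAMLRequest and responses in SAMLResponse; flag anything else.
        "param_matches_kind": (param == "SAMLRequest") == (kind == "LogoutRequest"),
        # Where the SP actually wants this kind of message, whatever URL it arrived on.
        "expected_path": SP_ENDPOINTS[kind],
    }


if __name__ == "__main__":
    for label, query in (("IdP-initiated", IDP_INITIATED_QUERY),
                         ("SP-initiated reply", SP_INITIATED_REPLY_QUERY)):
        info = classify_slo_query(query)
        print(f"{label}: {info['kind']} in {info['param']} -> expected {info['expected_path']}")
```

For the HTTP-POST binding the same classification applies without the DEFLATE step: the form field is plain base64 of the XML.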
SAML SLO

Hi, I am configuring F5 as a local SP bound to an IdP connector to an external SAML service, and I am trying to figure out the logout and why it is not working. I get the URI "saml/sp/profile/post/sls" as part of the exported metadata for the local SP, and the redirections are working fine (doing a POST as well), but it doesn't seem like this URL is there; I keep getting an error connecting to the backend. Any ideas? F5 11.6 virtual instance (test environment) with APM. We have two instances: one is in the DMZ for routing and the other one, which is internal, has the APM module and all the configuration for SAML.

(773 views, 0 likes, 5 comments)
SAML SP single-logout-binding

Hello all, using F5 APM 1.14.2.HF2 as IdP. In the documentation it is stated that for SLO only POST is supported (well, in some cases even for login, as the redirect signature is not correctly validated). So far so good. The problem is that some SPs support only redirects for SLO, and it is not possible to implement full SLO with such an SP. We expect that the redirect binding will be supported some time in the future too (hopefully). The question is: there are APM SSO configuration properties not available via the GUI, e.g. saml-sp-connector single-logout-binding. I already thought that would solve our problem (even without signing the SLO message), but we see no way to provide a value:

    tmsh modify apm sso saml-sp-connector single-logout-binding ...

What are the allowed values? Would it even solve anything? Thank you all in advance, Gabriel

(444 views, 0 likes, 1 comment)
Does BIG-IP v11.5.3 support IdP SLO requests through REDIRECT or only POST?

Hopefully an easy question: in v12 the IdP supports SP requests for logout through Redirect and POST. I see this in the IdP metadata: 'SingleLogoutService ResponseLocation=' options for HTTP-POST and HTTP-Redirect are present. We also support BIG-IP v11.5.3, and in its IdP metadata there is no HTTP-Redirect. Can we configure this somewhere in later versions (HTTP-Redirect), or is this only available in later releases? Unfortunately the attached SP only supports REDIRECT and SOAP. Before going down another rabbit hole of making changes on the SP, I'm hoping there is a quick solution on the F5 (besides updating versions in the immediate term, but that is well overdue). I appreciate any help, as I'm still really new to BIG-IP. Thanks in advance.

(248 views, 0 likes, 0 comments)