slo
12 Topics

SAML SLO NameQualifier and SPNameQualifier attributes missing
We have an external SAML 2 IdP which requires the NameQualifier and SPNameQualifier attributes in the NameID element set in the SAML LogoutRequest (SLO), like:

    NameQualifier="https://xxx.yyy.com/idp" SPNameQualifier="https://aaa.bbb.com/saml_sp"> AAdzZWNy...CtBxVYUk=

Now APM (v 11.5.x) seems to send the SAML SLO request without those attributes, which causes SLO to fail at the IdP end:

    AAdzZWNy...CtBxVYUk=

Haven't seen any way to add those attributes, or am I missing something? Any ideas?

SAML: F5 as SP, Azure as IdP Problems with SLO
We use the F5 as SAML SP and Azure as SAML IdP. The SSO part runs well, only the SLO makes problems. When I use the ResponseLocation url (/saml/sp/profile/redirect/slr) from the metadata XML for the "Logout Url" (in Azure), the SP initiated SLO (Logout Button on the Webtop) works but the IdP initiated SLO (logout in Azure) will not end the F5 session; the apm log shows:

    SLO Request is received on SLO Response URL

Looking in more detail at the assertion we can see that Azure sends on an SP SLO a "<samlp:LogoutResponse...." and on an IdP SLO a "<samlp:LogoutRequest", so F5 should be able to find the correct "Option", but it is only looking at the url, and Azure gives no way to enter a second url. When I use the Location url (/saml/sp/profile/redirect/sls) in Azure it is the other way around. In Azure the Help Text suggests using the response url. The SAML RFC is also not very helpful, it "only" describes the content. Tests with the "new" iRule events ACCESS_SAML_.... do not bring any new insights either; ACCESS_SAML_SLO_REQ and ACCESS_SAML_SLO_RESP look like they are fired via the uri and not the Option in the Assertion. Is there a way to decode (and deflate) the assertion in an iRule to read the SLO option and to set the F5 expected uri, or any other idea how we can solve the problem?

SAML SLO
Hi, I am configuring F5 as a local SP bound to an IdP connector to an external SAML service and I am trying to figure out the logout and why it is not working. I get that uri "saml/sp/profile/post/sls" as part of the exported metadata for the local SP and the redirections are working fine (doing a POST as well), but it doesn't seem like this url is there; I keep getting an error connecting to the backend. Any ideas? F5 11.6 Virtual instance (test environment) with APM. We have two instances, one is in the DMZ for routing and the other one that is internal has the APM module and all the configuration for SAML.

SAML SLO fails
Configured BIG-IP as IdP and ADFS plays the role of SP. SSO works as expected with no issues. When trying an SP initiated SLO from ADFS, a logout request is sent to BIG-IP and in return it sends the Logout Response. But the status in the Logout Response is ** ** Verified the signing certificates, SLO endpoints and bindings at both the IdP and SP. Still not able to find the issue ....

APM SP with ADFS Single-Log-Out
Hi Folks, I'd like to ask for a working sample configuration to perform a SAML based Single-Log-Out.

Scenario:
    VS_1 -> APM Policy with SAML Pre-Auth via multiple ADFS Server(s) -> SharePoint with WS-Federation Auth using the same ADFS Server(s)
    VS_2 -> APM Policy with 2FA/AD Auth and Kerberos-SSO -> ADFS Server for Department 1
    VS_N -> APM Policy with 2FA/AD Auth and Kerberos-SSO -> ADFS Server for Department N

Problem: If a user initiates a logout on the SharePoint Site, just the APM session for VS_1 currently gets closed. If the user reopens the SharePoint page, the APM SAML authentication will get a fresh authentication from the ADFS Server, since the APM session for this service hasn't been closed by the user initiated logout.

Goal: Before I start to code an iRule that pulls off the SLO manually, I'd like to explore the possibilities of the built-in SAML SP Single-Sign-Out capabilities. Unfortunately I can't find any useful information on how this may work out in conjunction with APM SAML Pre-Auth, SharePoint and Microsoft ADFS Server behind another 2FA/AD Auth APM Policy.

Cheers, Kai

Removing the SAML assertion from the APM session
Hi all, I have the F5 APM 11.6 configured as the SAML IdP. Configured an external SP and the login SSO is working as expected. When the user hits the logout button from the external application, the session and the SAML assertion are not removed from the APM, so the user is redirected right back into the external application. Has anybody seen this before? I configured the Single Logout Request URL for the application logout button URL and the Single Logout Response URL to /vdesk/hangup.php3 from the SP connector, but nothing seems to happen.

SAML SP single-logout-binding
Hello all, using F5 APM 1.14.2.HF2 as IdP. In the documentation it is stated that for SLO only POST is supported (well, in some cases even for login, as the redirect signature is not correctly validated). So far so good. The problem is that some SPs support only redirects for SLO and it is not possible to implement full SLO with such SPs. We expect that redirect binding will be supported at some time in the future too (hopefully). The question is: there are APM SSO configuration properties not available via GUI, e.g. saml-sp-connector single-logout-binding. I already thought that would solve our problem (even without signing the SLO message), but we see no way to provide a value.

    tmsh modify apm sso saml-sp-connector single-logout-binding ...

What are the allowed values? Would it even solve anything? Thank you all in advance, Gabriel

SAML SLO error
Hey, we are using APM as a SAML IdP for authenticating smartcard users. Authentication works fine and users are able to use the SAML SP service, but as they try to log out the user is redirected back to the IdP and the browser session dies. The browser seems to stay on the IdP SLO url (/saml/idp/profile/sls) without ever redirecting back to the SP SLO urls. Firefox states that a secure connection can't be established. From the apm log I can see the following error:

    SSOv2 plugin error(18) in sso/saml.c:6276

I tried to find the meaning of the error, but so far I've found nothing for error 18. Any ideas? We are running version 11.5.1 HF10.

SAML SLO response data destination modification needed
I have the following requirement to modify the SAML response data, in particular the SLO destination. The goal here is to finalize the end user session on the SP mywebsite, IDP1 and IDP2 (this is a chained setup). With this config the session is being terminated on IDP1 and IDP2 but still not on the SP; this is because IDP1 sends the SAML SLO response to IDP1 with the SLO destination being IDP1/logmeout, and when resending the POST request via redirect to the end user and directing it back to mywebsite it responds with 400 Bad Request, because the SAML SLO data contains the old IDP/logmeout destination and needs to be modified. The iRule I use, which is working:

    when ACCESS_ACL_ALLOWED {
        # Only act on the logout URI
        if { [HTTP::uri] contains "/logmeout" } {
            log local0. "logout requested from IP [IP::client_addr] URI [HTTP::uri] query [HTTP::query]"
            # Terminate the APM session, then redirect the user, carrying the query string along
            ACCESS::session remove
            ACCESS::respond 307 Location "HTTPS://myredirectwebsite[HTTP::query]"
        }
    }

How can I modify the SAML SLO payload to match the SLO destination of SP mywebsite without having to change the SP metadata of IDP1? I know that in version 14.1 there is the new feature ACCESS_SAML_SLO_RESP which would be highly suitable for this, but we use version 13. https://devcentral.f5.com/wiki/iRules.ACCESS_SAML_SLO_RESP.ashx The SAML POST DATA is: https://IDP2/logmeout (this part needs to be modified to the mywebsite destination). All recommendations are welcome.

SAML logout hangs on response
Hello all, using BIG-IP v11.4.1 (Build 635.0) as a SAML IdP. Actually, we are chaining authentication between 2 IdPs. On invoking a hangup link, the user is 'hung' on a response url (/saml/idp/profile/post/slr) with the following exception in /var/log/apm:

    Sep 9 12:11:48 slot1/localhost err tmm1[8705]: 014d0002:3: SSOv2 plugin error(16) in sso/saml.c:6082
    Sep 9 12:11:48 slot1/localhost err tmm2[8705]: 014d0002:3: SSOv2 plugin error(16) in sso/saml.c:6082

The posted response is a signed successful logout reply. Any idea anyone? We are aware there are a lot of fixes up to BIG-IP 11.6, however it will take time until the client can upgrade and .. even I'm not sure it's related to any of the fixed issues. Best regards, Gabriel