Forum Discussion

Adam_Ingle_1300's avatar
Adam_Ingle_1300
Icon for Cirrus rankCirrus
Jun 01, 2016
Solved

APM Forms SSO Session Logout Error Page

Good day! I am trying to get my policy to recognize when the page /Login/LogOff is being accessed. I'm using Forms Based SSO to front-end an application which is working successfully, but when the...
application delivery
BIG-IP Access Policy Manager (APM)
devops
iRules
  • Brad_Parker_139's avatar
    Brad_Parker_139
    Jun 01, 2016

    If you change the rule to have the redirect logic in the response it will allow the backend application to receive the request and close the session there as well. This will ensure both the app and APM session are closed properly.

    when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
    set logout 0
    if {[HTTP::uri]] equals "/Login/logoff"]}{set logout 1}
}
when HTTP_RESPONSE {
    if {$logout}{
        log local0. "logout-request-URI: local URI [HTTP::host][HTTP::uri] redirect to /vdesk/hangup.php3"
        HTTP::header replace "Location" "/vdesk/hangup.php3"
    }
}
Yann_Desmarest's avatar
Yann_Desmarest
Icon for Cirrus rankCirrus
Jun 01, 2016

Hi,

You should use the following instead or configure the logout setting in the access profile directly :

when ACCESS_ACL_ALLOWED {
    if { [HTTP::uri] equals "/Login/LogOff" } {
        ACCESS::respond 302 Location "http://[HTTP::host]/vdesk/hangup.php3"
    }
}
  • Adam_Ingle_1300's avatar
    Adam_Ingle_1300
    Icon for Cirrus rankCirrus
    Jun 01, 2016
    Yann, thank you very much for the reply. I did try the suggested iRule as well as the logout settings in the profile. Both together and separate without success. I am still presented with the error mentioned above. I am working with the application owners as I believe when the "log off" button is selected, rather than a final landing page, I believe the application is terminating the session and using a 302 redirect to return the user to the login page. Which is exactly what I want the APM to do as well. So there may be a conflict with the application response and the APM's response to the end user.