Forum Discussion
Marvin
Apr 10, 2019
The following iRule works: when the logout SLO request comes back to IDP1 for generating the SLO response, we modify the URI by removing the appended query, and the Access Policy now accepts the request and sends the SLO response back to the SP. This way both the IDP and the application are logged out correctly.
when CLIENT_ACCEPTED {
    # Let HTTP_REQUEST fire for requests that APM would otherwise handle on its own
    ACCESS::restrict_irule_events disable
}

when HTTP_REQUEST {
    # Second pass: the SLO request has come back from IDP2 with the marker query
    # ("myreferer", matched case-insensitively as a substring). Strip the query so
    # the Access Policy sees the plain SLS URI and generates the SLO response for the SP.
    if { [HTTP::uri] contains "saml/idp/profile/post/sls" and [string tolower [HTTP::query]] contains "myreferer" } {
        log local0. "second logout from IDP requested from IP [IP::client_addr] URI [HTTP::uri] query [HTTP::query]"
        # Setting the URI to the bare path drops the query string
        HTTP::uri "/saml/idp/profile/post/sls"
        log local0. "second logout with modified uri [IP::client_addr] URI [HTTP::uri] query [HTTP::query]"
        return
    }
    # First pass: SLO request arriving from the SP. Redirect to IDP2's logout,
    # which is expected to send the browser back here with the marker query appended.
    # Note that "contains" is a substring match on the whole URI.
    if { [HTTP::uri] contains "saml/idp/profile/post/sls" } {
        log local0. "logout requested from IP [IP::client_addr] URI [HTTP::uri] query [HTTP::query]"
        HTTP::respond 307 Location "https://IDP2/logmeout"
        log local0. "SLO from SP detected and redirected"
    }
}