Forum Discussion

Eric_Raff_11012's avatar
Eric_Raff_11012
Icon for Nimbostratus rankNimbostratus
Feb 25, 2015

SharePoint and SAML Single Log Out

I have an APM Policy doing SAML authN client side (APM is the SAML service provider) and Kerberos AuthN server side. All working well there. Dealing with Single Log Out and I want both the APM session cleared as well as the external IdP session so need to do SP initiated Single Log Out over SAML.

 

Because of RFE ID 440234 where the APM policy does not detect the logout URI when there are various paths before the defined Logout URI, I have the following iRule taking care of detecting and initiating Single Log Out.

 

when HTTP_REQUEST { if { [string tolower [HTTP::uri]] contains "/_layouts/signout.aspx" || [string tolower [HTTP::uri]] contains "/_layouts/15/signout.aspx" || [string tolower [HTTP::uri]] contains "/_layouts/15/mobile/authn_signout.aspx"} { HTTP::respond 302 Location "/my.logout.php3" } }

 

This works perfectly and clears both APM Session, as well as takes care of the SAML Single Log out. The only problem is that the user ends up at the F5 Logout page at a URI of: /vdesk/hangup.php3 I Need the user to get sent back to the host name that existed when the above iRule was triggered to log out the user. Similar to how the vdesk/hangup.php3 has a link "To open a new session, please click here" that simply sends the user back to the host name they just logged out from, and in my case starts the SAML Single Sign On flow dropping them as the IdP logon page.

 

Any creative ideas on how to get the user back to the host name after this type of login?

 

The desired behavior is what I get when I do NOT use an irule, and leverage the APM Policy "Logout URI include" option, but then I have the issue that any URI that is not at the root host name is not picked up (ID 440234) as a logout request and user is not signed out at all.

 

Thanks E.R.

 

BIG-IP Access Policy Manager (APM)
management
saml
security
sharepoint
single logout request

5 Replies

Sort By
  • mikeshimkus_111's avatar
    mikeshimkus_111
    Historic F5 Account
    Feb 25, 2015

    How about something like this:

    when HTTP_REQUEST { 
            if { [string tolower [HTTP::uri]] contains "/_layouts/signout.aspx" || [string tolower [HTTP::uri]] contains "/_layouts/15/signout.aspx" || [string tolower [HTTP::uri]] contains "/_layouts/15/mobile/authn_signout.aspx"} { 
                ACCESS::session remove
                ACCESS::respond 302 Location "http://[HTTP::host]" "Set-Cookie" "MRHSession=0; expires=Tuesday, 29-Mar-1970 00:15:00 GMT" "Connection" "Close"
             }
    }
  • Eric_Raff_11012's avatar
    Eric_Raff_11012
    Icon for Nimbostratus rankNimbostratus
    Feb 25, 2015

    Hmm, it does not like the ACCESS:: commands as part of the HTTP_REQUEST. I get this error?: [command is not valid in current event context (HTTP_REQUEST)][ACCESS::respond 302 Location "https://[HTTP::host]" "Set-Cookie" "MRHSession=0; expires=Tuesday, 29-Mar-1970 00:15:00 GMT" "Connection" "Close"] Will look around to see what I can find. I get your suggesting to use the APM ACCESS:: commands to kill the session then redirect. Thanks

     

    • mikeshimkus_111's avatar
      mikeshimkus_111
      Historic F5 Account
      Feb 25, 2015
      Right, copied and pasted that from elsewhere. ACCESS::session remove should work, but you could try HTTP::respond instead of ACCESS::respond.
    • Eric_Raff_11012's avatar
      Eric_Raff_11012
      Icon for Nimbostratus rankNimbostratus
      Feb 25, 2015
      Right HTTP::respond worked but still have a couple issues. 1) it is not performing SAML Single Log Out, and as a result when I get the APM session killed, and 2) when I get redirected back to the HTTP::host, APM initiates a new SAML request and the IdP still has a session for me so it does not appear as the user was ever logged out as indeed they were not logged out from the IdP. That is what I like about the redirect to /my.logout.php3 that piece took care of the SAML Logout for me. So it is not quite as simple as killing the APM session then redirecting to the desired HOST in my use case. Need to have the SAML Single Log Out piece in there as well. Need a Redirect to /my.logout.php3 and then another redirect to the initial host somehow. Thanks
  • Eric_Raff_11012's avatar
    Eric_Raff_11012
    Icon for Nimbostratus rankNimbostratus
    Dec 07, 2015

    We did go down the road of modifying the logout.inc file for the policy. We did not do a function(0nL0ad) because we needed all the code on the logout.inc to run which takes care of all the session clean up etc. We simply added one line of code at the bottom of the logout.inc file just before the tag of:

     

    window.location = " logout landing page";

     

    The irule applied to the VIP then simply was this:

     

    when HTTP_REQUEST { if { [string tolower [HTTP::uri]] contains "/_layouts/signout.aspx" || [string tolower [HTTP::uri]] contains "/_layouts/15/signout.aspx" || [string tolower [HTTP::uri]] contains "/_layouts/15/mobile/authn_signout.aspx"} { HTTP::respond 302 Location "/my.logout.php3" } }

     

    Problem solved. :-)