Forum Discussion

Slayer001's avatar
Slayer001
Icon for Cirrus rankCirrus
Sep 09, 2019
Solved

Single logout doesn't work for Office 365 with F5 APM as Idp

Single sign-on works perfectly when setup with this guide: https://www.f5.com/pdf/deployment-guides/microsoft-office-365-idp-dg.pdf   We use version 13.1.1.4 of F5 APM in our setup and used the b...
application delivery
BIG-IP Access Policy Manager (APM)
  • delv3chio's avatar
    delv3chio
    Sep 12, 2019

    This sounds like expected behavior.

     

    1.) If it is SP initiated the the user would automatically get redirected back to 0365 with a SAMLResponse and complete SAML login.

    Therefore, they should not get a webtop on the BIG-IP as IdP and not be able to click logout.

    This would mean that SLO would work as expected from the SP standpoint.

     

    2.) Let's say that SP initiated connection land on a webtop. This means they do not have it setup correctly. SP initiated connections _should_ redirect back to the SP automatically.

    If they are presented with a webtop, This means the IdP didn't consume the SAMLRequest and now it will be considered an IdP initiated connection since it was not sent back to the SP.

    Now that its IdP initiated, there is no knowledge of the SAMLRequest so the BIG-IP does not know where the user is coming from to trigger SLO when the logout is clicked.

     

    3.) There theoretically should not be a scenario where the user need to logout of the BIG-IP as IdP as the user should not be staying on the IdP any longer than to authentication then get redirected back to O365.

     

    4.) As far as:

    'When doing the logout from the F5 webtop (via logout button), Office 365 throws an error: "AADSTS90081: An error occurred when we tried to process a WS-Federation message. The message was invalid.'

     

    This is because there is not a completed SSO session to be removed based off the answers above.

delv3chio's avatar
delv3chio
Icon for Employee rankEmployee
Sep 12, 2019

This sounds like expected behavior.

 

1.) If it is SP initiated the the user would automatically get redirected back to 0365 with a SAMLResponse and complete SAML login.

Therefore, they should not get a webtop on the BIG-IP as IdP and not be able to click logout.

This would mean that SLO would work as expected from the SP standpoint.

 

2.) Let's say that SP initiated connection land on a webtop. This means they do not have it setup correctly. SP initiated connections _should_ redirect back to the SP automatically.

If they are presented with a webtop, This means the IdP didn't consume the SAMLRequest and now it will be considered an IdP initiated connection since it was not sent back to the SP.

Now that its IdP initiated, there is no knowledge of the SAMLRequest so the BIG-IP does not know where the user is coming from to trigger SLO when the logout is clicked.

 

3.) There theoretically should not be a scenario where the user need to logout of the BIG-IP as IdP as the user should not be staying on the IdP any longer than to authentication then get redirected back to O365.

 

4.) As far as:

'When doing the logout from the F5 webtop (via logout button), Office 365 throws an error: "AADSTS90081: An error occurred when we tried to process a WS-Federation message. The message was invalid.'

 

This is because there is not a completed SSO session to be removed based off the answers above.