
APM: how to configure user session logout

Hi, I have 3 different web applications behind a BigIP VS which does Kerberos authentication. I need to understand how to terminate user sessions on all three of the applications when a user logs out from just one of them. With my actual configuration, if I have a user logged on "application1" and "application2" and the user performs logout from "application2", he is redirected to "application1". I need that when a user performs logout from one application all sessions will be terminated without any redirect.

Thanks in advance for your support.

0
Comments on this Question
Comment made 1 month ago by Yoann Le Corvic 79

Hi

Did you add a "Logout URL" in your policy properties? Just check what URL is used in application1 and application2 to log out, and add them as logout URLs in the Access Policy properties.

This way, logging out of one of them will end all sessions, including the APM session.

0
Comment made 1 month ago by Massimo Rusciano 54

I also added /vdesk/hangup.php3 into my access profile, but I always receive the same error.

0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi,

Use "Logout URI Include" in the APM profile, or change the link on the logout button of the application to

/vdesk/hangup.php3

Solution 1 - APM will kill the session after the default 5 seconds

Solution 2 - APM will kill the session immediately

0

Hi Massimo,

In addition to the solution explained by Woytaz and Yoann, you could also deploy an iRule to implement SLO (Single-Log-Off) for your applications.

Using an iRule is the most flexible approach and will be your last chance if:

  1. You can't change the Logoff buttons of the individual Web-Applications
  2. The Logoff action is triggered by using query-string parameters (e.g. ?logoff=true).
  3. You want to delete some backend session cookies in addition to the APM session cookies.

The required iRule will basically inspect incoming web requests and search for configured logoff signatures. Once a logoff signature is identified, it will perform an HTTP redirect to the APM logoff page, where the APM user session will be destroyed.

when HTTP_REQUEST {
    # Patterns are globs: a bare ? matches any single character, so a literal
    # question mark (start of the query string) is written as [?] inside braces.
    switch -glob -- [HTTP::uri] {
        {*/somefile.ext[?]logoff=true} {
            # Logoff signature found: send the browser to the APM logout page,
            # where the APM session is destroyed
            HTTP::respond 307 content "<head><title>Document Moved</title></head><body><h1>Object Moved</h1>This document may be found <a HREF=\"/vdesk/hangup.php3\">here</a></body>" \
                                noserver \
                                "Content-Type" "text/html" \
                                "Location" "/vdesk/hangup.php3"
        }
        {*[?]killsession=true} {
            # Same handling for a query-string-only signature
            HTTP::respond 307 content "<head><title>Document Moved</title></head><body><h1>Object Moved</h1>This document may be found <a HREF=\"/vdesk/hangup.php3\">here</a></body>" \
                                noserver \
                                "Content-Type" "text/html" \
                                "Location" "/vdesk/hangup.php3"
        }
    }
}

Note: You have stated that you use Kerberos authentication for your backend application. In many cases the Kerberos authentication will be used just to retrieve a session cookie for further website access. If security is a concern, you may want to clear those cookies during the redirect to APM's logoff page by adding a Set-Cookie parameter and value to the HTTP::redirect command.

...
"Content-Type" "text/html" \
"Set-Cookie" "AppAuthCookie=; expires=Thu, 01 Jan 1970 00:00:00 GMT;Path=/;Secure;HttpOnly" \
"Location" "/vdesk/hangup.php3"
...

Note: For some customers I've implemented an APM-session-based Cookie-Proxy which intercepts session cookies sent by the backend application, stores them into the user's APM session and injects them back on the server-side request, so that the browser does not need to store those sensitive cookies. Let me know if this sounds interesting for you...

Cheers, Kai

0
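Putting the iRule and the Set-Cookie fragment above together, added here as an example (it is not code from the original answer or from F5): the logoff signatures live in a list set in RULE_INIT, the literal ? that starts a query string is matched with [?] so it cannot be mistaken for the single-character glob wildcard, and the redirect to /vdesk/hangup.php3 expires the backend session cookie on the way out. The cookie name AppAuthCookie, the three signature patterns and the log message are assumptions.

```tcl
# Added example iRule, not from the original answer. The cookie name
# AppAuthCookie and the signature patterns below are placeholders.
when RULE_INIT {
    # Glob patterns for logoff signatures. Braces keep [?] literal, so it
    # matches the '?' that begins the query string; a bare ? would match
    # any single character and "?killsession=true" alone would only match
    # a 17-character URI.
    set static::slo_signatures [list \
        {*/somefile.ext[?]logoff=true} \
        {*[?]killsession=true} \
        {*/logout.aspx*} ]
    set static::apm_logout_uri "/vdesk/hangup.php3"
}

when HTTP_REQUEST {
    set uri [HTTP::uri]
    foreach pattern $static::slo_signatures {
        if { [string match -nocase $pattern $uri] } {
            log local0. "SLO: logoff signature '$pattern' matched $uri from [IP::client_addr]"
            # Redirect the browser to the APM logout page, which destroys the
            # APM session. The expired Set-Cookie removes the backend session
            # cookie so it cannot be replayed after the APM session is gone;
            # Path (and Domain, if the application set one) must match the
            # cookie as the backend issued it, or the browser keeps the old one.
            HTTP::respond 307 content "<head><title>Document Moved</title></head><body><h1>Object Moved</h1>This document may be found <a HREF=\"$static::apm_logout_uri\">here</a></body>" \
                noserver \
                "Content-Type" "text/html" \
                "Cache-Control" "no-store" \
                "Set-Cookie" "AppAuthCookie=; expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/; Secure; HttpOnly" \
                "Location" $static::apm_logout_uri
            # Stop processing this event once the redirect has been sent
            return
        }
    }
}
```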
Comments on this Answer
Comment made 1 month ago by Massimo Rusciano 54

Thanks for your answer!

I just asked the SP to configure the logout button using the string https://login.example.com/vdesk/hangup.php3 (login.example.com is the host where my APM VS is configured). When I try to do the logout I always receive the error message "Logout Error: We are unable to log you out. Please contact your administrator for more information." What can I verify in my configuration?

0
Comment made 1 month ago by Kai Wilke 6860

Is this an F5-specific error message? Never saw such an error text before...

... in addition it would be important to ask if you a.) perform Negotiate/Kerberos from your client to the F5 VS, or b.) perform Kerberos Delegation from your F5 to the backend application?

If a.) is the case then you can't perform a log off unless the user closes their browser and/or logs off from their workstation.

Cheers, Kai

0
Comment made 1 month ago by Massimo Rusciano 54

Hi, the error message is provided by the application, not a specific error from F5.

0

Hi, I performed other tests.

Scenario N.1 - Login only on SERVICE-A -

When I do the logout from SERVICE-A the browser was correctly redirected to the URL https://SERVICE-A/saml/idp/profile/post/sls

I can see in the APM log the session correctly disconnected:

info tmm[18552]: 014d1704:6: /Common/multi_sp.access.profile_v1.3:Common:407a1a3a:SAML SSO: Successfully verified SAML message signature
notice tmm[18552]: 01490501:5: /Common/multi_sp.access.profile_v1.3:Common:407a1a3a: Session deleted due to user logout request.

Scenario N.2 - Login on SERVICE-A and SERVICE-B -

When I do the logout from SERVICE-A the browser was correctly redirected to the URL https://SERVICE-A/saml/idp/profile/post/sls, but after performing a GET on https://SERVICE-B/login I can see in the APM log the session redirected to SERVICE-B with the Assertion.

Any idea how I can fix the issue?

Thanks to all.

0

Hi Massimo,

Correct me if I'm wrong, but I searched the whole thread and I didn't find any information about SAML in the initial question and the following comments.

The answer provided by Kai may not work because of this missing but required information.

So now, can you provide the information required to help you troubleshoot?

  • Where is the IdP? On the BigIP?
  • Where are the SPs? On the BigIP?

When you log out with SLO enabled, the process is the following:

  1. user requests access to Service1 --> redirect to IdP for authentication with assertion
  2. user authenticates on IdP --> redirect to SP Service1 with assertion
  3. user requests access to Service2 --> redirect to IdP for authentication with assertion
  4. user is already authenticated on IdP --> redirect to SP Service1 with assertion
  5. user requests a logout on Service2 --> redirect to IdP for logout
  6. user requests a logout on IdP --> redirect to Service1 for logout
  7. user requests a logout on Service1 --> redirect to IdP to confirm logout
  8. user requests a logout on IdP --> redirect to Service2 to confirm logout of all SPs which used the same session
  9. user requests a logout on Service2 --> the session on Service2 is closed only when this request is received on APM

If one SLO request fails, the session is not closed on Service2.

0
Comments on this Answer
Comment made 4 weeks ago by Massimo Rusciano 54

Hi Stanislas, thanks for your update, I try to give you the required information. In my scenario the IdP is on my BigIP and I have external SPs. The connection is SP-initiated. What you write is correct. My issue is in the logout procedure. When the user performs logout from Service1 the session should be closed and not redirected to Service2. Let me know if you need other info from my side.

Thanks a lot!

0
Comment made 4 weeks ago by Stanislas Piron 10237

Is Service1 or Service2 on the BigIP?

Do you want SP Service1 to close the IdP session, but not Service2?

0
Comment made 4 weeks ago by Massimo Rusciano 54

I need that when one SP closes the session, all sessions (also those of all other SPs) will be closed.

0
Comment made 4 weeks ago by Stanislas Piron 10237

Did you configure the right SLO URLs in all SPs?

If one fails, SLO will not end!

0
Comment made 4 weeks ago by Massimo Rusciano 54

Should the SLO URL be the same for all the SPs, or can it be different? If I have only one SP active the logout seems to work fine; if I have two SPs active, when I do the logout from one service the browser is redirected to the second SP. Very strange.

0