Single Logout Request URL

We have set up the F5 APM to act as an IdP for Citrix Sharefile and have Single Sign On working. However, when we create the IdP SAML and set up the external SP, it created Single Logout Request and Response URLs as well: saml/sp/profile/post/sls and saml/sp/profile/post/slr

If we set the logout URL on Sharefile to the saml/sp/profile/post/sls, it posts to that URL but gets a 404, as it doesn't look like the APM is set up to service that URL. And it doesn't do anything on the APM side to invalidate the assertion for the user, so if they go back to the Sharefile login it uses the previous SAML assertion (sends them to the F5 login page, and since that user still has a valid assertion it sends it back to Sharefile and logs them in). How do we remove the assertion on clicking logout from Sharefile?

Comments on this Question
Comment made 15-Aug-2018 by Bryan Vance 134

I am interested in the solution for this as well. We just purchased ShareFile and I am researching setting up the DMZ proxy. Is there some config guidance for setting up the SAML IdP for ShareFile?


Answers to this Question


Using "./my.logout.php3", but it isn't redirecting to the logon page like we would like. Did you ever find anything with this?


When APM is configured for both IdP and SP, the Single Logout (SLO) URIs (saml/sp/profile/post/sls and saml/sp/profile/post/slr) are expecting a POSTed SAMLRequest and SAMLResponse, respectively. When you click the logout button (a link to /vdesk/hangup.php3 on a SAML-based APM SP VIP), that should generate an auto-post to the sls URI with a SAMLRequest to the IdP. The IdP responds with an auto-post to the slr URI with a SAMLResponse to the SP. I can't speak specifically for a third-party SP, but it should probably behave the same way. Can you take a packet capture and see if the SP is in fact POSTing a SAMLRequest to the IdP for SLO?

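As an added example (not from this thread and not F5 code), here is the exchange the answer above describes, written out in Python: the SP builds a LogoutRequest and auto-POSTs it to the IdP's sls endpoint, the IdP removes the matching session and auto-POSTs a LogoutResponse back for the SP's slr endpoint, and a hit on the sls endpoint that carries no SAMLRequest (what a packet capture of a logout from an SP without SLO support would show) is refused rather than acted on. The entity IDs, the endpoint URL and the session table are assumptions; XML signatures are omitted, and a real IdP must verify the SP's signature on the LogoutRequest before removing anything.

```python
import base64
import datetime
import secrets
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ET.register_namespace("samlp", NS_SAMLP)
ET.register_namespace("saml", NS_SAML)

# Assumed names (not from the thread): entity IDs and the IdP's SLO endpoint.
SP_ENTITY_ID = "https://sharefile.example.com/saml"
IDP_ENTITY_ID = "https://samlvip.example.com/saml/idp"
IDP_SLS_URL = "https://samlvip.example.com/saml/idp/profile/post/sls"


def _now():
    return datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _encode_for_post(field, xml_bytes):
    """HTTP-POST binding: base64 the XML and carry it in a form field."""
    return urlencode({field: base64.b64encode(xml_bytes).decode("ascii")})


def build_logout_request(name_id, session_index):
    """SP side: build an (unsigned) LogoutRequest for the user's IdP session.
    Returns (request ID, form body the browser auto-POSTs to the IdP's sls)."""
    req_id = "_" + secrets.token_hex(16)
    root = ET.Element(f"{{{NS_SAMLP}}}LogoutRequest", {
        "ID": req_id, "Version": "2.0", "IssueInstant": _now(),
        "Destination": IDP_SLS_URL})
    ET.SubElement(root, f"{{{NS_SAML}}}Issuer").text = SP_ENTITY_ID
    ET.SubElement(root, f"{{{NS_SAML}}}NameID").text = name_id
    ET.SubElement(root, f"{{{NS_SAMLP}}}SessionIndex").text = session_index
    return req_id, _encode_for_post("SAMLRequest", ET.tostring(root))


def decode_saml_field(form_body):
    """Return (field name, parsed XML root) for the SAMLRequest or SAMLResponse
    in a POST body, or None when neither is present (a bare logout hit)."""
    form = parse_qs(form_body)
    for field in ("SAMLRequest", "SAMLResponse"):
        if field in form:
            return field, ET.fromstring(base64.b64decode(form[field][0]))
    return None


def idp_handle_sls(form_body, sessions):
    """IdP side: act on a LogoutRequest POSTed to the sls endpoint.
    `sessions` maps SessionIndex -> NameID for live IdP sessions (constructed).
    Returns (HTTP status, form body to auto-POST back to the SP's slr).
    Signature verification is omitted; a real IdP must verify it first."""
    msg = decode_saml_field(form_body)
    if msg is None or msg[0] != "SAMLRequest":
        return 404, None            # no SAMLRequest: nothing the SLO endpoint can do
    req = msg[1]
    issuer = req.findtext(f"{{{NS_SAML}}}Issuer")
    name_id = req.findtext(f"{{{NS_SAML}}}NameID")
    sidx = req.findtext(f"{{{NS_SAMLP}}}SessionIndex")
    if issuer != SP_ENTITY_ID or req.get("Destination") != IDP_SLS_URL:
        return 403, None            # unknown SP or wrong endpoint
    if sessions.get(sidx) != name_id:
        return 403, None            # no such session for that user
    del sessions[sidx]              # the equivalent of ACCESS::session remove
    resp = ET.Element(f"{{{NS_SAMLP}}}LogoutResponse", {
        "ID": "_" + secrets.token_hex(16), "Version": "2.0",
        "IssueInstant": _now(), "InResponseTo": req.get("ID")})
    ET.SubElement(resp, f"{{{NS_SAML}}}Issuer").text = IDP_ENTITY_ID
    status = ET.SubElement(resp, f"{{{NS_SAMLP}}}Status")
    ET.SubElement(status, f"{{{NS_SAMLP}}}StatusCode", {"Value": STATUS_SUCCESS})
    return 200, _encode_for_post("SAMLResponse", ET.tostring(resp))


def sp_handle_slr(form_body, expected_request_id):
    """SP side: accept the LogoutResponse only if it answers our request and succeeded."""
    msg = decode_saml_field(form_body)
    if msg is None or msg[0] != "SAMLResponse":
        return False
    resp = msg[1]
    code = resp.find(f"{{{NS_SAMLP}}}Status/{{{NS_SAMLP}}}StatusCode")
    return (resp.get("InResponseTo") == expected_request_id
            and code is not None and code.get("Value") == STATUS_SUCCESS)


def run_slo(sessions, name_id, session_index):
    """Full exchange: SP -> IdP sls -> IdP -> SP slr. True if logout completed."""
    req_id, body = build_logout_request(name_id, session_index)
    status, resp_body = idp_handle_sls(body, sessions)
    return status == 200 and sp_handle_slr(resp_body, req_id)


if __name__ == "__main__":
    live = {"idx-42": "alice@example.com"}   # constructed IdP session table
    print("SLO completed:", run_slo(live, "alice@example.com", "idx-42"))
    print("session still present:", "idx-42" in live)
    # A logout hit on the sls endpoint with no SAMLRequest in the body:
    print("bare logout hit ->", idp_handle_sls("", {"idx-42": "alice@example.com"})[0])
```

The 404 path is the one to look for in the packet capture: if the SP's logout lands on the sls endpoint without a SAMLRequest field, the IdP has nothing to act on and the user's session survives, which is the symptom the question describes.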

The thing here is that ShareFile doesn't support SLO yet. I wound up writing an iRule yesterday that intercepts a custom URI, kills the APM session, and redirects back to the ShareFile logon page. I just point the ShareFile logout URL to "https://samlVIP/sflogout". This is working perfectly for me.


We found the same issue, but it isn't just that ShareFile doesn't support SLO; it's the fact that it sends to the logout URL framed, which the F5 doesn't allow. We found that in some browsers we weren't actually getting logged out with MarkD's suggestion, so we point it at a generic URI "/sharefile-logout", break out of the frame, and then kill the session with the following iRule:

when HTTP_REQUEST {
    if { [HTTP::uri] equals "/sharefile-logout" } {
        # The HTML in this response body was stripped by the forum; the
        # frame-breaking script from the follow-up below belongs here.
        HTTP::respond 200 content "Logging out.. "
    }
}

when ACCESS_ACL_ALLOWED {
    if { [HTTP::uri] equals "/saml/sp/profile/post/sls/sharefile" } {
        ACCESS::session remove
    }
}

This worked in all browsers and versions that we tested.


Looks like the HTML got stripped. Surround this in script tags to remove the frame that Sharefile sends over:

window.top.location.href='https://"insert domain here"/vdesk/hangup.php3';


This was my iRule. I attached this to my SAML VIP. All is well.

when HTTP_REQUEST {
    if { [HTTP::uri] equals "/sflogout" } {
        ACCESS::session remove
        HTTP::redirect "https://ourname.sharefile.com"
    }
}

Comments on this Answer
Comment made 17-Nov-2015 by Peter Baumann 411
Just for your information... In v12 the SLO iRule doesn't seem to work anymore.

Hello,

F5 APM to act as an IdP ... saml/sp/profile/post/sls

hmm.. looking at my configuration, the SLO URL is: /saml/idp/profile/post/sls

Gabriel


hmm.. looking at my configuration, the SLO URL is: /saml/idp/profile/post/sls

It depends on which one you're looking at. The single logout request URL for the external IdP connector of an APM SP would be /saml/idp/profile/post/sls. The single logout request URL for the external SP connector of an APM SP would be /saml/sp/profile/post/sls.

I think the theme of this post (among other things) was that Citrix ShareFile doesn't support SLO. Ben and MarkD came up with some pretty clever workarounds.


Check your IdP metadata for your IdP Entity ID; it is likely that your URI is not actually /saml but rather something else. Try sending a raw SLO request to this entityID and see what response you get. Also be very familiar with the documentation found here: https://support.f5.com/csp/article/K70726133
