Forum Discussion

sravan_64_16558
Aug 12, 2014

SAML Single Logout Issue

Hi,


We are trying to implement SAML single logout with BIG-IP APM acting as the SP and a third-party Identity Provider. We have configured the sample page on the backend IIS web servers. The IdP SLO URL is hard-coded into the logout button. After the user logs into the sample application via SAML credentials and clicks the logout button, the session is not getting killed; also, we don't see any logout request being generated and sent to the IdP. I'm just wondering whether we need to do any configuration apart from giving the single logout URLs in the F5 SAML configuration. Also, how does the logout process actually work with F5? Can anyone help us out on this?


Thanks


2 Replies

  • Hello,


    You are using F5 as an SP. Further, you've stated the IdP SLO URL is linked to a button. Therefore I assume you wanted to do IdP-initiated SLO: it's the IdP which should send a logout request to the F5 SP.


    If you want SP-initiated SLO (F5 logs out), it's not a simple user request to the SLO URL. The best approach is to use a hangup link (/vdesk/hangup.php3).


    We've set up several environments using F5 APM SAML, and here are some things to be aware of:


    • You need to configure the SLO URL AND the SLO Reply URL for the IdP connector; note that F5 APM uses different endpoints for the SLO request and the SLO reply.
    • Logout requests must be signed (the correct certificates need to be set up).
    • Watch the /var/log/apm log file to troubleshoot the SAML processing.
    • There's an issue on the F5 where it doesn't return the RelayState correctly (depends on the version used), and some IdPs don't like it.

    Best regards, Gabriel


    • Malak_Samir_218

      @Gabriel, in this particular case, what should the SLO reply look like?
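As an added example (not code from the thread, from BIG-IP APM or from its authors), here is the SP-initiated exchange Gabriel describes: the SP itself builds and sends the LogoutRequest over the HTTP-Redirect binding, the IdP answers to the SP's separate SLO reply endpoint, and the SP validates that LogoutResponse (InResponseTo, Issuer, Status, echoed RelayState) before ending its own session, which is the shape of reply Malak asks about. Entity IDs, URLs, NameID and SessionIndex are constructed placeholders, and the signing that APM requires is left out to keep the flow visible.

```python
import base64, secrets, zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY = "https://sp.example.com/saml"      # constructed, hypothetical values, not from the thread
IDP_ENTITY = "https://idp.example.com"
IDP_SLO_URL = "https://idp.example.com/slo"

def build_logout_request(name_id, session_index):
    """SP-initiated LogoutRequest: the SP issues it; a browser link to the IdP SLO URL cannot."""
    req_id = "_" + secrets.token_hex(16)
    issued = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{req_id}" '
           f'Version="2.0" IssueInstant="{issued}" Destination="{IDP_SLO_URL}">'
           f'<saml:Issuer>{SP_ENTITY}</saml:Issuer><saml:NameID>{name_id}</saml:NameID>'
           f'<samlp:SessionIndex>{session_index}</samlp:SessionIndex></samlp:LogoutRequest>')
    return req_id, xml

def redirect_binding_url(xml, relay_state):
    """HTTP-Redirect binding: raw DEFLATE, base64, URL-encode (a real SP also signs the query)."""
    co = zlib.compressobj(wbits=-15)            # wbits=-15 -> raw DEFLATE, no zlib header
    deflated = co.compress(xml.encode()) + co.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state})
    return f"{IDP_SLO_URL}?{query}"

def check_logout_response(xml, request_id, sent_relay_state, returned_relay_state):
    """Checks the SP makes on the LogoutResponse delivered to its separate SLO reply endpoint."""
    root = ET.fromstring(xml)
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    checks = [
        (root.tag == f"{{{SAMLP}}}LogoutResponse", "not a LogoutResponse"),
        (root.get("InResponseTo") == request_id, "InResponseTo does not match the LogoutRequest we sent"),
        (root.findtext(f"{{{SAML}}}Issuer") == IDP_ENTITY, "unexpected Issuer"),
        (code is not None and code.get("Value") == SUCCESS, "IdP did not report Success"),
        (returned_relay_state == sent_relay_state, "RelayState was not echoed back unchanged"),
    ]
    for ok, reason in checks:
        if not ok:
            return False, reason             # keep the local APM session; log the reason
    return True, "logout confirmed; the SP may now end its own session"

def sample_logout_response(request_id):
    """Constructed IdP reply showing the shape a correct SLO reply takes (signature omitted)."""
    return (f'<samlp:LogoutResponse xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0" IssueInstant="2014-08-12T00:00:00Z" '
            f'InResponseTo="{request_id}" Destination="{SP_ENTITY}/slo-reply"><saml:Issuer>{IDP_ENTITY}</saml:Issuer>'
            f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status></samlp:LogoutResponse>')
```

The reply must carry the request's ID in InResponseTo and a Success StatusCode, and the RelayState the SP sent must come back untouched; any of those failing is a reason to keep the session and look in /var/log/apm.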