Forum Discussion

Dennis_Andrade_ (Nimbostratus)
Mar 31, 2015

Removing the SAML assertion from the APM session

Hi all,

I have the F5 APM 11.6 configured as the SAML IdP. I configured an external SP, and the login SSO is working as expected. When the user hits the logout button from the external application, the session and the SAML assertion are not removed from the APM, so the user is redirected right back into the external application. Has anybody seen this before? I configured the Single Logout Request URL to the application's logout button URL and the Single Logout Response URL to /vdesk/hangup.php3 in the SP connector, but nothing seems to happen.

4 Replies

  • You must configure SAML SLO (Single Logout). If your SP does not support it, you must create a solution of your own for calling the IDP logout page (vdesk/hangup.php3) upon logout from the SP.

    • Peter_Baumann (Cirrostratus)
      Thanks for this! Where can I find this in the manual? I set this now, but SLO still doesn't work; I get the following error:
      Jun 25 11:33:05 bigip1 warning tmm2[11400]: 014d0002:4: 8d563c55: SSOv2 Unsupported method used for SLO Request
      Any ideas?
  • Gianrico_D_Ang1 (Historic F5 Account)

    Hi Peter,

    APM only supports SAML POST bindings for SLO messages.

    https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-6-0/27.htmlunique_1429343938

    Your SP is probably using Redirect binding. You have to configure your SP to use POST binding for SLO messages.

    Regarding where to find the SLO URI, I could actually not find it in the manual. You should open a ticket and ask for a doc update.

    Anyway, for reference:

    APM as IDP
    /saml/idp/profile/post/sls -> URL where the SP sends a logout request to
    /saml/idp/profile/post/slr -> URL where an SP should respond to when it receives a logout request

    APM as SP
    /saml/sp/profile/post/sls -> URL where the IDP sends a logout request to
    /saml/sp/profile/post/slr -> URL where an IDP should respond to when it receives a logout request

    Thanks,
    gianrico
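The distinction the reply above turns on (POST binding versus Redirect binding for the SLO message) is easy to see once you build the same LogoutRequest both ways. The following is an added example, not code from the thread or from F5: it constructs an unsigned SAML 2.0 LogoutRequest and encodes it once in the HTTP-POST binding (base64 of the XML in a form field, which is what APM's /saml/idp/profile/post/sls endpoint expects per the reply) and once in the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoded query string, the form an SP "using Redirect binding" would send). The host names, entity ID, NameID, SessionIndex and the Redirect-binding endpoint path are constructed assumptions; a production LogoutRequest must also be signed, and in POST binding the XML Signature goes inside the LogoutRequest element rather than in the query string.

```python
import base64
import html
import secrets
import urllib.parse
import zlib
from datetime import datetime, timezone

# Constructed sample values; none of these come from the thread except the
# APM endpoint path /saml/idp/profile/post/sls.
IDP_HOST = "https://idp.example.com"
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
IDP_POST_SLS = IDP_HOST + "/saml/idp/profile/post/sls"
# Hypothetical Redirect-binding endpoint, used only to show what an SP would
# produce if it were configured for Redirect binding.
IDP_REDIRECT_SLS = IDP_HOST + "/saml/idp/profile/redirect/sls"


def build_logout_request(name_id, session_index, destination,
                         request_id=None, issue_instant=None):
    """Return an unsigned SAML 2.0 LogoutRequest as an XML string."""
    request_id = request_id or "_" + secrets.token_hex(16)
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime(
        "%Y-%m-%dT%H:%M:%SZ")
    return (
        '<samlp:LogoutRequest'
        ' xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
        ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
        f' ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}"'
        f' Destination="{html.escape(destination)}">'
        f'<saml:Issuer>{html.escape(SP_ENTITY_ID)}</saml:Issuer>'
        '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">'
        f'{html.escape(name_id)}</saml:NameID>'
        f'<samlp:SessionIndex>{html.escape(session_index)}</samlp:SessionIndex>'
        '</samlp:LogoutRequest>'
    )


def post_binding(xml, destination, relay_state=None):
    """HTTP-POST binding (the one the reply says APM accepts for SLO): the XML
    is base64-encoded as-is into a SAMLRequest form field and the browser
    POSTs it to the IdP. Returns (form_fields, auto-submitting HTML page)."""
    fields = {"SAMLRequest": base64.b64encode(xml.encode()).decode()}
    if relay_state is not None:
        fields["RelayState"] = relay_state
    inputs = "".join(
        f'<input type="hidden" name="{k}" value="{html.escape(v)}"/>'
        for k, v in fields.items())
    page = ('<html><body onload="document.forms[0].submit()">'
            f'<form method="post" action="{html.escape(destination)}">'
            f'{inputs}<noscript><input type="submit" value="Continue"/></noscript>'
            '</form></body></html>')
    return fields, page


def redirect_binding(xml, destination, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode into
    the query string. This is the form the reply says APM does not support
    for SLO messages."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15 = raw deflate
    deflated = compressor.compress(xml.encode()) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return destination + "?" + urllib.parse.urlencode(params)


def decode_post(saml_request_field):
    """Inverse of post_binding: what the IdP sees after reading the form field."""
    return base64.b64decode(saml_request_field).decode()


def decode_redirect(url):
    """Inverse of redirect_binding: parse the query string, base64-decode, inflate."""
    params = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    raw = base64.b64decode(params["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode()


if __name__ == "__main__":
    xml = build_logout_request("alice@example.com", "_session-42", IDP_POST_SLS)
    fields, page = post_binding(xml, IDP_POST_SLS, relay_state="/app/home")
    print("POST binding form field length:", len(fields["SAMLRequest"]))
    print("Redirect binding URL:", redirect_binding(xml, IDP_REDIRECT_SLS))
```

If your SP's SLO request arrives at APM as a GET with a SAMLRequest query parameter, it is using the Redirect binding shown by redirect_binding and needs to be reconfigured to send the POST form shown by post_binding to /saml/idp/profile/post/sls; if the SP cannot do SLO at all, the first reply's fallback of sending the browser to the IdP's /vdesk/hangup.php3 on logout is the remaining option.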