Forum Discussion

Javier_124486
Aug 16, 2016

Office 365 ADFS "single sign out" irule doubt

Hello,

I have been struggling lately with an APM deployment as an authentication point for an ADFS proxy. My point is to just delegate the Office 365 authentication to the APM, which once you are authenticated will perform SSO against the real ADFS proxy and then Office 365. So far everything is working, except the sign-out sequence. If I execute the sign-out sequence, Office 365 and then ADFS will log me out properly, but I will stay at the ADFS login page (instead of the APM page) because APM is not "able" (I know that it is capable, that's my problem) to "kill" the session once it gets the SIGNOUT cookie from the ADFS. As explained in this post https://devcentral.f5.com/articles/big-ip-and-adfs-part-4-what-about-single-sign-out, ADFS, once logged out, will invalidate the session token and you will be redirected to the logon page of ADFS.

I have followed the iRule proposed there, but so far my APM is unable to terminate the session. After adding a couple of "log local" entries in the iRule, I can see in the log that theoretically the iRule is being executed.

I have also been thinking of deleting the session via an iRule using:

    when HTTP_REQUEST {
        if { [string tolower [HTTP::uri]] contains "/adfs/ls/?wa=wsignout" } {
            ACCESS::session remove
        }
    }

But that event is not related to APM ACCESS::session (I have to admit that I am not used to iRules), so this way is discarded.

This is the iRule that I initially used (the official one from the previously indicated post):

    when HTTP_RESPONSE {
        # Review serverside responses for reset of WS-Federation sign-out cookie - MSISSignOut.
        # If found assign ADFS sign-out session variable and close HTTP connection
        if {[HTTP::header "Set-Cookie"] contains "MSISSignOut=;"} {
            ACCESS::session data set session.user.adfssignout 1
            HTTP::close
        }
    }

    when CLIENT_CLOSED {
        # Remove APM session if ADFS sign-out variable exists
        if {[ACCESS::session data get session.user.adfssignout] eq 1} {
            ACCESS::session remove
        }
    }

Also, I am afraid that once the APM kills the session the user won't be redirected to the APM login page and will stay on the ADFS login page (it won't work because the APM session is expired, but the user will be shown this site, and when they put in their credentials they will be redirected again to the APM login page).

Any idea about this? Can anybody help me? I know that Office 365 is fairly common, so I think that I am not the only one with this problem.

Thanks in advance for any assistance.

1 Reply

Dear Javier, This would work.

    when HTTP_REQUEST {
        set logoutrequest 0
        if {[HTTP::uri] contains "/adfs/ls/?wa=wsignout1.0"} {
            log local0. "ADFS Signout Requested"
            set logoutrequest 1
        }
    }

    when HTTP_RESPONSE {
        if {$logoutrequest == 1} {
            log local0. "Terminate APM Session now"
            ACCESS::session remove
        }
    }
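An added example, not code from the post, the reply or the DevCentral article: one iRule that acts on either sign-out signal discussed in this thread (the wsignout request URI, or the MSISSignOut cookie reset in the ADFS response) and, after removing the APM session, redirects the browser back to the APM logon page instead of leaving it on the ADFS page. The redirect target is assumed to be the virtual server root "/"; that assumption and the variable names are mine.

```tcl
# Added example: terminate the APM session on ADFS single sign-out and
# send the client back to the APM logon page.
when CLIENT_ACCEPTED {
    # Initialise per-connection state here so HTTP_RESPONSE can always read it.
    set adfs_signout 0
    set apm_host ""
}

when HTTP_REQUEST {
    # Remember the host the client used; HTTP::host is request-side only.
    set apm_host [HTTP::host]
    # WS-Federation sign-out request, matched case-insensitively.
    if { [string tolower [HTTP::uri]] contains "/adfs/ls/?wa=wsignout1.0" } {
        log local0. "ADFS sign-out requested from [IP::client_addr]"
        set adfs_signout 1
    }
}

when HTTP_RESPONSE {
    # ADFS may send several Set-Cookie headers; check every one for the
    # MSISSignOut reset rather than only the first header.
    foreach cookie [HTTP::header values "Set-Cookie"] {
        if { $cookie contains "MSISSignOut=;" } {
            log local0. "ADFS reset MSISSignOut cookie"
            set adfs_signout 1
        }
    }
    if { $adfs_signout == 1 } {
        log local0. "Removing APM session [ACCESS::session sid]"
        ACCESS::session remove
        # Replace the ADFS logon page with a redirect to the APM logon page
        # (assumed here to be the root of this virtual server).
        HTTP::redirect "https://${apm_host}/"
    }
}
```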