Kumarchamp
Jul 29, 2015

APM logon page prompts again when logout from application

Hi All,

LTM + APM in 4000s enabled with SSO, and APM sits between the user & ADFS. When the user logs out from an application, if the session is active, it logs out directly and the application logout page is displayed.

But the problem is, if the session is expired, the APM logon page is presented again. Is it normal behaviour?

Is it possible to configure APM such that when a user logs out from an application, it goes to the logout page directly instead of presenting the logon page again?

Thanks in advance!

Regards, Kumar

7 Replies

  • Thanks Kevin for your response. I tried with URI logout "uri /adfs/ls/?wa=wsignout1.0" but got the below error:

    01070734:3: Configuration error: Configured URI (/adfs/ls/?wa=wsignout1.0) is not allowed to contain query parameter

    Am I missing anything in the URI syntax?

  • Here's an iRule option to accomplish this:

    when HTTP_REQUEST {
        if { [string tolower [HTTP::uri]] equals "/adfs/ls/?wa=wsignout1.0" } {
            ACCESS::session remove
            HTTP::respond 302 Location "/" "Set-Cookie" "MRHSession=deleted; path=/; expires=Wednesday, 09-Nov-99 23:12:40 GMT"
        }
    }
    
  • try this:

    when HTTP_REQUEST {
        if { [string tolower [HTTP::uri]] equals "/adfs/ls/?wa=wsignout1.0" } {
            HTTP::respond 302 Location "/vdesk/hangup.php3" 
        }
    }
    

    This iRule does not redirect to the logon page but to the logout page, without creating a new session.

  • Thanks Stanislas. It worked :-) But I have one concern. In our configuration there are currently 2 applications with SSO enabled. If we sign out from O365 first, it works perfectly, that too when the session is active. But if we sign out from O365 second, it ends with the APM logon page and creates a new session as well. The other application's sign-out works perfectly in any condition.

    In detail:

    Case 1:

    When the session is active and we sign out from the applications in the below sequence:

    1) O365 - APM logout page. Clears the session

    2) Application ABC - APM logout page. No new session

    Case 2:

    When the session is active and we sign out from the applications in the below sequence:

    1) Application ABC - APM logout page. Clears the session

    2) O365 - Signs out from the application but ends with the APM logon page. Also creates a new session with 2 mins validity.

    Case 3:

    When the session is expired:

    1) Application ABC - APM logout page. No new session

    2) O365 - APM logon page. But no new session.

    Is it possible to configure APM such that O365 sign-out always points to the APM logout page, irrespective of whether the session is active or expired?

    P.S. - Due to the formatting limitations in the comment options, I posted this query in the answer space.

  • Hi,

    The /vdesk/hangup.php3 URL displays the logout page even without a session. And the logon page is displayed only for a new session. You cannot have a logon page without a new session.

    Are you sure O365 redirects to /adfs/ls/?wa=wsignout1.0 without any other parameters?

    try this :

    when HTTP_REQUEST {
        if { ([string tolower [HTTP::path]] equals "/adfs/ls/") && ([string tolower [HTTP::query]] contains "wa=wsignout1.0") } {
            HTTP::respond 302 Location "/vdesk/hangup.php3" 
        }
    }
    

    PS: everybody replies in the answer space for formatting reasons. Comment mode is for short comments.
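
The matching conditions from the iRules above, modelled in Python as an added example (not code from the thread or from F5) so they can be compared offline against constructed request URIs. `parsed_param_match` is a stricter variant assumed here, and `adfs.example.com` is a placeholder host.

```python
# Added example (not from the thread): models the iRule conditions posted above
# so their matching behaviour can be compared offline. Sample URIs are constructed.
from urllib.parse import urlsplit, parse_qsl

SIGNOUT_PATH = "/adfs/ls/"
SIGNOUT_ACTION = "wsignout1.0"


def exact_uri_match(uri):
    # First two iRules: lowercased HTTP::uri must equal the bare sign-out URI.
    return uri.lower() == SIGNOUT_PATH + "?wa=" + SIGNOUT_ACTION


def path_and_contains_match(uri):
    # Later iRule: HTTP::path equals /adfs/ls/ and HTTP::query contains wa=wsignout1.0.
    path, _, query = uri.partition("?")
    return path.lower() == SIGNOUT_PATH and "wa=" + SIGNOUT_ACTION in query.lower()


def parsed_param_match(uri):
    # Stricter variant (assumption, not from the thread): decoded wa value compared exactly.
    parts = urlsplit(uri)
    if parts.path.lower() != SIGNOUT_PATH:
        return False
    params = parse_qsl(parts.query, keep_blank_values=True)
    return any(k.lower() == "wa" and v.lower() == SIGNOUT_ACTION for k, v in params)


# Constructed request URIs; adfs.example.com is a placeholder host.
SAMPLES = [
    "/adfs/ls/?wa=wsignout1.0",
    "/adfs/ls/?wa=wsignout1.0&wreply=https%3A%2F%2Fadfs.example.com%2F",
    "/adfs/ls/?wreply=https%3A%2F%2Fadfs.example.com%2F&wa=wsignout1.0",
    "/adfs/ls/?wa=wsignin1.0&wctx=swa=wsignout1.0",
    "/adfs/ls/?wa=wsignin1.0",
]


def compare(uris=SAMPLES):
    # Returns {uri: (exact, path+contains, parsed)} for each sample URI.
    return {u: (exact_uri_match(u), path_and_contains_match(u), parsed_param_match(u)) for u in uris}


if __name__ == "__main__":
    for uri, result in compare().items():
        print(result, uri)
```

The exact-URI condition misses sign-out requests that carry any extra parameter, while the substring condition also fires on a sign-in request whose other parameter happens to contain the same text.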

  • I have a setup where F5 is placed as an ADFS proxy. When the user clicks on sign out in Office 365, it starts a sign-out process and the request is sent to the ADFS server. I have an issue where the APM session is not getting closed. I'm using the below iRule. Kindly suggest if we have a better solution.

    when HTTP_RESPONSE {
        if {[HTTP::header "Set-Cookie"] contains "MSISSignOut=;"} {
            ACCESS::session data set session.user.adfssignout 1
            HTTP::close
        }
    }

    when CLIENT_CLOSED {
        # Remove APM session if ADFS sign-out variable exists
        if {[ACCESS::session data get session.user.adfssignout] eq 1} {
            ACCESS::session remove
        }
    }