Single logout doesn't work for Office 365 with F5 APM as IdP
Single sign-on works perfectly when setup with this guide: https://www.f5.com/pdf/deployment-guides/microsoft-office-365-idp-dg.pdf
We use version 13.1.1.4 of F5 APM in our setup and used the built-in SAML SP object for O365. This object doesn't contain any URLs in the SLO page. Then the Office 365 initiated logout works, but the logout can't be triggered from the webtop on F5.
I've found in Microsoft documentation that this is the SAML metadata of Azure AD: https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml
When using this metadata it points the SLO to https://login.microsoftonline.com/login.srf for request and response with POST binding. When testing single logout it logs out of Office 365, but the session on the APM is still there.
When doing the logout from the F5 webtop (via logout button), Office 365 throws an error: "AADSTS90081: An error occurred when we tried to process a WS-Federation message. The message was invalid."
Has anyone got Office 365 single logout working both IdP and SP initiated?
This sounds like expected behavior.
1.) If it is SP initiated, the user would automatically get redirected back to O365 with a SAMLResponse and complete SAML login.
Therefore, they should not get a webtop on the BIG-IP as IdP and not be able to click logout.
This would mean that SLO would work as expected from the SP standpoint.
2.) Let's say that SP initiated connections land on a webtop. This means they do not have it set up correctly. SP initiated connections _should_ redirect back to the SP automatically.
If they are presented with a webtop, this means the IdP didn't consume the SAMLRequest, and now it will be considered an IdP initiated connection since it was not sent back to the SP.
Now that it's IdP initiated, there is no knowledge of the SAMLRequest, so the BIG-IP does not know where the user is coming from to trigger SLO when the logout is clicked.
3.) There theoretically should not be a scenario where the user needs to log out of the BIG-IP as IdP, as the user should not be staying on the IdP any longer than to authenticate and then get redirected back to O365.
4.) As far as:
'When doing the logout from the F5 webtop (via logout button), Office 365 throws an error: "AADSTS90081: An error occurred when we tried to process a WS-Federation message. The message was invalid."'
This is because there is not a completed SSO session to be removed, based on the answers above.
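To illustrate the point made in this answer, here is an added Python model of IdP-side session tracking (example code, not from F5, Microsoft, or either poster). It reads the SP's SingleLogoutService from metadata and shows that only a session that actually consumed an AuthnRequest has an SP recorded to send a LogoutRequest to; the SP entityID and IdP issuer URL are constructed placeholders.

```python
"""Constructed model of how a SAML IdP decides at webtop logout whether it
has any SP participant to send a LogoutRequest to. Not F5 or Microsoft code."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SP_ENTITY_ID = "urn:example:o365-sp"  # constructed placeholder entityID

# Constructed SP metadata fragment; the SLO Location is the one the thread
# reports finding in the Azure AD federation metadata.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS['md']}" entityID="{SP_ENTITY_ID}">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="{POST_BINDING}"
        Location="https://login.microsoftonline.com/login.srf"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def slo_endpoints(metadata_xml):
    """Map each advertised SingleLogoutService binding to its Location."""
    root = ET.fromstring(metadata_xml)
    return {e.get("Binding"): e.get("Location")
            for e in root.iterfind(".//md:SingleLogoutService", MD_NS)}


@dataclass
class IdPSession:
    # SPs this session has completed SSO with: entityID -> SLO URL
    participants: dict = field(default_factory=dict)

    def logout(self):
        """Build one LogoutRequest per recorded participant. A session that
        never consumed an AuthnRequest has no participants, so nothing is sent."""
        return [{"Destination": url, "Issuer": "https://idp.example.test"}
                for url in self.participants.values() if url]


def handle_login(session, authn_request=None, metadata_xml=SP_METADATA):
    """SP-initiated: the AuthnRequest names the SP to answer, so the user is
    sent straight back with a SAMLResponse and the SP is recorded for SLO.
    IdP-initiated: no request was consumed, the user lands on the webtop and
    no SP is recorded, so a later logout has nothing to notify."""
    if authn_request is None:
        return "webtop"
    sp = authn_request["Issuer"]
    session.participants[sp] = slo_endpoints(metadata_xml).get(POST_BINDING)
    return "redirect-to-sp"
```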