SAML SLO Error
BIGIP is acting as SP to an IDP. This IDP is one of our authentication methods to the Webtop.
For instance, if you are logging out with the Logout-button from the webtop a samlrequest is sent to their SLS, the ticket is destroyed at their end, but bigip is throwing an error: "Internal error. Failed to process SAML request/response. Please try again or contact your system administrator if error persists."
With uri: /vdesk/my.acl.php3?errorcode=8001
The response is getting back successful from the IDP (as issuer) to Destination="https://<bigipadress>/saml/sp/profile/post/sls" with a success code:
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
APM-log:
SAML SSO: SLO Response is received on SLO Request URL
SAML SSO: SLO Request not found in SAML message 'SAMLResponse=<base64decoded samlrequest>
SAML SSO: Error (12) in reading SP info from sessionDB
SAML SSO: Abort reason: Error in reading sp info from session db
The samlrequest as it appears in the log is not uri decoded, but if I look at the formdata in chrome everything looks fine.
I've also tried with redirect instead of post, but then I get the error in APM-log:
SAML SSO: SLO Request not found in SAML message ''
A workaround is to clear the SLO settings in the IDP-connector, in this case the APM-session is destroyed but the session from the IDP isn't.
Any suggestions to investigate this further?
Thanks,
Johan
Seems like the IDP didn't understand "ResponseLocation". The Response was sent to Location rather than ResponseLocation, this is something BIGIP does by default:
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://<bigip>/saml/sp/profile/post/sls" ResponseLocation="https://<bigip>/saml/sp/profile/post/slr">
Temporarily I made an iRule that makes a 307 response from /saml/sp/profile/post/sls to /saml/sp/profile/post/slr instead.
Waiting for the IDP to update bigip's metadata with only:
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://<bigip>/saml/sp/profile/post/slr">
Could this cause any trouble?
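The Location/ResponseLocation mismatch discussed in this thread, as an added example that is not part of the original posts or F5's code: a Python check that reads an SP's SingleLogoutService metadata and reports whether a captured HTTP-POST logout message carries the Destination the metadata calls for. The host sp.example.test, the sample metadata, the sample LogoutResponse and all function names are constructed for illustration; the Redirect binding (which is DEFLATE-compressed) is not handled.

```python
import base64
import xml.etree.ElementTree as ET  # for untrusted XML, prefer defusedxml

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata; sp.example.test stands in for the BIG-IP host.
SP_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://sp.example.test">
 <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <SingleLogoutService Binding="{POST}"
     Location="https://sp.example.test/saml/sp/profile/post/sls"
     ResponseLocation="https://sp.example.test/saml/sp/profile/post/slr"/>
 </SPSSODescriptor>
</EntityDescriptor>"""

def slo_endpoints(metadata_xml, binding=POST):
    """Return (request_url, response_url) for one binding.
    Responses go to ResponseLocation when present, otherwise to Location."""
    root = ET.fromstring(metadata_xml)
    for svc in root.iter(f"{{{MD}}}SingleLogoutService"):
        if svc.get("Binding") == binding:
            loc = svc.get("Location")
            return loc, svc.get("ResponseLocation") or loc
    raise LookupError(f"no SingleLogoutService for {binding}")

def check_slo_post(metadata_xml, form):
    """form: already URL-decoded fields of an HTTP-POST binding message."""
    req_url, resp_url = slo_endpoints(metadata_xml)
    if "SAMLResponse" in form:
        field, expected = "SAMLResponse", resp_url
    elif "SAMLRequest" in form:
        field, expected = "SAMLRequest", req_url
    else:
        raise ValueError("no SAMLRequest or SAMLResponse field")
    doc = ET.fromstring(base64.b64decode(form[field]))
    dest = doc.get("Destination")
    return {"message": doc.tag.split("}")[-1], "destination": dest,
            "expected": expected, "ok": dest == expected}

def sample_response(destination):
    """Constructed LogoutResponse, base64-encoded as the POST binding does."""
    xml = ('<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           f'ID="_constructed" Version="2.0" Destination="{destination}">'
           '<samlp:Status><samlp:StatusCode '
           'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
           '</samlp:LogoutResponse>')
    return {"SAMLResponse": base64.b64encode(xml.encode()).decode()}

if __name__ == "__main__":
    # The IdP behaviour from the thread: response addressed to .../sls
    print(check_slo_post(SP_METADATA, sample_response(
        "https://sp.example.test/saml/sp/profile/post/sls")))
```

Run against a captured form field, the `ok` value shows directly whether the IdP followed ResponseLocation or fell back to Location.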