Forum Discussion

Nikolay_Matveev
Apr 05, 2016

APM: how to gracefully logout from all SSO applications behind BigIP

Dear Community,

 

I have 3 different web applications sitting behind a BigIP which does SSO across all three of them (they are 2 x Kerberos and 1 x Forms if this is relevant at all in the context of the question). All applications are somehow logically connected and dependent on each other and thus there is a need to gracefully terminate user sessions on all three of the applications (to release locks on resources etc.) when a user logs out from just one of them.

 

I would also like to send logout requests to all three of the applications when APM Inactivity and Maximum Session timeouts expire.

 

Is there an event triggered when APM timers expire? Maybe somebody has done/seen an iRule implementing similar functionality? Any clues would be very much appreciated!

 

4 Replies

  • If your applications can link to /vdesk/hangup.php3 for the sign out process, then your APM session will be terminated.

     

  • Another option (though not the prettiest or easiest) would be to intercept a request to /vdesk/hangup.php3 (or a response redirect to that page) and present the user with a custom page that uses AJAX calls to request the individual logout pages of the applications, and once completed, redirects the user to the hangup page again with a query parameter or something that would denote it should be intercepted again.

     

    iRule code might start like this:

     

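    when HTTP_REQUEST {
        # Keep the request's host and URI so they are available in HTTP_RESPONSE
        set hostvar [HTTP::host]
        set urivar [HTTP::uri]
    }

    when HTTP_RESPONSE {
        # Catch the application's redirect to the APM logout URI
        if { [HTTP::header exists Location] && [HTTP::header value Location] equals "/vdesk/hangup.php3" } {
            # Replace the redirect with the custom logout page, marked non-cacheable
            HTTP::respond 200 content {
                Your page here
            } Cache-Control No-Cache Pragma No-Cache
        }
    }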

    Also, if you're interested in APM event flow, you can check out this article which gives a flowchart of most of the events there.

     

  • Thank you very much to all who answered my question (and sorry for not getting back to you sooner!)

     

    Without any further investigations it looks like the approach suggested by Michael Jenkins has the best chances to succeed. AJAX on the client side should be much easier than trying to identify all server-side sessions.

     

    Michael, that flowchart is also very helpful - thanks a lot for the link!

     

    I'm currently dealing with something else but as soon as I get back to this topic (probably in a few weeks' time) and work out a suitable solution I will update this post.
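
A sketch of the client-side script for the custom logout page described in the second reply, added here as an example and not code from the thread or from F5. The application logout URLs, the `apps_done` marker parameter and the function names are assumptions; substitute each application's real sign-out URL.

```javascript
// Added example: script for the custom logout page returned by the iRule.
// Logout URLs and the "apps_done" marker are hypothetical placeholders.
const APP_LOGOUT_URLS = [
  "https://app1.example.com/logout",
  "https://app2.example.com/logout",
  "https://app3.example.com/logout",
];
const HANGUP_URL = "/vdesk/hangup.php3?apps_done=1";

// Request one application's logout page. Never rejects: a slow or failing
// application must not prevent the APM session from being terminated.
async function logoutOne(url, fetchFn, timeoutMs) {
  const ctrl = new AbortController();
  const timer = setTimeout(() => ctrl.abort(), timeoutMs);
  try {
    // credentials: "include" sends the application's session cookie.
    // A cross-origin response without CORS headers is unreadable, so that
    // application is reported as ok=false even though the request was sent.
    const res = await fetchFn(url, {
      credentials: "include", cache: "no-store", signal: ctrl.signal,
    });
    return { url, ok: res.ok, status: res.status };
  } catch (err) {
    return { url, ok: false, status: 0, error: String(err) };
  } finally {
    clearTimeout(timer);
  }
}

// Log out of every application in parallel, then hand over to APM.
// navigate is called exactly once, whatever the individual outcomes.
async function logoutEverywhere(urls, fetchFn, navigate, timeoutMs = 5000) {
  const results = await Promise.all(
    urls.map((url) => logoutOne(url, fetchFn, timeoutMs))
  );
  navigate(HANGUP_URL);
  return results;
}

// Browser wiring; skipped when the file is loaded outside a browser.
if (typeof window !== "undefined") {
  logoutEverywhere(APP_LOGOUT_URLS, window.fetch.bind(window),
    (target) => window.location.replace(target));
}
```

Because this runs in the browser, it only covers a logout the user starts; a session ended by the APM inactivity or maximum session timeout may never load this page, so the applications' own server-side session timeouts are still needed to release locks.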