Forum Discussion

eehir
Oct 06, 2016

SAML SLO error

Hey,

We are using APM as a SAML IdP for authenticating smartcard users. Authentication works fine and users are able to use the SAML SP service, but as they try to log out, the user is redirected back to the IdP and the browser session dies. The browser seems to stay on the IdP SLO URL (/saml/idp/profile/sls) without ever redirecting back to the SP SLO URLs.

Firefox states that a secure connection can't be established.

From the APM log I can see the following error:

SSOv2 plugin error(18) in sso/saml.c:6276

I tried to find the meaning of the error, but so far I've found nothing for error 18. Any ideas?

We are running version 11.5.1 HF10

2 Replies

  • Lucas_Thompson_
    Historic F5 Account

    Before v12.1, if the user's APM session is idled out (usually it will be), then the connection is RST.

    The reason it was broken before is that APM has to keep track of all the SPs that have been authenticated in one IdP session, and SLO must redirect in a chain to all of the SPs, ending with the one that initiated the request. If the user's session is missing, there is nowhere to look up this data.

    That's fixed in 12.1 now; the caveat is that if there are multiple SPs, APM can't remember them and do the redirect chain back. For most users that's OK, and certainly more desirable than the current behavior of RST'ing the connection.

    For older versions, the only way to work around this is to have the idle timer be really long for the session so they don't time out by the time they want to SLO out of the SP session.

  • This does not directly answer your question, but I would recommend trying a newer version of BIG-IP, e.g. 12.x. There were significant improvements in SLO after 11.5.1, so you may not experience this error on newer versions.
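To make the SLO chain in Lucas's reply concrete, here is an added Python model of the IdP side of SAML single logout. It is illustration code written for this thread, not F5 APM code, and the class and method names (SamlIdp, login, single_logout, the legacy flag) are assumptions. It records which SPs were authenticated within one IdP session, walks the logout chain through every other SP and ends at the initiating SP, and shows the two ways a session that has idled out can be handled: reset the connection (the pre-12.1 behaviour described above) or answer only the initiator (the 12.1 behaviour, which forgets the other SPs). The last scenario shows why a long idle timeout works around the problem on older versions.

```python
"""Model of a SAML IdP's single-logout (SLO) redirect chain with session tracking.

Added illustration, not F5 APM code. Names and the in-memory session store
are assumptions made for the example; real IdPs sign and encode the messages.
"""
import time
from dataclasses import dataclass, field


class ConnectionReset(Exception):
    """Models the pre-12.1 behaviour: no session, so the connection is RST."""


@dataclass
class IdpSession:
    user: str
    last_seen: float
    sps: list = field(default_factory=list)  # SP entity IDs, in login order


class SamlIdp:
    def __init__(self, idle_timeout, legacy=False):
        self.idle_timeout = idle_timeout  # seconds of inactivity before expiry
        self.legacy = legacy              # True: RST when the session is gone
        self.sessions = {}                # session_id -> IdpSession

    def _session(self, session_id, now):
        """Return the live session, or None (and drop it) if it has idled out."""
        sess = self.sessions.get(session_id)
        if sess is None:
            return None
        if now - sess.last_seen > self.idle_timeout:
            del self.sessions[session_id]
            return None
        return sess

    def login(self, session_id, user, sp, now=None):
        """Record that `sp` was authenticated within IdP session `session_id`."""
        now = time.time() if now is None else now
        sess = self._session(session_id, now)
        if sess is None:
            sess = self.sessions[session_id] = IdpSession(user=user, last_seen=now)
        if sp not in sess.sps:
            sess.sps.append(sp)
        sess.last_seen = now

    def single_logout(self, session_id, initiating_sp, now=None):
        """Return the ordered redirect chain for an SP-initiated logout.

        Every other SP in the session gets a LogoutRequest; the initiating SP
        is last and receives the final LogoutResponse. If the session cannot
        be found, legacy mode raises ConnectionReset; otherwise only the
        initiator is answered, because the other SPs are no longer known.
        """
        now = time.time() if now is None else now
        sess = self._session(session_id, now)
        if sess is None:
            if self.legacy:
                raise ConnectionReset(f"no IdP session {session_id!r} for SLO")
            return [("LogoutResponse", initiating_sp)]
        others = [sp for sp in sess.sps if sp != initiating_sp]
        del self.sessions[session_id]  # the IdP session ends with the SLO
        return [("LogoutRequest", sp) for sp in others] + [
            ("LogoutResponse", initiating_sp)
        ]


def run_scenarios():
    """Constructed scenarios; timestamps are arbitrary seconds, not real clocks."""
    results = {}

    # 1. Live session with three SPs, logout started from sp-b.
    idp = SamlIdp(idle_timeout=900)
    for t, sp in ((1000, "sp-a"), (1100, "sp-b"), (1200, "sp-c")):
        idp.login("s1", "alice", sp, now=t)
    results["live"] = idp.single_logout("s1", "sp-b", now=1300)

    # 2. Session idled out (900 s timeout, logout 4000 s later), 12.1 behaviour.
    idp.login("s2", "bob", "sp-a", now=1000)
    idp.login("s2", "bob", "sp-b", now=1000)
    results["idle_new"] = idp.single_logout("s2", "sp-a", now=5000)

    # 3. Same, pre-12.1 behaviour: the connection is reset.
    legacy = SamlIdp(idle_timeout=900, legacy=True)
    legacy.login("s3", "bob", "sp-a", now=1000)
    try:
        legacy.single_logout("s3", "sp-a", now=5000)
        results["idle_legacy"] = "redirected"
    except ConnectionReset:
        results["idle_legacy"] = "reset"

    # 4. Workaround for old versions: a long idle timeout keeps the session.
    patient = SamlIdp(idle_timeout=86400, legacy=True)
    patient.login("s4", "bob", "sp-a", now=1000)
    patient.login("s4", "bob", "sp-b", now=1000)
    results["long_idle_legacy"] = patient.single_logout("s4", "sp-a", now=5000)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The model deliberately separates "session present" from "session expired" in one lookup, which is the branch the thread is about: once the idle timer has dropped the session, the SP list is gone, so the IdP can at best answer the initiator, and nothing in the chain can be reconstructed from the SP's LogoutRequest alone.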