SAML SLO Error

Question

BIGIP is acting SP to an IDP. This IDP is one of our authentication methods to the Webtop.

For instance, if you are logging out with the Logout-button from the webtop a samlrequest is sent to thier SLS, the ticket is destroyed at thier end, but bigip is throwing an error: "Internal error. Failed to process SAML request/response. Please try again or contact your system administrator if error persists."

With uri: /vdesk/my.acl.php3?errorcode=8001

The response is getting back successful from the IDP (as issuer) to Destination="https://<bigipadress>/saml/sp/profile/post/sls" with a succes code:

<samlp:Status>

<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>

</samlp:Status>

APM-log:

SAML SSO: SLO Response is received on SLO Request URL

SAML SSO: SLO Request not found in SAML message 'SAMLResponse=<base64decoded samlrequest>

SAML SSO: Error (12) in reading SP info from sessionDB

SAML SSO: Abort reason: Error in reading sp info from session db

The samlrequest as it appear in the log is not uri decoded, but if i look at the formdata in chrome everything looks fine.

I've also tried with redirect instead of post, but then i get the error in APM-log:

SAML SSO: SLO Request not found in SAML message ''

A workaround is to clear the SLO settings in the IDP-connector, in this case the APM-session is destroyed but the session from the IDP isnt.

Any suggestions to investigate this futher?

Thanks,

Johan

johan_lång · Accepted Answer

Seems like the IDP didnt understood "ResponseLocation". The Reponse was sent to Location rather than ResponseLocation, this is something BIGIP does default:

<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://<bigip>/saml/sp/profile/post/sls" ResponseLocation="https://<bigip>/saml/sp/profile/post/slr">

Temporarily i made an irule that makes an 307 response from /saml/sp/profile/post/sls to /saml/sp/profile/post/slr instead.

Waiting for the IDP to update bigips metadata with only:

<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://<bigip>/saml/sp/profile/post/slr">

Could this cause any trouble?

ironman · Answer

Hi, I am developed same solution and is there any specific format of saml logout request?​

johan_lång · Answer

What do you mean? :) The IDP did not read the "ResponseLocation", instead i had to get rid of that, and only publish the /slr url instead of the /sls

ironman · Answer

HI Johan,&nbsp;we are develping own SAML Solution and  F5 Acting as  IDP here. we not have format of SLO request from SP to IDP, we getting error in F5 Deflate error, not sure it is any encrypted , wewant SLO Request from SP to IDP format, no Sign, no encryption format !&nbsp;we are using below format and it is getting error . it is send from SP to IDP(F5)&nbsp;&lt;samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"ID="ONELOGIN_21df91a89767879fc0f7df6a1490c6000c81644d"Version="2.0"IssueInstant="2014-07-18T01:13:06Z" Destination="https://F5IDP.COM/saml/idp/profile/redirect/sls"&gt;&nbsp;&nbsp;&nbsp;&lt;saml:Issuer&gt;https://SP.COM/SAML-logout.go&lt;/saml:Issuer&gt;&nbsp;&lt;saml:NameID SPNameQualifier="https://SP.com/SAML-logout.go" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"&gt;ONELOGIN_f92cc1834efc0f73e9c09f482fce80037a6251e7&lt;/saml:NameID&gt;&lt;/samlp:LogoutRequest&gt;&nbsp;

legan · Answer

I run into the same issue and I'm not able to resolve this. I have setup APM with Azure AD as a SAML IdP.

All works fine, until I logout. I have created a redirect rule that redirects like this:

when HTTP_REQUEST {

if {[HTTP::uri] starts_with "/saml/sp/profile/post/sls"} {

set new_uri [string map {"/saml/sp/profile/post/sls" "/saml/sp/profile/post/slr"} [HTTP::uri]]

HTTP::respond 307 noserver Location https://[HTTP::host]$new_uri

}

So, this request is redirected:

request: https://VPNbox/saml/sp/profile/post/sls?SAMLResponse=...

location: https://VPNbox/saml/sp/profile/post/slr?SAMLResponse=...

But on this request I receive the same error response page:

request: https://VPNbox/saml/sp/profile/post/slr?SAMLResponse=...

location: /vdesk/my.acl.php3?errorcode=8001

We would lilke to start a pilot, but this is a blocking issue at the moment.

I have also tried setting the logout URL in Azure AD to https://VPNbox/saml/sp/profile/post/slr directly, but that also gives me the redirect to the /vdesk/my.acl.php3?errorcode=8001 URI.

johan_lång · Answer

​What does the APM log says?&nbsp;Was a while ago but there was alot of issues with "reposts" with 307, when it comes to SAML.I would suggest that you manipulate the metadata from your&nbsp;bigip-SP connector&nbsp;and then reimport it into Azure AD. simply remove SLS. and remove the resoponder attribute and Place the slr after location,&nbsp;Like this:&lt;SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://&lt;name.domain.com&gt;/saml/sp/profile/post/slr"&gt; &lt;/SingleLogoutService&gt;&nbsp;Also make sure that you are using the right binding, Edit SAML SP Connector &gt; SLO Service Settings &gt; Single Logout Binding: POST (if you're using post).

Forum Discussion

SAML SLO Error

10 Replies

Recent Discussions

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5Access | MacOS Sonoma

Transaction looks successful but file not downloading

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

Related Content

SAML SLO Issues

SAML SLO NameQualifier and SPNameQualifier attributes missing

SAML SLO request ignored on iRules

Insufficient permissions BIG-IQ login error

APM Cookbook: SAML IdP Chaining