Forum Discussion

Kai_Wilke's avatar
Apr 13, 2017

APM SP with ADFS Single-Log-Out

Hi Folks,

 

I'd like to ask for working sample configuration to perform a SAML based Single-Log-Out.

 

Scenario:

 

VS_1 
    -> APM Policy with SAML Pre-Auth via multiple ADFS Server(s) 
        -> SharePoint with WS-Federation Auth using the same ADFS Server(s)
VS_2 
    -> APM Policy with 2FA/AD Auth and Kerberos-SSO
        -> ADFS Server for Department 1
VS_N 
    -> APM Policy with 2FA/AD Auth and Kerberos-SSO
        -> ADFS Server for Department N

Problem:

 

If a user initiates a logout on the SharePoint Site, just the APM session for VS_1 gets currently closed. If the user reopens the SharePoint page, the APM SAML authentication will get a fresh authentication from the ADFS Server since the APM session for this service hasn't been closed by the user initiated logout.

 

Goal:

 

Before I start to code an iRule that pulls off the SLO manually, I'd like to explore the possibilities of the build-in SAML SP Single-Sign-Out capabilities. Unfortunately I can't find any useful information how this may work out in conjunction with with APM SAML Pre-Auth, SharePoint and Microsoft ADFS Server behind another 2FA/AD Auth APM Policy.

 

Cheers, Kai

 

  • Hi Kai,

    you can use an irule to search session with the same user session...

    when ACCESS_ACL_ALLOWED {
         if some conditions {
              set apm_uuid "[PROFILE::access name].[ACCESS::session data get session.logon.last.username]"
              set apm_cookie_list [ ACCESS::uuid getsid $apm_uuid ]
              if {[llength $apm_cookie_list] != 0} {
                   set sid [ lindex $apm_cookie_list 0 ]
                ACCESS::session remove $sid
            }
        }
    }
    
  • P_K's avatar
    P_K
    Icon for Altostratus rankAltostratus

    which version are you running? & is there an IdP involved?

     

  • Hi PK,

     

    the SAML SP is v12.1 APM with W2012R2 ADFS as SAML IdP.

     

    Cheers, Kai

     

  • Kai,

    Here is the irule I used to secure ADFS server behind APM... it use SLO detection to close APM session and redirect to SLO reply address.

    when HTTP_REQUEST {
        set keepua 0
         For external Lync client access all external requests to the
         /trust/mex URL must be routed to /trust/proxymex. Analyze and modify the URI 
         where appropriate
        HTTP::uri [string map {/trust/mex /trust/proxymex} [HTTP::uri]]
         Analyze the HTTP request and disable access policy enforcement WS-Trust calls 
        if {[HTTP::uri] contains "/adfs/services/trust"} {
            ACCESS::disable
        }
         OPTIONAL ---- To allow publishing of the federation service metadata
        if {[HTTP::uri] ends_with "FederationMetadata/2007-06/FederationMetadata.xml"} {
            ACCESS::disable 
        }
    }
    
    when ACCESS_ACL_ALLOWED {
         Change user-Agent to Internet Explorer 11 User-Agent
        HTTP::header replace "User-Agent" "Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko msie7"
         If authenticated request matches ADFS SLO URI, close APM session and redirect to URI stored in query parameter "wreply"
        if { ([string tolower [HTTP::path]] equals "/adfs/ls/") && ([string tolower [URI::query [HTTP::uri] wa]] equals "wsignout1.0") } {
            set redirect_uri [URI::decode [URI::query [HTTP::uri] wreply]]
            ACCESS::session remove
            ACCESS::respond 302 noserver Location $redirect_uri
            return
        }
    }
    
    when ACCESS_SESSION_STARTED {
         If new session matches ADFS SLO URI, close APM session and redirect to URI stored in query parameter "wreply"
        set landinguri [ACCESS::session data get session.server.landinguri]
        if { ([string tolower $landinguri] starts_with "/adfs/ls/") && ([string tolower [URI::query $landinguri wa]] equals "wsignout1.0") } {
            set redirect_uri [URI::decode [URI::query $landinguri wreply]]
            ACCESS::respond 302 noserver Location $redirect_uri
            ACCESS::session remove
            return
        } elseif {!([string tolower $landinguri] starts_with "/adfs/")} {
            ACCESS::respond 302 noserver Location "https://portal.office.com"
            ACCESS::session remove
        }
    }
    
    when ACCESS_POLICY_COMPLETED {
        if { ([ACCESS::policy result] equals "deny") } {
            ACCESS::respond 302 noserver Location "https://portal.office.com"
            ACCESS::session remove
        } 
    }
    
  • Hi Kai,

    I am working on a configuration with :

    • ADFS 3.0
    • F5 APM as SAML SP with kerberos SSO

    When I imported ADFS metadata:

    With this configuration, SLO does not work

    I made it work by setting SLO request and response URLs to (made by irule)

    https://idp.company.com/adfs/ls/?wa=wsignout1.0&wreply=https%3a%2f%2fsp.company.com%2f
    

    With this configuration, the requests are:

    after that, session is removed from Access session and next request to SP requires authentication against ADFS (ADFS session was also closed)

    But, when the user access to more than 1 application with ADFS Auth, SLO seems to be disabled in ADFS. ADFS display the "You have successfully signed out." message but session is still active in both ADFS and APM.