SAML SLO response data destination modification needed
I have the following requirement to modify the SAML response data, in particular the SLO destination. The goal here is to finalize the end user session on the SP mywebsite, IDP1 and IDP2 (this is a chained setup). With this config the session is being terminated on IDP1 and IDP2 but still not on the SP. This is because IDP1 sends the SAML SLO response to IDP1 with the SLO destination being IDP1/logmeout; when resending the POST request via redirect to the end user and directing it back to mywebsite, it responds with 400 Bad Request, because the SAML SLO data contains the old IDP/logmeout destination and needs to be modified.
The iRule I use, which is working:
when ACCESS_ACL_ALLOWED {
    # Only act on the SLO endpoint; everything else passes through untouched
    if { [HTTP::uri] contains "/logmeout" } {
        log local0. "logout requested from IP [IP::client_addr] URI [HTTP::uri] query [HTTP::query]"
        # Kill the APM session on this box, then bounce the client
        ACCESS::session remove
        # The original query string is appended verbatim to the redirect target
        ACCESS::respond 307 Location "HTTPS://myredirectwebsite[HTTP::query]"
    }
}
How can I modify the SAML SLO payload to match the SLO destination of SP mywebsite without having to change the SP metadata of IDP1?
I know version 14.1 has the new ACCESS_SAML_SLO_RESP event, which would be highly suitable for this, but we use version 13.
https://devcentral.f5.com/wiki/iRules.ACCESS_SAML_SLO_RESP.ashx
The SAML POST DATA is:
https://IDP2/logmeout (this part needs to be modified to the mywebsite destination)
All recommendations are welcome.
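The transformation the question is asking for, as an added example that is not part of the original post or of the poster's iRule: the HTTP-POST binding carries the LogoutResponse as base64 XML in the SAMLResponse form field, so rewriting the destination means decoding that field, patching the Destination attribute, re-encoding it and rebuilding the form body (RelayState must survive). The hostnames, message IDs and the sample LogoutResponse below are constructed for illustration; "https://mywebsite/saml/slo" is an assumed SP endpoint, not one named in the post. The second sample is signed, which is the case the rewrite cannot fix in transit.

```python
"""Rewrite the Destination of a SAML 2.0 LogoutResponse carried in the
HTTP-POST binding (form field SAMLResponse = base64(XML)).

Added example, not code from the original post. All names below
(IDP1, IDP2, mywebsite, the IDs, the endpoint paths) are constructed.
"""
import base64
from urllib.parse import parse_qsl, urlencode
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Keep the conventional prefixes when re-serialising.
ET.register_namespace("samlp", SAMLP_NS)
ET.register_namespace("saml", SAML_NS)
ET.register_namespace("ds", DS_NS)

# Constructed sample: an unsigned LogoutResponse from IDP1 whose
# Destination still points at IDP2's SLO endpoint (the symptom in the post).
SAMPLE_LOGOUT_RESPONSE = (
    '<samlp:LogoutResponse xmlns:samlp="%s" xmlns:saml="%s" '
    'ID="_r1" Version="2.0" IssueInstant="2019-01-01T00:00:00Z" '
    'InResponseTo="_q1" Destination="https://IDP2/logmeout">'
    '<saml:Issuer>https://IDP1</saml:Issuer>'
    '<samlp:Status><samlp:StatusCode '
    'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '</samlp:LogoutResponse>' % (SAMLP_NS, SAML_NS)
)

# Constructed sample with an (abbreviated, fake) enveloped XML signature.
SAMPLE_SIGNED_RESPONSE = SAMPLE_LOGOUT_RESPONSE.replace(
    "</saml:Issuer>",
    '</saml:Issuer><ds:Signature xmlns:ds="%s"><ds:SignatureValue>'
    'AAAA</ds:SignatureValue></ds:Signature>' % DS_NS,
)


class SignedResponseError(ValueError):
    """The response is signed: Destination sits inside the signed element,
    so patching it only produces a response the SP rejects as tampered."""


def encode_response(xml_text: str) -> str:
    """base64 the XML the way the POST binding carries it."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def get_destination(saml_response_b64: str) -> str:
    """The value an SP compares against its own SLO URL (mismatch -> 400)."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    return root.get("Destination", "")


def rewrite_destination(saml_response_b64: str, new_destination: str) -> str:
    """Return a new base64 SAMLResponse with Destination replaced, refusing
    anything that is not an unsigned samlp:LogoutResponse."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}LogoutResponse" % SAMLP_NS:
        raise ValueError("not a samlp:LogoutResponse: %s" % root.tag)
    if root.find("{%s}Signature" % DS_NS) is not None:
        raise SignedResponseError("LogoutResponse is signed; fix it at the issuer")
    root.set("Destination", new_destination)
    return base64.b64encode(ET.tostring(root, encoding="utf-8")).decode("ascii")


def rewrite_post_body(body: str, new_destination: str) -> str:
    """Rewrite only the SAMLResponse field of a form-urlencoded POST body;
    RelayState and any other fields are passed through unchanged."""
    out = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name == "SAMLResponse":
            value = rewrite_destination(value, new_destination)
        out.append((name, value))
    return urlencode(out)


def body_destination(body: str) -> str:
    """Destination carried by the SAMLResponse field of a POST body."""
    fields = dict(parse_qsl(body, keep_blank_values=True))
    return get_destination(fields["SAMLResponse"])


def demo_body() -> str:
    """Constructed POST body as IDP1 would send it to the browser."""
    return urlencode({"SAMLResponse": encode_response(SAMPLE_LOGOUT_RESPONSE),
                      "RelayState": "abc"})


if __name__ == "__main__":
    fixed = rewrite_post_body(demo_body(), "https://mywebsite/saml/slo")
    print(body_destination(fixed))
```

Two things to carry over to the BIG-IP side. The rewritten body has a different length from the original, so whatever resends it must emit a matching Content-Length rather than the one IDP1 produced. And the signed case is the real constraint: if IDP1 signs its LogoutResponse (which the SAML profiles recommend for SLO messages), Destination is covered by that signature and no in-path rewrite can produce a response the SP will accept; the destination then has to be corrected where the response is issued.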