SharePoint and SAML Single Log Out
I have an APM policy doing SAML authN client side (APM is the SAML service provider) and Kerberos authN server side. All working well there. I am dealing with Single Log Out and want both the APM session cleared as well as the external IdP session, so I need to do SP-initiated Single Log Out over SAML.
Because of RFE ID 440234, where the APM policy does not detect the logout URI when there are various paths before the defined Logout URI, I have the following iRule taking care of detecting and initiating Single Log Out.
when HTTP_REQUEST {
    # Lower-case the URI once so the SharePoint sign-out pages match
    # regardless of the case the browser sends.
    set uri [string tolower [HTTP::uri]]
    # Any of the SharePoint sign-out pages is handed to APM's own logout
    # page, which clears the APM session and runs the SAML Single Log Out.
    if { $uri contains "/_layouts/signout.aspx" ||
         $uri contains "/_layouts/15/signout.aspx" ||
         $uri contains "/_layouts/15/mobile/authn_signout.aspx" } {
        HTTP::respond 302 Location "/my.logout.php3"
    }
}
This works perfectly: it clears the APM session and takes care of the SAML Single Log Out. The only problem is that the user ends up at the F5 logout page at the URI /vdesk/hangup.php3. I need the user to be sent back to the host name that existed when the above iRule was triggered to log out the user, similar to how vdesk/hangup.php3 has a link "To open a new session, please click here" that simply sends the user back to the host name they just logged out from and, in my case, starts the SAML Single Sign-On flow, dropping them at the IdP logon page.
Any creative ideas on how to get the user back to the host name after this type of login?
The desired behavior is what I get when I do NOT use an iRule and leverage the APM policy "Logout URI include" option, but then I have the issue that any URI that is not at the root host name is not picked up (ID 440234) as a logout request, and the user is not signed out at all.
Thanks E.R.
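One way to get the behaviour described in the post, as an added example iRule that is not from the original post or from F5: keep the sign-out detection, and when APM would finally show /vdesk/hangup.php3 (assumed here to be reached only after APM has terminated the session and finished the SAML SLO), bounce the browser to the root of the same host so a fresh SAML SSO starts at the IdP. The HTTPS scheme and the hostname allow-list are assumptions; the allow-list exists because redirecting to an unvalidated Host header is an open redirect.

```tcl
# Added example (not the poster's or F5's code). Assumes HTTPS, that
# /vdesk/hangup.php3 is only requested after logout completes, and the
# constructed hostname allow-list below.
when HTTP_REQUEST {
    # Compare against the path only, so query-string noise such as
    # ?ReturnUrl=/_layouts/signout.aspx cannot trigger a logout by itself.
    set path [string tolower [HTTP::path]]
    set host [string tolower [HTTP::host]]

    # Hostnames we are willing to send a logged-out user back to
    # (constructed placeholders; replace with the real SharePoint hosts).
    set allowed_hosts [list "sharepoint.example.com" "intranet.example.com"]

    switch -glob -- $path {
        "/_layouts/signout.aspx" -
        "/_layouts/15/signout.aspx" -
        "/_layouts/15/mobile/authn_signout.aspx" {
            # Same redirect as the original iRule: APM's logout page clears
            # the APM session and runs SP-initiated SAML SLO with the IdP.
            HTTP::respond 302 Location "/my.logout.php3" Cache-Control "no-store"
            return
        }
        "/vdesk/hangup.php3" {
            # APM shows this page after logout has completed. Instead of
            # leaving the user on the F5 page, send them to the host root,
            # which starts SAML SSO and lands them on the IdP logon page.
            if { [lsearch -exact $allowed_hosts $host] >= 0 } {
                HTTP::respond 302 Location "https://$host/" Cache-Control "no-store"
                return
            }
            # Unknown Host header: fall through and let APM serve hangup.php3.
        }
    }
}
```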