Jump to content
Welcome to our new Citrix community!

SAML SP logout


Recommended Posts

Hello all,

 

I feel confused by the SAML authentication flow. I want to configure AAA with SAML SP configuration to protect applications behind the CSVs.  For instance, the application could be zabbix.mydomain.com. IdP is a third party IdP.

I would say (almost) everything is fine. Once the user opens zabbix.mydomain.com, the browser redirects to the redirect URL (saml login URL of the IdP) and the login is successful.

 

But the logout is painful. I use the traffic policy as follows:

-Initiate logout – on

-expression – http.req.url eq to logout URL of the Application

 

When I want to log off, I am redirected to IdP single logout page, and the session is closed on the IdP side. Not on the ADC where the AAA session stays active until I close the browser, i.e. I can access the application again without the need to log in again. I noticed that NSC_TMAS and NSC_TMAA cookies stays valid and are not invalidated.

 

The IdP is configured using the SAML SP metadata, so the configuration is like:

 

<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://samlsp.mydomain.com/cgi/tmlogout"/>

<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://samlsp.mydomain.com/cgi/tmlogout"/>

<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://samlsp.mydomain.com/cgi/samlauth" index="0"/>

<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://samlsp.mydomain.com/cgi/samlauth" index="1"/>

 

Btw, is it also possible to configure IdP initiated SLO?

 

Thank you!

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...