ADFS 3.0 SAML sign out not working

  • Question

  • SSO is working as expected.  However users report that they get an error such as this one when they choose to sign-out from within the app.

    An error occurred

    An error occurred. Contact your administrator for more information.

    Error details

    • Activity ID: 00000000-0000-0000-e100-0080000000bf
    • Error time: Mon, 24 Apr 2017 20:48:36 GMT
    • Cookie: enabled
    • User agent string: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36

    Within the Relying Party Trust I have the sign-out URL configured as:

    https://ifs.domain.com/adfs/ls/?wa=wsignout1.0

    Am I missing something for SAML to sign out properly?

    Wednesday, April 26, 2017 2:52 PM

Answers

  • Resolved - the customer did not have the application sign out page URL correct. Changed it to https://{DNS_name_of_RP_STS}/adfs/ls/?wa=wsignout1.0 and it worked.

    Thanks for all the suggestions.

    • Marked as answer by chabango Wednesday, May 17, 2017 12:46 PM
    Wednesday, May 17, 2017 12:46 PM

All replies

  • The endpoint you configure is for WS-Federation Relying Party trust.

    Contact the administrators of your relying party trust and ask them for the Signout URL. They have to provide one if you want to implement SAML signout.

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Tuesday, May 9, 2017 9:30 PM
  • Thanks Pierre.

    Are you referring to the signout URL for the SAML application as opposed to the ADFS server?

    I currently have this configured:

    WS-Federation sign-out URL:

    https://{DNS_name_of_RP_STS}/adfs/ls/?wa=wsignout1.0

    Wednesday, May 10, 2017 12:27 AM
  • I had a similar issue with one of my RPs. The fix was to ask the RP or Service Provider\Owner to update the sign-out configuration on the SP side. Obviously, I had to share the intranet link I wanted the users to be redirected to once they click Sign-out on the SP page.
    • Proposed as answer by ddde4 Tuesday, January 21, 2020 12:16 AM
    Thursday, May 11, 2017 3:55 AM
  • The LogoutRequest from your web app must be signed.

    I ran into this issue setting up ServiceNow Express, and to fix it I had to change the ServiceNow SSO LogoutRequest to "signed" (it was just a radio box).

    Good luck!

    Tuesday, May 16, 2017 7:42 PM
  • Hi,

    I would suggest going through the ADFS logs for the activity ID at logout:

    • Activity ID: 00000000-0000-0000-e100-0080000000bf

    This will give you a clear picture of what went wrong and forced ADFS to throw the error. From that you can probably see what and where you need to concentrate on. It may be the application sending a wrong logout request, or ADFS not being able to recognize it.

    -Arvind Sindhu Enterprise Arch (Microsoft Technologies) Sapient.

    Wednesday, May 17, 2017 4:58 AM
  • I hate to be the party pooper here but the endpoint you mention is the WS-Fed logout endpoint. The SAML Logout endpoint has to be on the SP. It has to destroy the bootstrap cookie crafted by the SP. Only the SP can do it.

    Thursday, May 18, 2017 1:41 PM
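    Added example, not from this thread or from Microsoft: a PowerShell audit, run on the ADFS server with the ADFS module loaded, that flags relying party trusts where a SAML logout endpoint is the ADFS WS-Federation sign-out URL discussed above rather than the SP's own SLO endpoint, where a SAML RP has no logout endpoint at all, or where no request signing certificate is configured (so a signed LogoutRequest from the SP cannot be verified). The function name and finding text are my own.

```powershell
# Audit script (added example, not from the thread): checks each ADFS relying
# party trust for the logout misconfigurations discussed in the replies.
# Assumes the ADFS PowerShell module on an ADFS 3.0 or later server.
Import-Module ADFS

function Test-RpLogoutConfig {
    param([Parameter(Mandatory)] $Trust)

    $findings = @()
    $samlEndpoints = @($Trust.SamlEndpoints)
    $isSamlRp = @($samlEndpoints | Where-Object { $_.Protocol -eq 'SAMLAssertionConsumer' }).Count -gt 0
    $sloEndpoints = @($samlEndpoints | Where-Object { $_.Protocol -eq 'SAMLLogout' })

    if ($isSamlRp -and $sloEndpoints.Count -eq 0) {
        $findings += 'SAML RP has no SAMLLogout endpoint; single logout cannot complete'
    }
    foreach ($ep in $sloEndpoints) {
        # The mistake from the thread: the WS-Fed sign-out URL used where the SP's SLO URL belongs.
        if ($ep.Location -match '/adfs/ls/\?wa=wsignout1\.0') {
            $findings += "SAMLLogout endpoint '$($ep.Location)' is the ADFS WS-Fed sign-out URL, not the SP's SLO endpoint"
        }
        if ($ep.Location -notmatch '^https://') {
            $findings += "SAMLLogout endpoint '$($ep.Location)' is not HTTPS"
        }
    }
    # ADFS verifies the signature on the SP's LogoutRequest with this certificate.
    if ($isSamlRp -and @($Trust.RequestSigningCertificate).Count -eq 0) {
        $findings += 'No request signing certificate; a signed LogoutRequest from the SP cannot be verified'
    }

    [pscustomobject]@{ Name = $Trust.Name; Identifier = $Trust.Identifier; Findings = $findings }
}

Get-AdfsRelyingPartyTrust |
    ForEach-Object { Test-RpLogoutConfig -Trust $_ } |
    Where-Object { $_.Findings.Count -gt 0 } |
    Format-List
```

    A trust with no findings is omitted from the output; the SP-side sign-out configuration (the part the accepted answer changed) still has to be checked with the application owner.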
  • So was this resolution put into place on the SAML 3rd party side, or on the ADFS side? I sent them our sign out page URL and they claim to have made the change on their end. Do I need to change the SAML Logout Endpoint in the Relying Party Trust on the ADFS side? It seems like the cookies are not being destroyed and people cannot log out.
    Tuesday, July 18, 2017 4:23 PM
  • This was my issue and this fix worked for me.
    Wednesday, July 24, 2019 5:04 AM