ADFS 3 to SAML log outs not working properly

  • Question

  • I have seen a similar post but the answer does not seem to be working. When users click to log out from the 3rd party site that uses SAML to authenticate to our ADFS, they get sent back to our ADFS but get an error and are never actually signed out. When they go back, even with a new browsing session, it just passes them through without actually having to authenticate. The cookies never seem to expire.

    An error occurred
    An error occurred. Contact your administrator for more information.
    Error details
    • Activity ID: 00000000-0000-0000-180b-0080000000ee
    • Error time: Tue, 18 Jul 2017 16:18:24 GMT
    • Cookie: enabled
    • User agent string: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0

    I sent our https://{DNS_name_of_RP_STS}/adfs/ls/?wa=wsignout1.0 page to the 3rd party SAML administrator, who claims to have made the configuration change. Do I need to make any changes to the Endpoints on the Relying Party Trust? Right now the SAML Assertion Consumer Endpoints and SAML Logout Endpoints are the default from their metadata. I have no WS-Federation endpoints set.

    Tuesday, July 18, 2017 4:29 PM

All replies

  • The ADFS log out endpoint for a SAML SP is: https://{DNS_name_of_RP_STS}/adfs/ls/ (without the ?wa ... that's for WS-Fed sign-out)

    That is what you need to tell your service provider.

    BUT on your side, the ADFS configuration, you will need an endpoint for the Relying Party Trust which points to an endpoint hosted by the service provider.

    So if you are the SP admin, you use https://{DNS_name_of_RP_STS}/adfs/ls/

    If you are the admin of ADFS, you use the endpoint provided by the SP in your RPT config. AND NOTHING that points to your ADFS server.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Tuesday, July 18, 2017 5:09 PM
  • Unfortunately the SP claims to have made the change but we still have the same issue. Same error and then the browser continues to pass through without additional login required.

    On the ADFS servers the SAML Logout EndPoints are set as follows:

    Endpoint Type: SAML Logout

    Binding: Redirect (other option is POST)

    NOT set as the trusted URL default

    Index: 0

    Trusted URL: serviceprovider.com/portal/logout

    Response URL: serviceprovider.com/portal/logout

    Do I need to change anything?

    Friday, July 21, 2017 2:04 PM
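The reply above describes the rule (the Relying Party Trust's SAML Logout endpoint must name the service provider's logout URL, never the ADFS server itself), and the follow-up lists the endpoint fields as they appear in the ADFS console. The PowerShell below is an added example, not code from either poster or from Microsoft; it records the current SAML endpoints of an RPT, flags any SAML Logout entry that points back at the local federation service, and replaces the logout endpoint with a single Redirect-binding entry for the SP. The RPT display name and the SP logout URL are placeholders; the thread gives the SP URL without a scheme, so the example assumes https. It uses the ADFS module cmdlets Get-AdfsRelyingPartyTrust, New-AdfsSamlEndpoint and Set-AdfsRelyingPartyTrust and must be run on an AD FS server.

```powershell
# Added example (not from the thread): inspect and correct the SAML Logout
# endpoint on an AD FS Relying Party Trust. Run on an AD FS server.
Import-Module ADFS

$rptName  = "Contoso Portal"                                  # placeholder RPT display name
$spLogout = "https://serviceprovider.example/portal/logout"   # placeholder SP single-logout URL
$adfsHost = (Get-AdfsProperties).HostName                     # this farm's federation service name

$rpt = Get-AdfsRelyingPartyTrust -Name $rptName
if (-not $rpt) { throw "Relying Party Trust '$rptName' not found" }

# Record the current SAML endpoints before changing anything.
$rpt.SamlEndpoints |
    Format-Table Protocol, Binding, Index, IsDefaultOnly, Location, ResponseLocation -AutoSize

# A SAML Logout endpoint whose host is this AD FS farm is a misconfiguration:
# the RPT must point at the SP's logout endpoint, not at /adfs/ls/ on the IdP.
$bad = $rpt.SamlEndpoints | Where-Object {
    $_.Protocol -eq 'SAMLLogout' -and $_.Location.Host -ieq $adfsHost
}
if ($bad) {
    Write-Warning "SAML Logout endpoint(s) point at the IdP host: $($bad.Location -join ', ')"
}

# Keep the assertion consumer (and any other non-logout) endpoints untouched;
# replace the logout endpoint(s) with one Redirect-binding entry for the SP.
$keep   = $rpt.SamlEndpoints | Where-Object { $_.Protocol -ne 'SAMLLogout' }
$logout = New-AdfsSamlEndpoint -Protocol SAMLLogout -Binding Redirect -Index 0 `
                               -Uri $spLogout -ResponseUri $spLogout
Set-AdfsRelyingPartyTrust -TargetName $rptName -SamlEndpoint (@($keep) + $logout)

# Verify the result: exactly one SAML Logout endpoint, bound to the SP's URL.
(Get-AdfsRelyingPartyTrust -Name $rptName).SamlEndpoints |
    Where-Object { $_.Protocol -eq 'SAMLLogout' } |
    Format-List Binding, Index, Location, ResponseLocation
```

The SP side is configured separately: it needs the IdP's logout URL (https://{DNS_name_of_RP_STS}/adfs/ls/ for SAML, as the reply states), and the binding it uses must match the binding set here, or the LogoutRequest and LogoutResponse will not be accepted on either end.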
  • You can take a Fiddler trace (edit it to remove passwords) and share it here. We can see what's going on at least :)

    Monday, July 24, 2017 7:41 PM
  • I did a trace but what part do I need to post? The logout lines at the end? Which tab?
    Tuesday, July 25, 2017 4:55 PM