Log out URL no longer works in AD FS 4.0

  • Question

  • Hi,

    We've upgraded our AD FS 3.0 server to 4.0 (2012 R2 -> 2016). First we added the new server to the farm, afterwards we made the server primary and removed the 3.0 server. Same goes for the WAP.

    SSO works as expected again, except for our log out URL.

    The settings in the RPs remain the same, but when trying to log out (https://xxxx/adfs/ls/?wa=wsignout1.0), I get an error. In the event viewer, event 364 is logged:

    Encountered error during federation passive request. 
    Additional Data 
    Protocol Name: 
    Relying Party: 
    Exception details: 
    System.ArgumentNullException: Value cannot be null.
    Parameter name: collection
       at System.Collections.Generic.List`1..ctor(IEnumerable`1 collection)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.ProcessSignOut(SamlContext samlContext, String redirectUri, List`1 iFrameUris, Boolean partialLogout)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.PipelineInitiatedSignout(WrappedHttpListenerContext httpContext, String redirectUri)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolSignoutRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

    Monday, April 10, 2017 8:25 AM

All replies

  • Similar thread that I responded to: https://social.technet.microsoft.com/Forums/en-US/acbf767a-2758-49bc-b3ab-45a8420af780/logout-when-adfs-is-bridge-between-wsfederation-rp-and-saml-claims-provider-external-saml-idp?forum=ADFS

    I have been dealing with the exact same issue for the last 24 hrs with Workday. We had three environments and one of them was working. After many hours of Fiddler traces, I figured out that there was a space at the end of wsignout1.0 in the RP that worked. That URL was configured as the logout URL at Workday. I thought it did not make sense, but I tested it in the other environments (primarily because we had tested everything else) and to my shock it worked. Give it a try and post the results here. If it works, I'll assume it's a bug in Server 2016.

    If spaces are not supported, use: /adfs/ls/?wa=wsignout1.0%C2%A0

    I had raised an MS support ticket and they have confirmed that it's a bug in Server 2016; not sure when the fix is being released, but it is in the works.

    It's worth noting that the above workaround just fixes the error: you will see the logoff successful message, but the cookies are not killed, so if you try to log in you will *not* be prompted for credentials.

    Monday, April 10, 2017 11:44 AM
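As an added example (not code from this thread or from Microsoft), the PowerShell below is what an AD FS admin could run on the 2016 farm to check the three things the posts above touch on: which relying party trusts have no SAML logout endpoint configured (the stack trace fails inside SamlProtocolHandler.ProcessSignOut on a null collection), which event 364 entries in the AD FS Admin log relate to sign-out, and whether a sign-out request actually clears the session cookies rather than only returning the "signed out" page. The function names are mine, `FederationServiceName` is a placeholder for your own farm name, and the `MSIS*` cookie-name filter is an assumption about how AD FS names its session cookies.

```powershell
# Added example, not from the thread. Assumes an elevated session on an AD FS 2016
# farm member with the ADFS PowerShell module available.
#Requires -Modules ADFS

function Get-AdfsSignOutInventory {
    # One row per relying party trust: its WS-Fed endpoint and any SAML logout
    # endpoints. RPs with HasSamlLogout = $false are the ones to review first,
    # since the failing code path builds a list from the SAML sign-out endpoints.
    foreach ($rp in Get-AdfsRelyingPartyTrust) {
        $logout = @($rp.SamlEndpoints | Where-Object { $_.Protocol -eq 'SAMLLogout' })
        [pscustomobject]@{
            Name               = $rp.Name
            Identifier         = ($rp.Identifier -join ';')
            WSFedEndpoint      = $rp.WSFedEndpoint
            SamlLogoutEndpoint = ($logout | ForEach-Object { "$($_.Binding) $($_.Location)" }) -join '; '
            HasSamlLogout      = ($logout.Count -gt 0)
        }
    }
}

function Get-AdfsSignOutFailures {
    param([int]$MaxEvents = 50)
    # Event 364 ("Encountered error during federation passive request") is what the
    # original post shows; keep only the entries whose stack mentions sign-out.
    Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 364 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'ProcessSignOut|ProcessProtocolSignoutRequest' } |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

function Test-AdfsSignOut {
    param(
        [Parameter(Mandatory)][string]$FederationServiceName,   # placeholder, e.g. fs.example.test
        [Microsoft.PowerShell.Commands.WebRequestSession]$Session
    )
    # Issues the same WS-Fed sign-out request the post describes. Pass a session that
    # already holds an AD FS logon (from an earlier Invoke-WebRequest in that session)
    # to see whether the session cookies are really removed; without one, the result
    # only tells you whether the endpoint errors instead of succeeding.
    $uri = "https://$FederationServiceName/adfs/ls/?wa=wsignout1.0"
    if (-not $Session) { $Session = New-Object Microsoft.PowerShell.Commands.WebRequestSession }
    try {
        $resp   = Invoke-WebRequest -Uri $uri -WebSession $Session -UseBasicParsing -MaximumRedirection 5
        $status = [int]$resp.StatusCode
    } catch {
        $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { -1 }
    }
    # Assumption: AD FS session cookies are the MSIS* family (MSISAuth, MSISAuthenticated, ...).
    $remaining = @($Session.Cookies.GetCookies([uri]$uri) | Where-Object { $_.Name -like 'MSIS*' -and -not $_.Expired })
    [pscustomobject]@{
        Uri              = $uri
        StatusCode       = $status
        RemainingCookies = ($remaining | ForEach-Object { $_.Name }) -join ', '
        SignedOut        = ($status -eq 200 -and $remaining.Count -eq 0)
    }
}

# Usage:
#   Get-AdfsSignOutInventory | Where-Object { -not $_.HasSamlLogout } | Format-Table -AutoSize
#   Get-AdfsSignOutFailures -MaxEvents 20
#   Test-AdfsSignOut -FederationServiceName 'fs.example.test' -Session $authenticatedSession
```

The point of `Test-AdfsSignOut` is the last reply's observation: a 200 with the "logoff successful" page is not the same as a sign-out, so the check treats the request as a success only when no live `MSIS*` cookies remain in the session afterwards.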
  • Hey Pranav,

    Good to know I'm not the only one.

    However, neither spaces nor %C2%A0 seems to work around the issue.

    Monday, April 10, 2017 12:54 PM