AD FS - signout not always completing

  • Question

  • We have a problem where a user's AD FS session doesn't always complete when they log out.
    The SAMLSession cookie is still present in their browser and when accessing the site again they are not prompted for login credentials.

    Usually, when starting a new login, access site, log out sequence, the first go-through completes and signs out properly. When repeated, their session sticks and they are not prompted to enter their credentials. Closing and restarting the browser appears to fix it again.

    Tracking the logout with Fiddler shows the complete sign-out sequence has a GET and then a POST (done with a form submitted by JavaScript); the incomplete sequence just does a GET which returns the "You have successfully signed out" page.
    The problem isn't browser specific - it happens in Chrome and IE.

    Complete logout - cookie cleared.

    # Result Protocol Host URL Body Caching Content-Type Process Comments Custom RequestMethod
    3 200 HTTPS sso.viopoc.com /adfs/ls/?wa=wsignout1.0 4,177 text/html; charset=utf-8 iexplore:12380 [#3] GET
    4 200 HTTPS sso.viopoc.com /adfs/ls/?wa=wsignout1.0 6,539 no-cache,no-store; Expires: -1 text/html; charset=utf-8 iexplore:12380 [#4] POST


    Incomplete logout - cookie not cleared

    # Result Protocol Host URL Body Caching Content-Type Process Comments Custom RequestMethod
    2 200 HTTPS sso.viopoc.com /adfs/ls/?wa=wsignout1.0 6,539 no-cache,no-store; Expires: -1 text/html; charset=utf-8 iexplore:12380 [#2] GET

    The only difference in the two /adfs/ls/?wa=wsignout1.0 GET requests is that the incomplete request passes a SamlLogout cookie - with the same value returned in the first go-through.

    Is this cookie the cause? Should my code remove it?


    John Reidy Sydney, Australia

    Thursday, August 18, 2016 2:02 AM

Answers

  • I found that the URL is correct; however, I found the cause: I didn't have the authentication policy settings set for this site:

    1. Under Relying Party Trusts with global authentication settings only, select the same Relying Party Trust record.
    2. Click Properties under the Actions panel at the right side to display the Edit Authentication Policy window.
    3. Check the Users are required to provide credentials each time at sign in option.

    Thanks for your assistance.


    John Reidy Sydney, Australia

    Friday, August 26, 2016 6:33 AM
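    The three GUI steps above have a command-line equivalent. The script below is an added example, not code from the thread or from Microsoft: it audits every relying party trust for a configured SAML logout endpoint and for the per-RP "always require authentication" flag, then sets that flag on one RP. It assumes the ADFS PowerShell module (Windows Server 2012 R2 or later) and a placeholder RP name.

```powershell
# Added example (not from the thread). Requires the ADFS module on the AD FS server.
Import-Module ADFS

# Placeholder: replace with the display name of the relying party trust in question
$TargetRp = 'PLACEHOLDER-RP-NAME'

# Audit: for each RP, show whether a SAML logout endpoint exists and whether
# users must re-authenticate on every sign-in (the checkbox from the answer above).
foreach ($rp in Get-AdfsRelyingPartyTrust) {
    # Protocol 'SAMLLogout' marks the RP-side endpoint that receives the LogoutRequest
    $logout = $rp.SamlEndpoints | Where-Object { $_.Protocol -eq 'SAMLLogout' }
    [pscustomobject]@{
        Name                        = $rp.Name
        AlwaysRequireAuthentication = $rp.AlwaysRequireAuthentication
        SamlLogoutEndpoint          = if ($logout) { $logout.Location -join ', ' } else { '<none>' }
    }
}

# Remediation: equivalent of checking "Users are required to provide credentials
# each time at sign in" in the Edit Authentication Policy window for this RP.
Set-AdfsRelyingPartyTrust -TargetName $TargetRp -AlwaysRequireAuthentication $true

# Confirm the change took effect
(Get-AdfsRelyingPartyTrust -Name $TargetRp).AlwaysRequireAuthentication
```

    Run the audit loop first; an RP with no SAMLLogout endpoint will never receive the LogoutRequest, regardless of the authentication policy.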

All replies

  • The /adfs/ls/?wa=wsignout1.0 endpoint is meant to be a sign-out for a WS-Fed relying party trust. If your RP is using SAML as a federation protocol, you might need to reference a logout endpoint at the RP level.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Thursday, August 18, 2016 2:45 AM
  • Thanks for your response. We have configured a SAML logout endpoint for that RP - and for all of the ones we have configured.


    logout endpoint


    John Reidy Sydney, Australia

    Monday, August 22, 2016 6:54 AM
  • Your URL looks a lot like the ADFS WS-Fed sign-out url though :)

    When you sign out from an application, a POST HTTP message will be sent to the URL you reference here. This endpoint should be on your application. It should be a page or path of your application expecting to receive this HTTP POST message and destroy your session. Contact the owner/dev of your application and ask them to give you the endpoint for the SAML Logout.



    Monday, August 22, 2016 1:03 PM
  • Wait, you mean that the SAML application just gets the query string designed to sign out a WS-Fed app and is fine with it? Well, that's convenient :)

    Please mark your last message as answer if you think it is what you missed. Thank you for sharing!



    Friday, August 26, 2016 12:41 PM