ADFS and Google Apps SSO - Signout URL?

    Question

  • Hi all,  I have ADFS using SAML2 to connect to Google Apps.  It works fine to log in, but whenever I try to log out, I get:

    There was a problem accessing the site. Try to browse to the site again.
    If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.
    Reference number: 57092dfc-751a-4915-8e6a-b4c5d413f8c6

    ----

    And in my event logs I get this:

    Log Name:      AD FS 2.0/Admin
    Source:        AD FS 2.0
    Date:          3/10/2011 1:33:47 PM
    Event ID:      362
    Task Category: None
    Level:         Error
    Keywords:      AD FS
    User:          DOMAIN\adfs-service
    Computer:      ADFS01.domain.place
    Description:
    Encountered error during federation passive sign-out.

    Additional Data

    Exception details:
    Microsoft.IdentityServer.Web.RequestFailedException: MSIS7055: Not all SAML session participants logged out properly. It is recommended to close your browser.
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSamlLogoutResponse(HttpSamlMessage samlMessage)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SingleLogout(Uri returnUrl, Boolean wsFedInitiated)


    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="AD FS 2.0" Guid="{20E25DDB-09E5-404B-8A56-EDAE2F12EE81}" />
        <EventID>362</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000001</Keywords>
        <TimeCreated SystemTime="2011-03-10T19:33:47.778221700Z" />
        <EventRecordID>93</EventRecordID>
        <Correlation ActivityID="{57092DFC-751A-4915-8E6A-B4C5D413F8C6}" />
        <Execution ProcessID="2616" ThreadID="1428" />
        <Channel>AD FS 2.0/Admin</Channel>
        <Computer>ADFS01.domain.place</Computer>
        <Security UserID="S-1-5-21-187122647-2057950548-1759684602-3926" />
      </System>
      <UserData>
        <Event xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
          <EventData>
            <Data>Microsoft.IdentityServer.Web.RequestFailedException: MSIS7055: Not all SAML session participants logged out properly. It is recommended to close your browser.
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSamlLogoutResponse(HttpSamlMessage samlMessage)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SingleLogout(Uri returnUrl, Boolean wsFedInitiated)

    </Data>
          </EventData>
        </Event>
      </UserData>
    </Event>


    ----------

    I've tried https://myadfsserver.domain.net/adfs/ls/?wa=wsignout1.0  as well as   https://myadfsserver.domain.net/adfs/ls

    No success.  Any suggestions?  Also, I'd love to know if anyone got the IdP-initiated connection to work with Google Apps, but that would just be icing on the cake.  Thanks for any help!

    - Brad
    Thursday, March 10, 2011 7:39 PM

Answers

  • Since there hasn't been an official answer to this, I'll reply for future SSO/Googley/ADFS admins...

    The fix is to use the https://myadfsserver.domain.net/adfs/ls/?wa=wsignout1.0 address within the Google config and set up a matching SAML Logout Endpoint in your RP trust configuration in ADFS.

    Steps:

    1.  Go to the Google Apps control panel - advanced tools - setup SSO
    2.  "Sign-out page URL" = https://myadfsserver.domain.net/adfs/ls/?wa=wsignout1.0
    3.  Save changes

    1.  Go to ADFS manager - Trust Relationships - Relying Party Trusts - <your party trust> properties
    2.  Under the Endpoints tab, click Add
    3.  Endpoint Type = SAML Logout, Binding = POST, URL = https://myadfsserver.domain.net/adfs/ls/?wa=wsignout1.0

    You can set a response URL if you want it to redirect to another page, but we like the ADFS site since it warns that you are logged off but you should still close your browser.

    Thursday, March 15, 2012 3:17 PM

All replies

  • Did anyone figure this out or find a workaround? We are having the same issue.
    Friday, June 03, 2011 2:08 PM
  • https://myadfsserver.domain.net/adfs/ls/?wa=wsignout1.0 is the sign-out address for ADFS. It just sounds like the Google Apps is not signing out. What did you specify for the SAML logout endpoint on your Google Apps relying party?

    Thanks,


    If this answers your question, please use the "Answer" button to say so | Ben Cline
    Saturday, June 04, 2011 7:07 PM
  • I too have a problem with signout. The URL I have at Google SSO is https://adfsstsurl.mydomain.com/adfs/ls/?wa=wsignoutcleanup1.0. I also tried https://adfsstsurl.mydomain.com/adfs/ls/; both return the same error:

    There was a problem accessing the site. Try to browse to the site again.

    Thanks

    Savi


    Monday, June 13, 2011 5:24 PM
  • I think the URL with wa=wsignoutcleanup1.0 is the very last point in the process. This page shows a good example of the sequence of events of signout: http://social.technet.microsoft.com/wiki/contents/articles/ad-fs-how-to-invoke-a-ws-federation-sign-out.aspx.

    Thanks,


    If this answers your question, please use the "Answer" button to say so | Ben Cline
    Monday, June 13, 2011 7:31 PM
  • Hello,

    I suggest you use the following forum:

    http://social.msdn.microsoft.com/Forums/en-US/geneva/threads/


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Tuesday, June 14, 2011 5:32 AM
  • It would be nice if a moderator could move this thread for us to the Geneva forum, I agree that forum is a better place for this topic. I am not a moderator in this forum so I do not have this ability.

    Thanks,


    If this answers your question, please use the "Answer" button to say so | Ben Cline
    Tuesday, June 14, 2011 2:05 PM
  • Actually this seems to be more suitable for AD FS forum:

    Please raise the query in the ADFS forum for better assistance.

    http://social.msdn.microsoft.com/Forums/en/Geneva/


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Thursday, March 15, 2012 6:58 PM
  • This is spot on.. I followed your steps and found that SAML logout logout URL is indeed not specified. Followed the instructions and all issues resolved. 

    Thanks very much.. 

    Sunday, March 25, 2012 3:54 PM
  • Had the same problem exactly.    Looked all over Google Apps support for a resolution but couldn't find anything.  sopplayer solution worked perfectly.   thanks for that.    Question is how can Google be so lame as to not have supplied the answer?
    Monday, June 11, 2012 7:12 PM
  • I have tried sopplayer's instructions which seem to work perfectly.........BUT when I get the ADFS logout confirmation and click on the browser's back or type in the Google Apps Mail-Domain I am still logged into the Google Apps account.  Anyone experiencing this too?  Any solutions?


    Thank you!

    Saturday, August 04, 2012 5:03 PM
  • Instead of using others' threads, please raise the query in the ADFS forum for better assistance.

    http://social.msdn.microsoft.com/Forums/en/Geneva/


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Saturday, August 04, 2012 11:16 PM
  • Do you have IWA enabled (default) on your ADFS 2.0 server? IWA will keep you signed in, and not prompt you for a password. Clicking sign out of Google Apps will revoke the Google Apps cookies, but IWA will keep you authenticated with the ADFS 2.0 server. See this link about IWA: http://social.technet.microsoft.com/wiki/contents/articles/1600.aspx
    Friday, September 07, 2012 5:53 PM
  • +1 Thanks for sharing Sopplayer! 
    Friday, September 07, 2012 5:53 PM
  • Why not just go to O365?

    Friday, January 17, 2014 8:50 PM
  • I realize that this post is a little old, but I wanted to add a few things on the ADFS configuration side that made this work for me.

    In Server 2012 R2, there are two add options; obviously, you click Add SAML.

    There are also two URL fields.

    The first should be your ACS URL. So https://www.google.com/a/your-google-domain/acs or https://your-google-domain/acs, depending on whether you use an alias for your Google for Work/Education account.

    The second is the logout field, that is the same as mentioned previously: https://my-adfs-server.my-domain.blah/adfs/ls/?wa=wsignout1.0

    These small details worked for me.

    Monday, August 10, 2015 3:43 PM
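The same two endpoints (the ACS URL from the reply above and the SAML Logout endpoint from the accepted answer) can be set and verified from the AD FS PowerShell cmdlets instead of the MMC. This is an added example, not code from anyone in the thread; it assumes the relying party trust is named "Google Apps", the AD FS host is myadfsserver.domain.net and the Google domain is your-google-domain.

```powershell
# Added example (not from the thread): configure the Google Apps relying party
# trust with the ACS and SAML Logout endpoints described in the thread, then
# read the trust back to confirm the logout endpoint is really present.
# Assumptions: RP trust name, AD FS host name and Google domain are placeholders.
# On AD FS 2.0 load the snap-in instead of the module:
#   Add-PSSnapin Microsoft.Adfs.PowerShell
Import-Module ADFS

$rpName     = 'Google Apps'
$acsUrl     = 'https://www.google.com/a/your-google-domain/acs'
$signoutUrl = 'https://myadfsserver.domain.net/adfs/ls/?wa=wsignout1.0'

# Endpoint 1: where AD FS POSTs the SAML assertion after sign-in (the ACS URL).
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
        -Uri $acsUrl -IsDefault $true -Index 0

# Endpoint 2: the SAML Logout endpoint the accepted answer adds. Its URL must
# match the "Sign-out page URL" configured in the Google Apps SSO settings.
$slo = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLLogout -Uri $signoutUrl

# Replace the trust's endpoint list with exactly these two endpoints.
Set-AdfsRelyingPartyTrust -TargetName $rpName -SamlEndpoint @($acs, $slo)

# Verification: the thread traces event 362 / MSIS7055 to a missing SAML
# Logout endpoint, so check for it explicitly rather than trusting the save.
$trust  = Get-AdfsRelyingPartyTrust -Name $rpName
$logout = $trust.SamlEndpoints | Where-Object { $_.Protocol -eq 'SAMLLogout' }

if (-not $logout) {
    Write-Warning "No SAML Logout endpoint on '$rpName'; sign-out will fail with MSIS7055."
} elseif ($logout.Location.AbsoluteUri -ne $signoutUrl) {
    Write-Warning "SAML Logout endpoint is $($logout.Location) but Google is set to $signoutUrl."
} else {
    Write-Output "SAML Logout endpoint OK: $($logout.Location)"
}
```

As the IWA reply notes, a correct logout endpoint ends the SAML session but does not stop Integrated Windows Authentication from silently re-authenticating the user on the next visit; the check above only confirms the endpoint configuration.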