question

0 Votes
joym8 asked piaudonn commented

Relying Party SAML logout request not logging out user from their portal

We have an ADFS 4 server and a proxy server, and about 10 relying parties set up for various software vendors.

After importing a new relying party metadata file into ADFS, the relying party properties in ADFS show empty Signature and Encryption tabs.

Sign in works fine.

But the relying party is not logging out the user after the user clicks log out. It redirects the user to the successfully signed out page, but if a protected page is accessed after signing out, it lets you in as the previously signed in user.

What can be tried to troubleshoot this issue?

Here are the relevant files:

adfs

1 Answer

0 Votes
piaudonn answered piaudonn commented

Looking at the metadata of the application, there isn't a logout endpoint.
You need to reach out to the application's owner/developers and ask them to provide (or implement if not there already) a logout endpoint.


The application developers allow a configurable redirect URL.

Will the logout succeed if that URL is configured to https://<adfs_server>/adfs/ls/?wa=wsignout1.0, or, if a redirect after logout is desired, then https://<adfs_server>/adfs/ls/?wa=wsignout1.0&wreply=https://www.fabrikam.com/

In other words, will the logout succeed if the relying party sends a GET (or POST?) request to the ADFS wsignout1.0 URL? I guess I could test this myself, but just asking if theoretically that's how it's supposed to work.

0 Votes

That is not a valid endpoint for SAML log-out. This is a WS-Federation URL. Unless your application is using WS-Federation? The metadata shows a SAML 2.0 endpoint type...

The application has to destroy the user's cookies. Only the application can do it. And because the application can be used in either an SP-initiated flow or an IdP-initiated flow, you need to make sure that the Relying Party Trust in ADFS has the URL of the endpoint to hit on the application side to destroy the cookies.

0 Votes
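The check the answer describes (reading the vendor's SP metadata and noticing there is no logout endpoint) can be done mechanically before the trust is imported into ADFS. The script below is an added example, not code from the thread or from Microsoft: it parses a SAML 2.0 SP metadata document with the standard library, lists the AssertionConsumerService (sign-in) and SingleLogoutService (sign-out) endpoints, notes whether a KeyDescriptor certificate is present (the source of the Signature and Encryption tabs in the relying party properties), and reports the gaps a troubleshooter would want to know about. The two metadata documents are constructed samples; the first mirrors the situation in the question (sign-in endpoint only, no certificate), the second shows what a complete document looks like. The entity IDs, URLs and certificate text are placeholders.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 metadata and XML Signature namespaces (standard, not page-specific).
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}


def inspect_sp_metadata(xml_text: str) -> dict:
    """Summarise what an SP (relying party) metadata document offers the IdP.

    Returns the entityID, the sign-in (ACS) and sign-out (SLO) endpoints, which
    certificate uses are declared, and a list of findings relevant to a
    logout that "succeeds" at the IdP but leaves the application session alive.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this metadata does not describe an SP")

    def endpoints(tag: str) -> list:
        # Keep only the short binding name, e.g. "HTTP-Redirect" or "HTTP-POST".
        return [
            {"binding": e.get("Binding", "").rsplit(":", 1)[-1],
             "location": e.get("Location"),
             "response_location": e.get("ResponseLocation")}
            for e in sp.findall(f"md:{tag}", NS)
        ]

    # A KeyDescriptor without a "use" attribute is valid for both purposes.
    cert_uses = {
        k.get("use", "signing+encryption")
        for k in sp.findall("md:KeyDescriptor", NS)
        if k.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None
    }

    result = {
        "entity_id": root.get("entityID"),
        "acs": endpoints("AssertionConsumerService"),
        "slo": endpoints("SingleLogoutService"),
        "certificate_uses": sorted(cert_uses),
        "findings": [],
    }
    if not result["acs"]:
        result["findings"].append("no AssertionConsumerService: sign-in cannot work")
    if not result["slo"]:
        result["findings"].append(
            "no SingleLogoutService: the IdP has nowhere to send a LogoutRequest, "
            "so the application session survives an IdP-side sign-out")
    if not cert_uses:
        result["findings"].append(
            "no KeyDescriptor certificate: the Signature/Encryption tabs will be "
            "empty and signed requests from the SP cannot be verified")
    return result


# Constructed sample 1: sign-in endpoint only, no logout endpoint, no certificate.
SP_NO_SLO = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://portal.example.invalid/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://portal.example.invalid/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample 2: the same SP with a logout endpoint and a signing certificate
# (the certificate body is a placeholder, not a real X.509 blob).
SP_WITH_SLO = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://portal.example.invalid/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://portal.example.invalid/saml/slo"/>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://portal.example.invalid/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    for label, doc in (("vendor metadata", SP_NO_SLO), ("complete metadata", SP_WITH_SLO)):
        report = inspect_sp_metadata(doc)
        print(f"{label}: entityID={report['entity_id']}")
        print(f"  ACS: {report['acs']}")
        print(f"  SLO: {report['slo']}")
        print(f"  certificates: {report['certificate_uses'] or 'none'}")
        for finding in report["findings"] or ["no findings"]:
            print(f"  - {finding}")
```

Run it against the metadata file the vendor supplied; an empty `slo` list is the condition the answer points at. Once the vendor provides a SingleLogoutService, the same Location and Binding are what go into the trust's SAML Logout Endpoints (on the Endpoints tab, or with `New-AdfsSamlEndpoint -Protocol SAMLLogout` passed to `Set-AdfsRelyingPartyTrust -SamlEndpoint`), and a signing certificate from the KeyDescriptor is what fills the Signature tab so that signed requests from the application can be verified.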