ADFS SAML multiple service provider logout

wgruszczynski@gmail.com 1 Reputation point
2021-05-22T08:02:29.093+00:00

Hello,

I have identity provider: ADFS and 2 service providers: app1 and app2

When I log in to app1 I can see that on ad fs site I have cookies:

SamlSession: decoded it contains: issuer name, userId and session index
MSISAuth
MSISAuthenticated

So far so good, when I log out everything is great, after some hidden forms (POST) on ADFS all cookies are cleared and also cookies on my app1 are deleted and everything is fine.

Now when I have a problem:
When I log to app1, Im redirected to adfs, provide credentials, session cookies are created on adfs and on my app1. Great, then I move to app 2, I log in, Im redirected to AD FS but there is already active session so what I can see is that SamlSession cookie on AD FS site is extended (not overwritten) with new information: issuer name, userId and session index for app2

and I'm logged in to app2. Greeat but then when I want to logOut from app1, what I can see is that I'm redirected (by adfs) to app2 logout page, it fails and I can see that on AD FS site I don't have

MSISAuth
MSISAuthenticated

cookies, they were deleted which is ok but I have new cookie called:

samlLogout

From that point I'm not able to logout from app1, each attempt results in failure.

What I would like to achive is that even if Im logged in to few service providers, after logout always ad fs session cookies are deleted and the n I should be redirected to services provider logout page (one from which aI called).

In my case when I log in only to app2 and then log out it also works (logout url is configured correctly for both app1 and app2)

What am I doing wrong here?

Active Directory Federation Services
Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
1,226 questions
{count} votes

1 answer

Sort by: Most helpful
  1. 国栋 杨 5 Reputation points
    2023-07-17T12:49:24.4433333+00:00

    Is your problem solved? I'm having the same problem

    The configuration is as follows:

    adfs Relying Rarty Trust:

    sp1:

    SAML Assertion Consumer Endpoints: https://sp1/saml_login(POST Binding)

    SAML Logout Endpoints: https://sp1/saml_logout(POST Binding)

    sp2:

    SAML Assertion Consumer Endpoints: https://sp2/saml_login(POST Binding)

    SAML Logout Endpoints: https://sp2/saml_logout(POST Binding)

    When I log in to only sp1 or sp2 in a browser, the login and logout are normal. When I log out, the adfs invokes the saml_logout interface and carries the correct SAMLResponse.

    When I log in to both sp1 and sp2 in one browser, the login is fine. However, when I exit on sp1, adfs sends Post https://sp2/saml_logout via browser 302 with SAMLRequest parameter. (When I exit on sp2, adfs sends Post https://sp1/saml_logout through the 302 of the browser, carrying the SAMLRequest parameter.)

    According to the SAML protocol, the exit URL sent to SP2 does not pass through the browser (5.3.2 SP-Initiated Single Logout with Multiple SPs of https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0-cd-02.html).

    What are the reasons for this phenomenon?

    0 comments No comments