This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 42%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EWG%3C/text%3E%3C/svg%3E)
Hello,
I have identity provider: ADFS and 2 service providers: app1 and app2
When I log in to app1 I can see that on ad fs site I have cookies:
SamlSession: decoded it contains: issuer name, userId and session index
MSISAuth
MSISAuthenticated
So far so good, when I log out everything is great, after some hidden forms (POST) on ADFS all cookies are cleared and also cookies on my app1 are deleted and everything is fine.
Now when I have a problem:
When I log to app1, Im redirected to adfs, provide credentials, session cookies are created on adfs and on my app1. Great, then I move to app 2, I log in, Im redirected to AD FS but there is already active session so what I can see is that SamlSession cookie on AD FS site is extended (not overwritten) with new information: issuer name, userId and session index for app2
and I'm logged in to app2. Greeat but then when I want to logOut from app1, what I can see is that I'm redirected (by adfs) to app2 logout page, it fails and I can see that on AD FS site I don't have
MSISAuth
MSISAuthenticated
cookies, they were deleted which is ok but I have new cookie called:
samlLogout
From that point I'm not able to logout from app1, each attempt results in failure.
What I would like to achive is that even if Im logged in to few service providers, after logout always ad fs session cookies are deleted and the n I should be redirected to services provider logout page (one from which aI called).
In my case when I log in only to app2 and then log out it also works (logout url is configured correctly for both app1 and app2)
What am I doing wrong here?
Do you have the proper SLO (logout) endpoints referenced in the Relying Party Trust configurations of the two apps? Do you mind sharing what you have there?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 77%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAA%3C/text%3E%3C/svg%3E)
I think you should check the logout endpoints as suggested above.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 87%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Is your problem solved? I'm having the same problem
The configuration is as follows:
adfs Relying Rarty Trust:
sp1:
SAML Assertion Consumer Endpoints: https://sp1/saml_login(POST Binding)
SAML Logout Endpoints: https://sp1/saml_logout(POST Binding)
sp2:
SAML Assertion Consumer Endpoints: https://sp2/saml_login(POST Binding)
SAML Logout Endpoints: https://sp2/saml_logout(POST Binding)
When I log in to only sp1 or sp2 in a browser, the login and logout are normal. When I log out, the adfs invokes the saml_logout interface and carries the correct SAMLResponse.
When I log in to both sp1 and sp2 in one browser, the login is fine. However, when I exit on sp1, adfs sends Post https://sp2/saml_logout via browser 302 with SAMLRequest parameter. (When I exit on sp2, adfs sends Post https://sp1/saml_logout through the 302 of the browser, carrying the SAMLRequest parameter.)
According to the SAML protocol, the exit URL sent to SP2 does not pass through the browser (5.3.2 SP-Initiated Single Logout with Multiple SPs of https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0-cd-02.html).
What are the reasons for this phenomenon?