
So we have an installation of AD FS 3.0 (Windows Server 2012 R2 role) and a configured relying party. The relying party configuration in AD FS has the appropriate endpoint configured to service logout requests (see attached pics).


A client would browse to: https://adfs.dmz.local/adfs/ls/?wa=wsignout1.0&wreply=https%3a%2f%2fportal.dmz.local%3a44303%2fLogout&wtrealm=https%3a%2f%2fportal.dmz.local%3a44303%2f

Instead of being redirected back to the relying party (via the wreply parameter), they are just left on the AD FS logout page.

Any ideas why AD FS would not be honouring the redirect? Note: whether the "trusted Url" is the same as the one above or not, the redirect doesn't work.

Edit: so I had this misconfigured entirely. The "Example" is incredibly misleading. This needs to be an endpoint implementing logout for SAML. As a result, this question isn't valid.

Rob Sanders

1 Answer

You are mixing things up. You are adding WS-Federation parameters in a SAML Protocol configuration box. That is wrong.

The wreply parameter is another story.

paullem
  • OK, any advice on what SAML parameters should be set? – Rob Sanders Oct 03 '14 at 00:32
  • I do not yet understand the details of what you want. You will have to tell me first what protocol the Relying Party will use. Is it SAML2 or WS-Federation (passive)? For WS-Federation one URL should be enough and a Unique entity ID. For SAML it depends on what the SP/RP has configured. In general you should not do it manually. You should ask the RP/SP for its metadata and configure ADFS with the metadata. Manual configuration is an advanced topic, try not to go there. – paullem Oct 03 '14 at 14:26
  • paullem: so I had misunderstood the configuration. We're dealing with SAML 2.0 only, not WS-Fed. I was going down the wrong path but now I realise where I went wrong. This question isn't a valid one. – Rob Sanders Oct 05 '14 at 10:33
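The distinction the answer and comments draw (a WS-Federation passive endpoint that honours wsignout1.0/wreply versus a SAML 2.0 SingleLogoutService that must consume SAML LogoutRequest/LogoutResponse messages) can be checked and corrected from the AD FS PowerShell module. The script below is an added example, not code from the question or the answer. It assumes a relying party trust named "Portal" for the SP at https://portal.dmz.local:44303/, and the SP paths Saml/Acs, Saml/Logout and Saml/Metadata are placeholders for whatever the SP actually publishes; run it in an elevated session on the AD FS server.

```powershell
# Added example: inspect and correct the endpoint configuration of an AD FS
# relying party trust. Names below (trust "Portal", the Saml/* paths) are assumptions.
Import-Module ADFS

$trustName = 'Portal'
$rpBase    = 'https://portal.dmz.local:44303/'

$rp = Get-AdfsRelyingPartyTrust -Name $trustName

# 1. Which protocol does this trust actually speak? A WS-Federation passive RP has a
#    WSFedEndpoint; a SAML 2.0 SP has SamlEndpoints, each with a Protocol and Binding.
"WS-Fed passive endpoint : $($rp.WSFedEndpoint)"
$rp.SamlEndpoints | Format-Table Protocol, Binding, Index, IsDefault, Location, ResponseLocation -AutoSize

# 2. WS-Federation case: a wsignout1.0 request with wreply is only meaningful for a
#    WS-Fed trust, and AD FS sends its signout cleanup to the passive endpoint.
#    Uncomment only if the RP really speaks WS-Federation.
# Set-AdfsRelyingPartyTrust -TargetName $trustName -WSFedEndpoint $rpBase

# 3. SAML 2.0 case (what the question turned out to be): the "Logout" entry in the
#    SAML endpoints box must be the SP's SingleLogoutService, an endpoint that consumes
#    a SAML <LogoutRequest>/<LogoutResponse>, not a plain page to redirect to.
$acs = New-AdfsSamlEndpoint -Protocol SAMLAssertionConsumer -Binding POST `
        -Uri ($rpBase + 'Saml/Acs') -Index 0 -IsDefault $true
$slo = New-AdfsSamlEndpoint -Protocol SAMLLogout -Binding Redirect `
        -Uri ($rpBase + 'Saml/Logout') -ResponseUri ($rpBase + 'Saml/Logout')

Set-AdfsRelyingPartyTrust -TargetName $trustName -SamlEndpoint @($acs, $slo)

# 4. Preferred over manual entry (as the answer advises): point the trust at the SP's
#    metadata so AD FS imports the SingleLogoutService binding and location itself.
# Set-AdfsRelyingPartyTrust -TargetName $trustName -MetadataUrl ($rpBase + 'Saml/Metadata')
# Update-AdfsRelyingPartyTrust -TargetName $trustName

# 5. Verify what AD FS now holds for the trust.
(Get-AdfsRelyingPartyTrust -Name $trustName).SamlEndpoints |
    Format-Table Protocol, Binding, Location, ResponseLocation -AutoSize
```

With a SAML 2.0 trust, the SP initiates logout by sending a signed samlp:LogoutRequest to https://adfs.dmz.local/adfs/ls/ rather than by building a wsignout1.0 URL; AD FS then answers to the ResponseLocation configured above. If the SP cannot sign its logout requests, expect the SAML SLO flow to fail at AD FS regardless of how the endpoint is configured.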