
I have the following components:

  • RP-1 (connected by Ws-Fed, WIF)
  • RP-2 (connected by SAML, Federation Provider, actually it is another ADFS)
  • MY-ADFS (ADFS Server 2019 as primary STS)
  • MY-IP (separate Identity Provider web service, Identity Server 4)

Thus, when I make a sign-out request from RP-1 (Ws-Fed), a simple Ws-Fed Logout request is formed to ADFS:

GET https://MY-ADFS/adfs/ls/

Next ADFS makes redirect to IP:

GET https://MY-IP/WsFederation

  • wa: wsignout1.0
  • wreply: https://MY-ADFS/adfs/ls/?redirectContextId=2dd581d2-6e02-4476-915b-a581e3c855d4

Thus the user clears the session from ADFS and from IP, as expected.

However, if before the logout a transition to the SAML RP was made and the SAML session became active, then upon signing out ADFS gives an error:

MSIS7055: Not all SAML session participants logged out properly. It is recommended to close your browser.

To fix it, I configured the logout endpoint (URL) in the SAML relying party trust as:

https://RP-2/adfs/ls/?wa=wsignout1.0

With POST binding. After these changes, the error disappeared. But now ADFS no longer makes a Logout redirect to IP; instead it does a SAML Logout redirect to RP-2:

POST https://RP-2/adfs/ls/?wa=wsignout1.0

  • SAMLRequest: PHNhbWxwOkxvZ291dFJl

And as a result, instead of switching to IP, I remain on the RP-2 (also ADFS) page where it is written that the sign-out was successful. However, the user still has an active session (cookies) on the IP side.

Several questions here:

  • It is not clear why ADFS changes the chain of calls with the SAML active session.
  • It is not clear how to exclude SAML Logout redirects, or force ADFS to make Logout to IP also.
nzim
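The two logout messages described above, the WS-Fed wsignout1.0 redirect and the SAML LogoutRequest POSTed to RP-2, can be told apart from a browser capture with the following added example (not part of the original post). Host names reuse the question's placeholders (MY-ADFS, MY-IP, RP-2); the sample LogoutRequest and all IDs in it are constructed.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample LogoutRequest: hosts reuse the question's placeholders, IDs are invented.
SAMPLE_LOGOUT_REQUEST = (
    f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="_constructed-request-id" Version="2.0" IssueInstant="2021-08-10T12:00:00Z" '
    'Destination="https://RP-2/adfs/ls/?wa=wsignout1.0">'
    "<saml:Issuer>http://MY-ADFS/adfs/services/trust</saml:Issuer>"
    "<saml:NameID>user@example.test</saml:NameID>"
    "<samlp:SessionIndex>_constructed-session-index</samlp:SessionIndex>"
    "</samlp:LogoutRequest>"
)
# What the browser POSTs to RP-2 (form body) for the request above.
SAMPLE_SAML_FORM = {"SAMLRequest": base64.b64encode(SAMPLE_LOGOUT_REQUEST.encode()).decode()}
SAMPLE_SAML_URL = "https://RP-2/adfs/ls/?wa=wsignout1.0"
# The WS-Fed signout redirect from the question, built with proper URL encoding.
SAMPLE_WSFED_URL = "https://MY-IP/WsFederation?" + urllib.parse.urlencode(
    {"wa": "wsignout1.0", "wreply": "https://MY-ADFS/adfs/ls/"}
)

def decode_saml_request(value, binding):
    """POST binding is plain base64; Redirect binding is raw DEFLATE, then base64."""
    raw = base64.b64decode(value)
    return zlib.decompress(raw, -15) if binding == "redirect" else raw

def classify_logout(url, form=None):
    """Describe a captured logout request as a WS-Fed signout or a SAML LogoutRequest.
    SAMLRequest is checked first: as in the question, ADFS can POST a SAML
    LogoutRequest to a URL that itself carries wa=wsignout1.0."""
    params = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query))
    binding = "post" if form and "SAMLRequest" in form else "redirect"
    params.update(form or {})
    if "SAMLRequest" in params:
        root = ET.fromstring(decode_saml_request(params["SAMLRequest"], binding))
        if root.tag != f"{{{SAMLP}}}LogoutRequest":
            return {"protocol": "saml", "message": root.tag.rsplit("}", 1)[-1]}
        return {"protocol": "saml", "message": "LogoutRequest", "binding": binding,
                "issuer": root.findtext(f"{{{SAML}}}Issuer"),
                "destination": root.get("Destination"),
                "name_id": root.findtext(f"{{{SAML}}}NameID"),
                "session_index": root.findtext(f"{{{SAMLP}}}SessionIndex")}
    if params.get("wa") == "wsignout1.0":
        return {"protocol": "ws-fed", "wreply": params.get("wreply")}
    return {"protocol": "unknown"}
```

Run `classify_logout` on the URL (and form body, for a POST) taken from the browser's network trace at each hop to see which protocol ADFS actually emitted and which session (Issuer, SessionIndex) it is terminating.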

1 Answer


You will have to add the logout URL on the IP (Identity Provider) side as well, to ensure that the SAML token generated by signing out from the SaaS application through ADFS is forwarded to the Identity Provider and updated for logout at the IP authorization provider's end. That way, the cookie in the browser will be updated and sign-out will be processed smoothly.

Please find below the probable steps to update the logout URL at the Identity Provider end:

  1. Open the authentication provider workspace.
  2. Find the logout URL.
  3. Update the URL to ‘https://RP-2/adfs/ls/?wa=wsignout1.0’, the same as that configured in the ADFS Server.
  4. Save your changes.

And as for your first query, why ADFS changes the chain of calls with an active SAML session: it is because the cookies and cache must be removed from the system for a successful logout request, so the logout time recorded when signing out is updated at the SaaS app end; thus it is recommended to close the browser to let it update in the system as well.

Thus, I recommend you open both RP trust apps in different browser windows, as both are configured for different token providers.

Please refer to the thread below for more information:

How do you handle the logout process for applications federated with ADFS?

Thanking you,

Kartik Bhiwapurkar
  • Thanks for the answer! But I still don't understand: even if I add a logout endpoint (is this SAML or ws-fed?) to the IP (Identity Server 4), who should send a logout request to the Identity Provider when the SAML session is active? I have only one IP service so far and all RPs are served by it (through ADFS). And without a SAML session, my ADFS formed a ws-fed logout request to the Claim Provider registered in it. With an active SAML session, or due to the fact that one of the RPs is another ADFS, it now does not do this. Again, what if I only want to keep ws-fed between ADFS and Identity Server? – nzim Aug 11 '21 at 09:56
  • This is a SAML logout URL I am talking about. And the logout request to the Identity Provider should be sent by the SAML Authentication Service Provider, i.e., ADFS, which is brokering the authentication for your configured relying party with Active Directory. If you want only Ws-Fed between ADFS and the identity provider, then you need to configure the URL in ADFS for supporting the WS-Federation Passive protocol, as well as configure the relying party WS-Federation Passive protocol URL as ‘https://abc.xyzportal.com/signin-federation’ and configure the identity provider to support WS-Fed authentication. – Kartik Bhiwapurkar Aug 18 '21 at 15:06
  • I already have WS-Federation Passive between IP and ADFS. And all this worked well with RPs that also use Ws-Fed. But when SAML RPs appeared in the system and the SAML session started to be active in the browser, ADFS stopped sending WS-Fed sign-out requests to IP when I formed the WS-Fed sign-out request to ADFS (from any RP). My IP does not support SAML. Who should form a Ws-Fed sign-out request to IP when the SAML session is active? – nzim Sep 23 '21 at 14:31