[IdP] IDP & IDP mobile issue with ADFS 4 - Logout

Forge Component
Published on 9 May by Telmo Martins

I'm having problems with the logout in a Webapp and a Mobileapp as well.

The IdP server Single Logout URL setting is https://(MyADFSdomain)/adfs/ls/?wa=wsignout1.0

Let me explain a bit the Web scenario:
When I click on the Logout button, the webapp navigates to https://(xxxx.outsystemsenterprise.com)/IdP/Logout.aspx?OriginalURL=/myWebApp/ and then it goes to the ADFS Sign out page, but if I click 'back' in the browser or if I paste a webapp URL in the address bar, it seems that it goes back to ADFS (https://(MyADFSdomain)/adfs/ls/?SAMLRequest=xxx) and creates a new session with no credentials added, and I'm in the app.

The logout in the application uses the “IDP Logout” as explained in the instructions for the “IDP” implementation (image attached).

For some reason, it seems the logout isn't performed on the app and/or the IdP, and it is able to initiate a new session.

Any help would be greatly appreciated.

Best regards,


Emiliano

Hi Emiliano, 

You need to confirm the SAML messages logs, namely to verify the logout request message (to ADFS) and the logout response. Check the XML content of that logout response, namely the status code, whether it's success or some error.

Probably what's happening is that for some reason/error the logout is not performed in the IdP server, and when the component redirects to a non-anonymous page and redirects to the IdP server to login, it's already logged in and doesn't ask for credentials (which is not the expected behavior).

Regards. 

Hi Telmo,

Thanks for your quick response.
I fully agree with all your comments. The worst part is the random behaviour (sometimes the logout worked, sometimes not) and I could not find a pattern. Could you help me to find that reason?

Let me explain the possibilities:

Logout OK: 
I found 3 SAML messages in the browser trace, as you can see below (headers, cookies and messages attached).

These messages are also in the IDP console:
Honestly, I don't know why there are 3 and not only 2 (request and response), but it works.


Logout NOK:

There is only 1 SAML message instead of what I found in the previous case (SAMLRequest also attached).

This message is also logged in the IDP console:

As you can see, I found after the Logout.aspx a "DoSLOLogout.js?xxx" call that is not appearing in the bad one. Also the number of SAML messages, and a 302 (redirect) in one of the ADFS calls.

This is pretty much all the information that I have, and I am sure the ADFS logout is working in some other apps, albeit with different configuration in those relying parties. Any help would be greatly appreciated.

Thanks in advance.

Best regards,

Emi

It seems that I can only attach one file per post, so I'm adding LogoutOK3, which contains the saml2p:LogoutResponse. The key question is why this is not happening every time that I click on logout.

Thanks again!

Hi Emiliano, 

Ok, that's a situation that I already found in the past. You have configured the wrong Logout URL, i.e., that logout URL is not for SAML (probably it's for the WS-Fed protocol), and it seems to ignore the attached SAML message, but will try to log out the client, in this case with SAML, and that's why you see 3 log entries. If your ADFS supports logout initiated by the SP with SAML, then you just need to set the right logout URL for SAML; otherwise you should not logout from your applications through the IdP component. I would say to just redirect the browser to that URL directly from your apps.


Regards. 

Hi Telmo,

Thanks again for your response.
As far as I know there is only one Logout URL in ADFS regardless of the version (https://[MyADFS]/adfs/ls/?wa=wsignout1.0) but, as you said, I'm not sure if this is for WS-Federation, SAML 2.0 or both.

The other URLs related to 'Logout' are the SAML Logout Endpoints created in the Relying Party when I imported the metadata. Those look like the following:

<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://myenv.outsystemsenterprise.com/IdP/SLO.aspx" />
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://myenv.outsystemsenterprise.com/IdP/SLO.aspx" />

Notice that both URLs are the same, but one is POST and the other Redirect.

Since it worked in some cases, I'd believe the ADFS supports logout initiated from the SP with SAML (not really sure). What I'm wondering is how the "./idp/Logout.aspx" should work when the logout is initiated. Should it call "./iDP/SLO.aspx" to create the LogoutRequest first and then the ADFS for the LogoutResponse? In your opinion, is any other endpoint involved? When you said "you should not logout from your applications through the IdP component", what do you mean? Changing the module? Is it a real workaround to log out the session? Thanks!

Very sorry to bother you with all these questions. This has become a very important pending issue.

Best regards,

Emi

Hi Emiliano,


If you have the IdP server metadata file, you can confirm the ADFS endpoint for single logout there.

The URLs that you posted are the same; you can find two entries there because the IdP component supports those two SAML bindings (HTTP GET and HTTP POST).

If you can find in the SAML messages log a message of type "LogoutResponse" sent by the IdP server, it means that at that time at least the ADFS was responding to SAML logout requests initiated by the SP.

The Logout.aspx is called when the logout is initiated by the SP, and it's an "internal" URL unknown to the IdP server. The SLO.aspx is the endpoint to which the IdP server sends a SAML Logout message (it can be a LogoutRequest or a LogoutResponse). So in your use case, we didn't expect to see LogoutRequests from the IdP server in the log, but they are there, which is explained by my last post regarding that not being the correct SAML logout URL in ADFS.


If your ADFS version does not support SAML single logout initiated by the SP, then in your end user app, when a user clicks logout you just need to redirect the browser to a URL in ADFS to perform the logout.

Also, a common workaround for such situations (which we can see with some other vendors that do not support SAML logout) is to log out from your end user app, then redirect the user to an anonymous page (this has the downside that if the user tries to log in again they will already be logged in as long as the session is still active on the IdP server).


Regards
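The three checks Telmo recommends across this thread (read the StatusCode out of the LogoutResponse, recognise a WS-Federation `wa=wsignout1.0` sign-out URL as something other than a SAML SLO endpoint, and read the real SingleLogoutService endpoints out of the IdP metadata file) can be scripted against a browser trace or the IdP component's SAML message log. The example below is added here as an illustration; it is not code from the thread or from the IdP Forge component. It assumes placeholder hosts (`my-adfs.example`, `my-sp.example`) and constructs its own metadata fragment and LogoutRequest/LogoutResponse messages, which it encodes the way the SAML 2.0 HTTP-Redirect binding does (raw DEFLATE, then base64, then URL-encoded into the `SAMLRequest`/`SAMLResponse` query parameter) so that the decoder can be exercised offline.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs, urlencode

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed IdP metadata fragment with a placeholder ADFS host; not a real ADFS file.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://my-adfs.example/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://my-adfs.example/adfs/ls/"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://my-adfs.example/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SAML logout messages (IDs, timestamps and hosts are made up).
SAMPLE_LOGOUT_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0"
    IssueInstant="2019-05-09T10:00:00Z" Destination="https://my-adfs.example/adfs/ls/">
  <saml:Issuer>https://my-sp.example/IdP/</saml:Issuer>
  <saml:NameID>user@example.test</saml:NameID>
</samlp:LogoutRequest>"""


def _logout_response(status_code):
    # Builds a constructed LogoutResponse carrying the given top-level StatusCode.
    return f"""<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2019-05-09T10:00:01Z" InResponseTo="_req1"
    Destination="https://my-sp.example/IdP/SLO.aspx">
  <saml:Issuer>http://my-adfs.example/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{status_code}"/></samlp:Status>
</samlp:LogoutResponse>"""


SAMPLE_LOGOUT_RESPONSE_OK = _logout_response(STATUS_SUCCESS)
SAMPLE_LOGOUT_RESPONSE_FAIL = _logout_response("urn:oasis:names:tc:SAML:2.0:status:Requester")


def is_wsfed_signout_url(url):
    """True when the URL is a WS-Federation sign-out (wa=wsignout1.0), not a SAML SLO endpoint."""
    return parse_qs(urlparse(url).query).get("wa") == ["wsignout1.0"]


def single_logout_endpoints(metadata_xml):
    """Map each SingleLogoutService Binding in the IdP metadata to its Location."""
    root = ET.fromstring(metadata_xml)
    return {el.get("Binding"): el.get("Location")
            for el in root.iterfind(".//md:IDPSSODescriptor/md:SingleLogoutService", NS)}


def build_redirect_url(endpoint, param, xml_text):
    """Encode a SAML message as the HTTP-Redirect binding does: raw DEFLATE, base64, URL query."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib header
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return endpoint + "?" + urlencode({param: base64.b64encode(data).decode("ascii")})


def decode_redirect_url(url):
    """Reverse the HTTP-Redirect binding and return the SAML message XML."""
    qs = parse_qs(urlparse(url).query)
    for param in ("SAMLRequest", "SAMLResponse"):
        if param in qs:
            return zlib.decompress(base64.b64decode(qs[param][0]), -15).decode("utf-8")
    raise ValueError("URL carries no SAMLRequest/SAMLResponse parameter")


def classify_logout_message(xml_text):
    """Return (message type, top-level StatusCode or None if the message has no Status)."""
    root = ET.fromstring(xml_text)
    msg_type = root.tag.split("}")[-1]          # strip the namespace URI
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    return msg_type, (status.get("Value") if status is not None else None)


def analyze_redirect_url(url):
    """Decode one traced redirect URL and classify the SAML logout message it carries."""
    return classify_logout_message(decode_redirect_url(url))


if __name__ == "__main__":
    print("WS-Fed sign-out URL?", is_wsfed_signout_url("https://my-adfs.example/adfs/ls/?wa=wsignout1.0"))
    print("SLO endpoints from metadata:", single_logout_endpoints(SAMPLE_IDP_METADATA))
    for param, msg in (("SAMLRequest", SAMPLE_LOGOUT_REQUEST),
                       ("SAMLResponse", SAMPLE_LOGOUT_RESPONSE_OK),
                       ("SAMLResponse", SAMPLE_LOGOUT_RESPONSE_FAIL)):
        url = build_redirect_url("https://my-adfs.example/adfs/ls/", param, msg)
        kind, status = analyze_redirect_url(url)
        print(kind, "status:", status, "(success)" if status == STATUS_SUCCESS else "")
```

Run against a real trace, the thing to look for is exactly what the thread describes: a LogoutResponse whose StatusCode is the Success URN confirms ADFS honoured the SP-initiated logout, any other value (or no LogoutResponse at all) explains why a fresh SAMLRequest to ADFS comes back with a session and no credential prompt, and a configured Single Logout URL that `is_wsfed_signout_url` flags is the WS-Federation endpoint rather than the SAML one listed in the metadata.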