[IdP] SSO ADFS Single LogOut Issues
Question
Forge component by Rui Barbosa
Published on 07 Oct 2020

Hi,


I have a problem with SLO. Here are the issues:

- On the first login attempt in incognito mode, it calls DoSLOLogout and SamlSLO to log out. However, on subsequent login and logout attempts, it does not call SamlSLO. It either redirects to the ADFS logout screen (with the OutSystems session still active) -- [HTTP POST] or gets stuck with a 404 error on the DoSLOLogout screen -- [HTTP Redirect].

- For single logout, it never redirects to my login screen/ADFS login screen again.


** We are using Windows Server 2016 and ADFS v2.0 (not Azure ADFS).

Thanks.


Regards,

Ferry

Rank: #18491

Issue resolved

Rank: #905

Hi Ferry,

I have encountered the same issue. Could you share how to solve it?


Rank: #18491

Hi Jessica,


We made the changes to the ADFS Configuration:

  • The IdP by default supports SHA-1 instead of SHA-256. We changed it to SHA-1 in ADFS.
  • Use the default from ADFS instead of using the one with ?wa=wsignout1.0.
    • The ?wa=wsignout1.0 URL does not auto-clear cookies on logout, so the session still exists after logout.
  • Transform the claims rules for NameID to have format=unspecified instead of empty.


Thanks.

Regards,

Ferry

Rank: #905

Dear Ferry,

Thanks for your response.

1. SHA-1 has been updated.

2. The default from ADFS logout.

3. May I know where to do "transform the claims rules for NameID to have the format=unspecified instead of empty"? Please advise.

Rgds,

Jessica
Rank: #18491

Hi Jessica,


  1. Change the NameID to map to the E-Mail Address field from LDAP under your first default rule.
  2. Add a new rule and select the option "Transform an Incoming Claim". Set the Incoming Claim Type to E-Mail Address and the Outgoing Claim Type to Name ID, with the format option Unspecified.


Best Regards,

Ferry



Rank: #905

Hi Ferry,

May I have a screenshot of how to do it? Sorry, I cannot catch your meaning.


Rank: #18491

Hi Jessica,


  • Change the NameID to map to the E-Mail Address field from LDAP under your first default rule.

  • Add a new rule and select the option "Transform an Incoming Claim". Set the Incoming Claim Type to E-Mail Address and the Outgoing Claim Type to Name ID, with the format option Unspecified.



Best Regards,

Ferry

Rank: #905

Thanks Ferry.

As the ADFS is owned by my client, may I update the IdP configuration for nameidentifier to be email address and then send them the updated metadata XML to import into their ADFS?
Rank: #905

In my logout SAML request, NameID seems to be defined as unspecified.

Rank: #905

Let me ask my client to configure it and check the ADFS event log for any hints.

If there is any update, I will let you know.

Rank: #905

Hi Ferry,

Could you give me a hand? I have no idea whether the ADFS setting is correct. Please advise.



Rank: #905

Hi Ferry,

I found why we get the 404 error page in SSO: IIS limits the GET query string to 1024.

Do you know how to change ADFS to send the SAMLResponse with the POST method? Or how to enlarge the IIS setting in OutSystems?

Rank: #905

Hi Joao,

Thanks for your information. May I know which option I should select?


Rank: #4699

Ferry Sanjaya wrote:

Hi,


I have a problem with SLO. Here are the issues:

- On the first login attempt in incognito mode, it calls DoSLOLogout and SamlSLO to log out. However, on subsequent login and logout attempts, it does not call SamlSLO. It either redirects to the ADFS logout screen (with the OutSystems session still active) -- [HTTP POST] or gets stuck with a 404 error on the DoSLOLogout screen -- [HTTP Redirect].

- For single logout, it never redirects to my login screen/ADFS login screen again.


** We are using Windows Server 2016 and ADFS v2.0 (not Azure ADFS).

Thanks.


Regards,

Ferry

Hi Ferry!


I'm also doing a similar integration :)


As you mentioned, the ?wa=wsignout1.0 URL does not auto-clear cookies on logout, so the session still exists after logout. Using the one without the parameters logs the user out perfectly, but we experienced an error MSIS7055 on the logout page from ADFS. Can I check with you whether you experienced any of that during your integration?