[IdP] SSO ADFS Single LogOut Issues

Forge Component
Published on 5 Jun by Leonardo Fernandes

Hi,


I have a problem with SLO. Here are the issues:

- On the first login attempt in incognito mode, it calls DoSLOLogout and SamlSLO to log out. However, on subsequent attempts to log in and log out again, it does not call SamlSLO. It either redirects to the ADFS logout screen (with the OutSystems session still active) -- [HTTP POST] or gets stuck with a 404 error on the DoSLOLogout screen -- [HTTP Redirect].

- For single logout, it never redirects to my login screen/ADFS login screen again.


** We are using Windows Server 2016 and ADFS v2.0 (not Azure ADFS).

Thanks.


Regards,

Ferry

Issue resolved

Hi Ferry,

I have encountered the same issue. Could you share how you solved it?


Hi Jessica,


We made the changes to the ADFS Configuration:

  • The IdP by default supports SHA-1 instead of SHA-256. We changed it to SHA-1 in ADFS.
  • Use the default from ADFS instead of the one with ?wa=wsignout1.0
    • The ?wa=wsignout1.0 URL does not auto-clear cookies on logout, so the session still exists after logout.
  • Transform the claim rules for NameID to have format=unspecified instead of empty.


Thanks.

Regards,

Ferry

Dear Ferry, 

Thanks for your response.

1. SHA-1 has been updated.

2. The default from ADFS logout 

3. May I know where to do "transform the claims rules for NameID to have the format=unspecified instead of empty"? Please advise

Rgds,

Jessica




Hi Jessica,


  1. Change the NameID to map to the E-mailAddress field from LDAP under your first default rule.
  2. Add a new rule and select the option "Transform an incoming Claim". Set the Incoming Claim Type to E-MailAddress and the Outgoing Claim Type to NameID, with the format option Unspecified.


Best Regards,

Ferry



Hi Ferry,

May I have a screenshot of how to do it? Sorry, I cannot catch your meaning.


Hi Jessica,


  • Change the NameID to map to the E-mailAddress field from LDAP under your first default rule.

  • Add a new rule and select the option "Transform an incoming Claim". Set the Incoming Claim Type to E-MailAddress and the Outgoing Claim Type to NameID, with the format option Unspecified.



Best Regards,

Ferry

Thanks, Ferry.

As the ADFS is owned by my client, may I update the IdP configuration for nameidentifier to be email address and then send them the updated metadata XML to import into their ADFS?




In my logout SAML request,

NameID seems to be defined as unspecified.

Jessica Lee wrote:

Thanks, Ferry.

As the ADFS is owned by my client, may I update the IdP configuration for nameidentifier to be email address and then send them the updated metadata XML to import into their ADFS?





Hi Jessica,


I am not sure whether it works; you can try and monitor the Message Log and, if possible, the ADFS log from the ADFS server. For ours, it was due to a misconfiguration in ADFS rather than an IdP-side issue.


Best Regards,

Ferry

Jessica Lee wrote:

In my logout SAML request,

NameID seems to be defined as unspecified.

Our previous issue was also due to the NameID format not matching (error found in the ADFS server's event log) upon sending the request; that is why we have the transform claim. As of now, did you test? Is it working?


Best Regards,

Ferry


Let me ask my client to configure it and check the ADFS event log for any hints.

If there is any update, I will let you know.

Hi Ferry,

Could you give me a hand? I have no idea whether the ADFS settings are correct. Please advise.



Jessica Lee wrote:

Hi Ferry,

Could you give me a hand? I have no idea whether the ADFS settings are correct. Please advise.



Hi Jessica,


You might want to look into this URL for further information on setting the Relying Party claim rules:

https://docs.servicenow.com/bundle/orlando-platform-administration/page/integrate/saml/task/t_ConfigureADFSClaimRules.html


It is not under the "Accepted Claim" properties of the relying party. When you right-click on the relying party, instead of choosing Properties, choose "Edit Claim Rules". You need to configure your claim rules under Edit Claim Rules.


Thanks.

Regards,

Ferry


Hi Ferry,

I found why we get the 404 error page in SSO: IIS limits the GET query string to 1024.

Do you know how to change ADFS to send the SAMLResponse via the POST method? Or how to enlarge the IIS setting in OutSystems?






Jessica Lee wrote:

Hi Ferry,

I found why we get the 404 error page in SSO: IIS limits the GET query string to 1024.

Do you know how to change ADFS to send the SAMLResponse via the POST method? Or how to enlarge the IIS setting in OutSystems?

Hi Jessica, I've encountered that error recently as well. In order to increase the max query string in OutSystems, you can use the Factory Configuration component to create a shared configuration and apply it to the IdP module.

You can find below the shared configuration template:

<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0" 
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
    <xsl:output method="xml" indent="yes" encoding="UTF-8"/>
    <xsl:template match="@*|node()">
        <xsl:copy>
            <xsl:apply-templates select="@*|node()"/>
        </xsl:copy>
    </xsl:template>
    <xsl:template match="/configuration/system.webServer/security/requestFiltering">
        <xsl:copy>
            <xsl:apply-templates select="@*|node()"/>
            <requestLimits maxUrl="3000" maxQueryString="3000"/>
        </xsl:copy>
    </xsl:template>
</xsl:stylesheet>

In the example, I'm using 3000 chars for the maxUrl and 3000 for the maxQueryString. Feel free to adjust as per your requirements.

Regards,
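Added example, not part of this thread and not code from the IdP component or its author: a small Python script that ties together the two things diagnosed above, the NameID format that the ADFS event log complained about (Ferry's transform claim rule) and the 404 caused by the HTTP-Redirect query string exceeding IIS's maxQueryString (Jessica's finding and Joao's requestLimits XSLT). It encodes a LogoutRequest the way the Redirect binding does (raw DEFLATE, base64, URL-encode), measures the resulting query string against the limit read from a web.config, applies the same requestLimits change as the XSLT using ElementTree instead of XSLT, and decodes the request back to confirm the NameID Format. The LogoutRequest, hosts, IDs, user, signature bytes and web.config are all constructed samples; 2048 is IIS's documented default for maxQueryString and is only a fallback here.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample LogoutRequest; hosts, IDs and user are hypothetical, not from the thread.
SAMPLE_LOGOUT_REQUEST = f"""<samlp:LogoutRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"
  ID="_example-request-1" Version="2.0" IssueInstant="2020-06-05T00:00:00Z"
  Destination="https://adfs.example.invalid/adfs/ls/">
  <saml:Issuer>https://sp.example.invalid/IdP/</saml:Issuer>
  <saml:NameID Format="{NAMEID_UNSPECIFIED}">jessica@example.invalid</saml:NameID>
  <samlp:SessionIndex>_example-session-1</samlp:SessionIndex>
</samlp:LogoutRequest>"""

# Constructed minimal web.config: a requestFiltering section without an explicit requestLimits.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <verbs allowUnlisted="true"/>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>"""

REQUEST_FILTERING = "./system.webServer/security/requestFiltering"


def redirect_binding_query(xml_text, relay_state=None, signature=None):
    """Encode a SAML message as the HTTP-Redirect binding does: raw DEFLATE, base64,
    then URL-encode into the query string. A signed ADFS request also carries SigAlg
    and Signature; pass constructed signature bytes to account for their size."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 -> raw DEFLATE, no zlib header
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    if signature:
        params["SigAlg"] = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
        params["Signature"] = base64.b64encode(signature).decode("ascii")
    return urllib.parse.urlencode(params)


def decode_redirect_binding(query):
    """Reverse of redirect_binding_query: extract SAMLRequest and inflate it to an Element."""
    params = urllib.parse.parse_qs(query)
    raw = base64.b64decode(params["SAMLRequest"][0])
    return ET.fromstring(zlib.decompress(raw, -15))


def nameid_format(logout_request):
    """NameID Format attribute of a LogoutRequest, or '' when absent (the 'empty' case above)."""
    nameid = logout_request.find(f"{{{SAML_NS}}}NameID")
    return nameid.get("Format", "") if nameid is not None else ""


def load_web_config(text):
    """Parse a web.config document into its root <configuration> element."""
    return ET.fromstring(text.encode("utf-8"))


def max_query_string(config_root, default=2048):
    """requestLimits/@maxQueryString from web.config; `default` applies when it is absent
    (2048 is IIS's documented default; pass the value your server actually enforces)."""
    limits = config_root.find(REQUEST_FILTERING + "/requestLimits")
    if limits is None or limits.get("maxQueryString") is None:
        return default
    return int(limits.get("maxQueryString"))


def apply_request_limits(config_root, max_url=3000, max_query=3000):
    """Same edit as the XSLT above: ensure a requestLimits element under requestFiltering."""
    filtering = config_root.find(REQUEST_FILTERING)
    if filtering is None:
        raise ValueError("web.config has no system.webServer/security/requestFiltering section")
    limits = filtering.find("requestLimits")
    if limits is None:
        limits = ET.SubElement(filtering, "requestLimits")
    limits.set("maxUrl", str(max_url))
    limits.set("maxQueryString", str(max_query))
    return config_root


def query_fits(query, limit):
    """True when the query string is within the server's maxQueryString."""
    return len(query) <= limit


if __name__ == "__main__":
    # 256 constructed placeholder bytes stand in for an RSA-2048 signature.
    query = redirect_binding_query(SAMPLE_LOGOUT_REQUEST,
                                   relay_state="https://sp.example.invalid/App/",
                                   signature=b"\x00" * 256)
    config = load_web_config(SAMPLE_WEB_CONFIG)
    print(f"query string is {len(query)} chars; fits 1024? {query_fits(query, 1024)}")
    apply_request_limits(config)
    limit = max_query_string(config)
    print(f"after the requestLimits change: maxQueryString={limit}; fits? {query_fits(query, limit)}")
    request = decode_redirect_binding(query)
    print(f"NameID format in the decoded request: {nameid_format(request)!r}; "
          f"matches unspecified? {nameid_format(request) == NAMEID_UNSPECIFIED}")
```

Run it as-is to see the size of a realistic signed LogoutRequest on the Redirect binding; point `load_web_config` at the real web.config and `decode_redirect_binding` at a query string copied from the IdP Message Log to check an actual request. If the NameID Format comes back empty or different from what the relying party trust issues, that is the mismatch Ferry describes; if the length is over the limit, that is the 404.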

Hi Joao, 

Thanks for your information. May I know what option I should select?


Jessica Lee wrote:

Hi Joao, 

Thanks for your information. May I know what option I should select?


Hi Jessica, you should use the default web.config_XLS.

The first dropdown is only used to select one of the pre-made samples that can pre-fill the configuration if you press the Fill button.

Regards,



Ferry Sanjaya wrote:

Hi,


I have a problem with SLO. Here are the issues:

- On the first login attempt in incognito mode, it calls DoSLOLogout and SamlSLO to log out. However, on subsequent attempts to log in and log out again, it does not call SamlSLO. It either redirects to the ADFS logout screen (with the OutSystems session still active) -- [HTTP POST] or gets stuck with a 404 error on the DoSLOLogout screen -- [HTTP Redirect].

- For single logout, it never redirects to my login screen/ADFS login screen again.


** We are using Windows Server 2016 and ADFS v2.0 (not Azure ADFS).

Thanks.


Regards,

Ferry

 Hi Ferry!


I'm also doing a similar integration :)


As you mentioned, the ?wa=wsignout1.0 URL does not auto-clear cookies on logout, so the session still exists after logout. Using the one without the parameters logs the user out perfectly, but we experienced an error MSIS7055 on the logout page from ADFS. Can I check with you whether you experienced any of that during your integration?


 

Xue Li wrote:

Ferry Sanjaya wrote:

Hi,


I have a problem with SLO. Here are the issues:

- On the first login attempt in incognito mode, it calls DoSLOLogout and SamlSLO to log out. However, on subsequent attempts to log in and log out again, it does not call SamlSLO. It either redirects to the ADFS logout screen (with the OutSystems session still active) -- [HTTP POST] or gets stuck with a 404 error on the DoSLOLogout screen -- [HTTP Redirect].

- For single logout, it never redirects to my login screen/ADFS login screen again.


** We are using Windows Server 2016 and ADFS v2.0 (not Azure ADFS).

Thanks.


Regards,

Ferry

 Hi Ferry!


I'm also doing a similar integration :)


As you mentioned, the ?wa=wsignout1.0 URL does not auto-clear cookies on logout, so the session still exists after logout. Using the one without the parameters logs the user out perfectly, but we experienced an error MSIS7055 on the logout page from ADFS. Can I check with you whether you experienced any of that during your integration?


 

Hi Xueli,


Is your setup connecting to Azure ADFS or Windows Server 2016?

Will you be able to extract more information from the ADFS server log for the actual error, and also the IdP's Transaction Log error for the logout?


Regards,

Ferry