[IdP] SSO ADFS Single LogOut Issues
Question
Forge component by Rui Barbosa

Hi,


I have a problem with SLO. Here are the issues:

- On the first login attempt in incognito mode, it calls DoSLOLogout and SamlSLO to log out. However, on subsequent login and logout attempts, it does not call SamlSLO. It either redirects to the ADFS logout screen (with the OutSystems session still active) -- [HTTP POST] or gets stuck with a 404 error on the DoSLOLogout screen -- [HTTP Redirect].

- For Single Logout, it never redirects to my login screen/ADFS login screen again.


** We are using Windows Server 2016 and ADFS v2.0 (not Azure ADFS).

Thanks.


Regards,

Ferry

Issue resolved

Hi Ferry,

I have encountered the same issue. Could you share how you solved it?


Hi Jessica,


We made these changes to the ADFS configuration:

  • The IdP by default supports SHA1 instead of SHA256. We changed it to SHA1 in ADFS.
  • Use the default logout URL from ADFS instead of the one with ?wa=wsignout1.0.
    • The ?wa=wsignout1.0 URL does not auto-clear cookies on logout, so the session still exists after logout.
  • Transform the claim rules for NameID to have format=unspecified instead of empty.


Thanks.

Regards,

Ferry

Dear Ferry,

Thank you for your response.

1. SHA-1 has been updated.

2. The default logout from ADFS.

3. May I know where to do "transform the claim rules for NameID to have format=unspecified instead of empty"? Please advise.

Rgds,

Jessica




Hi Jessica,


  1. Change the NameID to map to the E-mailAddress field from LDAP under your first default rule.
  2. Add a new rule and select the option "Transform an Incoming Claim". Set the Incoming claim type to E-Mail Address and the Outgoing claim type to Name ID with the format option Unspecified.


Best Regards,

Ferry



Hi Ferry,

May I have a screenshot of how to do it? Sorry, I cannot catch your meaning.


Hi Jessica,


  • Change the NameID to map to the E-mailAddress field from LDAP under your first default rule.

  • Add a new rule and select the option "Transform an Incoming Claim". Set the Incoming claim type to E-Mail Address and the Outgoing claim type to Name ID with the format option Unspecified.



Best Regards,

Ferry

Thank Ferry. 

As the ADFS is owned by my client, may I update the IdP configuration for nameidentifier to be the email address and then send them the updated metadata XML to import into their ADFS?





Hi Jessica,


I am not sure whether it works; you can try it and monitor the Message Log and, if possible, the ADFS log from the ADFS server. For us, it was due to a misconfiguration in ADFS rather than an IdP-side issue.


Best Regards,

Ferry

In my logout SAML request, NameID seems to be defined as unspecified.

Our previous issue was also due to the NameID format not matching (error found in the ADFS server's event log) upon sending the request; that is why we have the transform claim. Have you tested it yet? Is it working?


Best Regards,

Ferry


Let me ask my client to configure it and check the ADFS event log for any hints.

I will let you know of any update.

Hi Ferry,

Could you give me a hand? I have no idea whether the ADFS settings are correct. Please advise.




Hi Jessica,


You might want to look into this URL for further information on setting the Relying Party claim rules:

https://docs.servicenow.com/bundle/orlando-platform-administration/page/integrate/saml/task/t_ConfigureADFSClaimRules.html


It is not under the "Accepted Claims" properties of the relying party. When you right-click the relying party, instead of choosing Properties, choose Edit Claim Rules. You need to configure your claim rules under Edit Claim Rules.


Thanks.

Regards,

Ferry


Hi Ferry,

I found out why we get the 404 error page in SSO: IIS limits the GET query string to 1024.

Do you know how to change ADFS to send the SAMLResponse with the POST method? Or how to enlarge the IIS setting in OutSystems?






Hi Jessica, I've encountered that error recently as well. In order to increase the max query string in OutSystems, you can use the Factory Configuration component to create a shared configuration and apply it to the IdP module.

You can find below the shared configuration template:

<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
    <xsl:output method="xml" indent="yes" encoding="UTF-8"/>
    <!-- Identity template: copy every element and attribute of web.config unchanged -->
    <xsl:template match="@*|node()">
        <xsl:copy>
            <xsl:apply-templates select="@*|node()"/>
        </xsl:copy>
    </xsl:template>
    <!-- Under requestFiltering, keep existing children and append the raised request limits -->
    <xsl:template match="/configuration/system.webServer/security/requestFiltering">
        <xsl:copy>
            <xsl:apply-templates select="@*|node()"/>
            <requestLimits maxUrl="3000" maxQueryString="3000"/>
        </xsl:copy>
    </xsl:template>
</xsl:stylesheet>

In the example, I'm using 3000 characters for maxUrl and 3000 for maxQueryString. Feel free to adjust as per your requirements.

Regards,
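As an added example (not code from the thread or from the IdP component), the following Python reproduces what the SAML HTTP-Redirect binding does to a message before it reaches the query string (raw DEFLATE, base64, URL-encoding, plus the detached SigAlg and Signature parameters), so the resulting length can be checked against a maxQueryString value. The LogoutRequest, its hosts and IDs, and the zero-filled signature are constructed placeholders.

```python
import base64
import urllib.parse
import zlib

# Constructed sample LogoutRequest (placeholder IDs, hosts and NameID; not from the thread).
SAMPLE_LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_placeholder-request-id" '
    'Version="2.0" IssueInstant="2020-01-01T00:00:00Z" '
    'Destination="https://adfs.example.test/adfs/ls/">'
    '<saml:Issuer>https://sp.example.test/IdP</saml:Issuer>'
    '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">'
    'user@example.test</saml:NameID>'
    '<samlp:SessionIndex>_placeholder-session-index</samlp:SessionIndex>'
    '</samlp:LogoutRequest>'
)

RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"


def redirect_binding_query(xml: str, relay_state: str = "", sig_len: int = 256) -> str:
    """Encode a SAML message the way the HTTP-Redirect binding puts it on the URL:
    raw DEFLATE -> base64 -> URL-encode, then append SigAlg and a detached Signature.
    The signature is a zero-filled placeholder of sig_len bytes (256 = 2048-bit RSA)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw DEFLATE, no zlib header
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    params["SigAlg"] = RSA_SHA256
    params["Signature"] = base64.b64encode(b"\x00" * sig_len).decode("ascii")
    return urllib.parse.urlencode(params)


def decode_redirect_binding(query: str) -> str:
    """Reverse the encoding above, as the receiving side (the IdP module behind IIS) must."""
    params = urllib.parse.parse_qs(query)
    raw = base64.b64decode(params["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def exceeds_query_limit(query: str, max_query_string: int) -> bool:
    """True when IIS request filtering rejects the URL (the 404, substatus 404.15,
    query string too long) before the application ever sees the SAML message."""
    return len(query) > max_query_string
```

Because the signature and the base64 payload grow with key size and message size, a signed LogoutRequest or LogoutResponse over HTTP-Redirect can pass a low maxQueryString quietly in testing and fail in production; raising the limit as above or moving to the HTTP-POST binding removes that dependency.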

Hi Joao, 

Thank you for your information. May I know what option I should select?



Hi Jessica, you should use the default web.config_XLS.

The first dropdown is only used to select one of the pre-made samples that can pre-fill the configuration if you press the Fill button.

Regards,



Hi Ferry!


I'm also doing a similar integration :)


Like you have mentioned, the ?wa=wsignout1.0 URL does not auto-clear cookies on logout, so the session still exists after logout. Using the one without the parameters logs the user out perfectly, but we experienced an error MSIS7055 on the logout page from ADFS. Can I check with you whether you experienced any of that during your integration?


 

Hi Xueli,


Is your setup connecting to Azure ADFS or Windows Server 2016?

Will you be able to extract more information from the ADFS server log for the actual error, and also the IdP's Transaction Log error for the logout?


Regards,

Ferry


Hi Xue,

Could you share how you solved the "we experienced an error MSIS7055 on the logout page from the ADFS" issue?

Thanks in advance

Jessica

Hello Ferry Sanjaya and Jessica Lee,

I am having a similar issue on logout.

Tried both of the things:

* Changed to SHA-1

* Transform claim rules to have format=unspecified.



Still getting the below error on ADFS on logout:


The SAML Single Logout request does not correspond to the logged-in session participant. 

Requestor: http://xxx-tst.outsystemsenterprise.com/IdP 

Request name identifier: Format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified, NameQualifier:  SPNameQualifier: , SPProvidedId:  

Logged-in session participants: 

Count: 1, [Issuer: http://xxx-tst.outsystemsenterprise.com/IdP, NameID: (Format: , NameQualifier:  SPNameQualifier: , SPProvidedId: )]  


This request failed. 


User Action 

Verify that the claim provider trust or the relying party trust configuration is up to date. If the name identifier in the request is different from the name identifier in the session only by NameQualifier or SPNameQualifier, check and correct the name identifier policy issuance rule using the AD FS Management snap-in.



I know my claim transformation has issues; not sure what the right one is.


There was a NameID claim mismatch with the format and ADFS logout requests were failing. In case anyone else is having a similar issue: in my instance, EmployeeID was our NameID.


1. I needed to set the encryption to SHA-1


2. Create a rule to send LDAP attributes as claims with all necessary attributes except for NameID, as it requires transformation.


3. Since we were using EmployeeID as the Name ID, and since employeeID was not available in the "Transform an incoming claim" rule, I had to create a custom rule.


4. Two custom rules were created:

Extract (look up employeeID in Active Directory for the authenticated Windows account and add it as a temporary NAMEID claim):

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]

 => add(store = "Active Directory", types = ("NAMEID"), query = ";employeeID;{0}", param = c.Value);


Transform (issue the temporary claim as the SAML NameID with the unspecified format):

c:[Type == "NAMEID"]

 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");


5. Set the IdP logout URL to the default one without ?wa=wsignout1.0.


The logout started working after performing the above steps.
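As an added example (not code from the thread or from the IdP component), the comparison behind the "does not correspond to the logged-in session participant" event above can be reproduced offline: parse the LogoutRequest, then compare Issuer, NameID value, Format and the two qualifiers with the recorded session participant. The XML, host names and session records are constructed placeholders; an empty session Format against an unspecified request Format yields exactly the mismatch the event shows, and a difference only in a qualifier yields the event's "check the name identifier policy issuance rule" hint.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed LogoutRequest (placeholder host, ID and employee number; not from the thread).
SAMPLE_LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_placeholder-id" '
    'Version="2.0" IssueInstant="2020-01-01T00:00:00Z">'
    '<saml:Issuer>http://sp.example.test/IdP</saml:Issuer>'
    f'<saml:NameID Format="{UNSPECIFIED}">EMP0001</saml:NameID>'
    '</samlp:LogoutRequest>'
)


def parse_logout_request(xml: str) -> dict:
    """Pull out the fields AD FS compares with its logged-in session participants."""
    root = ET.fromstring(xml)
    nameid = root.find("saml:NameID", NS)
    if nameid is None:
        raise ValueError("LogoutRequest carries no NameID")
    return {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "value": (nameid.text or "").strip(),
        "format": nameid.get("Format", ""),  # absent attribute shows as 'Format: ' in the event
        "name_qualifier": nameid.get("NameQualifier", ""),
        "sp_name_qualifier": nameid.get("SPNameQualifier", ""),
    }


def match_session_participant(request: dict, session: dict) -> list:
    """Return why the request does not correspond to the session (empty list = match).
    The last branch mirrors the event's hint: a difference only in NameQualifier or
    SPNameQualifier points at the name identifier policy issuance rule."""
    reasons = []
    for field in ("issuer", "value", "format"):
        if request[field] != session[field]:
            reasons.append(f"{field} mismatch: request={request[field]!r} session={session[field]!r}")
    if (request["name_qualifier"], request["sp_name_qualifier"]) != (
        session["name_qualifier"], session["sp_name_qualifier"]
    ):
        reasons.append("qualifier mismatch" + ("" if reasons else " only: check the name identifier policy issuance rule"))
    return reasons
```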

