Configuring SAML sign-out in Active Directory Federation Services (AD FS)

Consider this scenario: you have a SAML2P Software-as-a-Service (SaaS) application, for example Salesforce.com Chatter, configured for Single Sign On (SSO) with Active Directory Federation Services.  This means that your SaaS app is a relying party (RP), or service provider (SP), configured with your AD FS farm as its identity provider (IdP).  Inside your AD FS farm the SaaS app is configured as a Relying Party Trust.

SSO is working as expected.  However, users report that they get an error such as this one when they choose to sign out from within the SaaS app.

[Screenshot: adfsSamlLogoutGenericErrorImage]

That’s a pretty generic error.  In the AD FS Admin event log on the federation server (farm node) that handled the request you’ll find an Event ID 364 with the following exception detail:

Microsoft.IdentityServer.Web.RequestFailedException: MSIS7055: Not all SAML session participants logged out properly. It is recommended to close your browser.

And if you peek at your address bar you should see the MSIS7055 error at the end of the URL too.

Inside your SaaS SSO configuration you will define a sign-out URL, e.g.

On the AD FS side you need to add a SAML logout endpoint (endpoint type SAML Logout, POST binding) to the RP trust for your SaaS app, pointing at your federation service’s own sign-out URL, e.g.

[Screenshot: adfsSamlLogoutSamlEndpointDialog]

That’s it.  When done you’ll get a proper logout like this:

[Screenshot: adfsSamlLogoutGenericSuccessImage]

I like to script configuration changes, so here’s something reasonably generic that works out the correct logout URL for your AD FS federation service and creates the required endpoint, given an RP trust name or partial name:


$rPTrustName = 'Salesforce*Prod' # define this value, everything else remains the same

# The farm's passive endpoint (normally /adfs/ls/) with the WS-Federation sign-out query string appended
$sAMLEndpointUrl = "{0}?wa=wsignout1.0" -f (Get-AdfsEndpoint -AddressPath (Get-AdfsProperties).FederationPassiveAddress).FullUrl
$sAMLLogoutEndpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLLogout -Uri $sAMLEndpointUrl

# Require exactly one match: a loose wildcard would otherwise silently reconfigure several trusts
$rPTrust = @(Get-AdfsRelyingPartyTrust | ? { $_.Name -like "*$rPTrustName*" })
if ($rPTrust.Count -ne 1) { throw "Expected one RP trust matching '*$rPTrustName*', found $($rPTrust.Count)" }
$rPTrust = $rPTrust[0]

# Set-AdfsRelyingPartyTrust -SamlEndpoint replaces the whole endpoint list, so append to what is already there.
# @() turns no endpoint, one endpoint or many endpoints into an array, so all three cases are handled alike.
$sAMLEndpoint = @($rPTrust.SamlEndpoints | ? { $_ -ne $null }) + $sAMLLogoutEndpoint

$rPTrust | Set-AdfsRelyingPartyTrust -SamlEndpoint $sAMLEndpoint
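As a follow-up check, here is an added example (written for this page, not code from the original post or from the AD FS tooling itself) that audits the farm for SAML relying party trusts with no SAMLLogout endpoint, pulls the recent Event ID 364 entries mentioning MSIS7055 so you can tie the two together, and then verifies the endpoint on one named trust after the change. It assumes the Admin log is named 'AD FS/Admin' (AD FS on Windows Server 2012 R2 and later; AD FS 2.0 used 'AD FS 2.0/Admin'), a 24-hour look-back window, and the same placeholder trust name pattern as the script above; adjust all three for your farm.

```powershell
# Added example, not code from the original post: audit SAML RP trusts for a missing SAMLLogout endpoint,
# list recent MSIS7055 failures, and verify the logout endpoint of one named trust.
# Run in an elevated PowerShell session on an AD FS server (the ADFS module loads on first use).
#
# Assumptions (adjust for your farm):
#   - the Admin log is named 'AD FS/Admin' (Windows Server 2012 R2 and later); AD FS 2.0 used 'AD FS 2.0/Admin'
#   - a 24-hour look-back window for the event log
#   - the trust name pattern is a placeholder, as in the configuration script above

$logName     = 'AD FS/Admin'
$lookBack    = (Get-Date).AddHours(-24)
$rPTrustName = 'Salesforce*Prod'

# The URL the configuration script points the logout endpoint at: the passive endpoint plus wa=wsignout1.0
$expectedLogoutUrl = "{0}?wa=wsignout1.0" -f (Get-AdfsEndpoint -AddressPath (Get-AdfsProperties).FederationPassiveAddress).FullUrl

function Get-SamlLogoutEndpoint {
    # Returns the SAMLLogout endpoint(s) of a relying party trust, or nothing if it has none
    param([Parameter(Mandatory)] $Trust)
    @($Trust.SamlEndpoints) | Where-Object { $_ -and $_.Protocol -eq 'SAMLLogout' }
}

# 1. SAML trusts (at least one SAML endpoint) that have no SAMLLogout endpoint: candidates for this fix
$trustsMissingLogout = Get-AdfsRelyingPartyTrust |
    Where-Object { @($_.SamlEndpoints | Where-Object { $_ }).Count -gt 0 } |
    Where-Object { -not (Get-SamlLogoutEndpoint -Trust $_) } |
    Select-Object Name, @{ n = 'Identifier'; e = { $_.Identifier -join ', ' } }

Write-Host "SAML relying party trusts with no SAMLLogout endpoint:"
$trustsMissingLogout | Format-Table -AutoSize

# 2. Recent Event ID 364 entries carrying the MSIS7055 text.
#    Get-WinEvent raises a non-terminating error when nothing matches; SilentlyContinue turns that into an empty result.
$recentFailures = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 364; StartTime = $lookBack } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'MSIS7055' } |
    Select-Object TimeCreated, @{ n = 'FirstLine'; e = { ($_.Message -split "`r?`n")[0] } }

Write-Host "Event 364 entries mentioning MSIS7055 since $lookBack : $(@($recentFailures).Count)"
$recentFailures | Format-Table -AutoSize

# 3. Verify one trust after the change: its logout endpoint should be a POST binding to the farm's own sign-out URL
Get-AdfsRelyingPartyTrust | Where-Object { $_.Name -like "*$rPTrustName*" } | ForEach-Object {
    $logout   = @(Get-SamlLogoutEndpoint -Trust $_)
    $binding  = '<none>'
    $location = '<none>'
    if ($logout.Count -gt 0) {
        $binding  = ($logout | ForEach-Object { "$($_.Binding)" })  -join ', '
        $location = ($logout | ForEach-Object { "$($_.Location)" }) -join ', '
    }
    [pscustomobject]@{
        Trust          = $_.Name
        LogoutBinding  = $binding
        LogoutLocation = $location
        MatchesFarmUrl = [bool]($logout | Where-Object { "$($_.Location)" -eq $expectedLogoutUrl })
    }
} | Format-List
```

Section 1 is the useful part to run before you touch anything: any trust it lists will fail sign-out the way described above until it gets a logout endpoint. Section 3 is what to run after the configuration script; `MatchesFarmUrl` should read `True` for the trust you just changed.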

Hope this helps someone.  Classic Layer-8 on-boarding/configuration issue.


About Paul Williams

IT consultant working for Microsoft specialising in Identity Management and Directory Services.
This entry was posted in AD FS, Troubleshooting.

4 Responses to Configuring SAML sign-out in Active Directory Federation Services (AD FS)

  1. Sreedhar says:

    Hi Paul,
    Thank you for the post (and all your other “easy-to-read” posts).
    Curiosity – how to force the browser to just stay put on the Signout page, and not get redirected back to the default IdP Signon page?
    For the O365 RP, when the user does the signoff, it goes through the SignOut page (like you mentioned), but then comes back to the default signon page.
    I am sure I am missing something basic in my config.
    -Sreedhar

    • Can you talk me through what you’re seeing in more detail? What app are you using and what do you click and using what client and browser and corpnet or off-corpnet?

      • Sreedhar says:

        Hi Paul,
        In my case, I am using the MS O365 website, using Chrome or Firefox (on Mac and Windows) – I am off-corpnet (but the same behavior comes up for corpnet as well). When I logout of the O365 mailbox view, it signs out my session – with a message “it is good idea to close the browser”, then it redirects me to my ADFS logout page, and then redirects me to the ADFS login page.

      • Have you configured sign-out for urn:federation:MicrosoftOnline? You don’t need to configure anything for Office 365/AAD.

        I just tested. Using Chrome, off the corpnet, I clicked sign-out, I see the “it’s a good idea to close your browser” message from MS Online, then I bounce to my IdP, and bounce back to MS Online “it’s a good idea to close your browser page”. If I look at my cookies or try and access a page I have to sign-in again. So the process has worked. In my case I have not changed any settings relating to logon or logoff for the urn:federation:MicrosoftOnline trust.

        The inspiration for this particular post came from configuring it for Salesforce.com, however it is applicable to any SAML2.0 relying party trust.
