I'm dealing with a web application hooked up to ADFS as a relying party, for single sign on integration with a partner claims provider. It's all via SAML (not WS-Federation). The web app is .NET and using the WIF SAML extension. All this works for SSO.

What doesn't work is single logOUT to the claims provider. My app via the WIF extension properly redirects to https://adfs.example.com/adfs/ls with the SAML logout request, and ADFS in turn redirects back to me at /saml/redirect/sloresponse. That's all good, but what never happens is any redirect upstream to the claims provider (SAML identity provider) to log out from there. The claims provider does publish a SingleLogoutService in its SAML metadata, and it works when the claims provider talks SAML directly to my web app (without ADFS in the middle).

Questions:

  1. Is upstream SAML single logout supported at all in ADFS? Searching online has found me a few cryptic notes that it isn't, but I can't find a definitive source.

  2. If not in ADFS 2.0, is it in ADFS 2.1? We could upgrade to Windows 2012 if necessary.

  3. If not SAML, can ADFS do this using WS-Federation? Would both legs need to be WS-Fed, both the claims provider trust and the relying party trust?

  4. If not possible at all, is there any recommended workaround? Maybe redirect straight to the claims provider and have that push a SAML logout request to ADFS?

Thanks!

Erik Mooney

1 Answer

A bit late but hope it helps someone. The NameID has a role to play here. Did you see this quote in the "Using AD FS 2.0 as the SAML 2.0 Identity Provider for the Service Provider Sample" readme step 3?

"Note:

• A NameIdentifier claim is not included in the outgoing claim from AD FS by default. This can be added as a Claim transformation rule. This is necessary for logout to perform correctly."

Was the partner IDP sending a NameID and was your ADFS configured to send a NameID to the RP App? I have configured your very same setup where my IDP and RP STS are both ADFS and this works fine.

Please note the WIF SAML extensions CTP is not supported at this stage. I am assuming this is not a production setup?

Windows Server 2012 AD FS 2.1 is not required for this to work. Although it has some nice extra features coming in the 8.1 server release that might influence your upgrade decisions :)

maweeras
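To make the answer's point concrete: a SAML LogoutRequest identifies the session to terminate by the subject's NameID (plus SessionIndex), so if the assertion ADFS issues carries no NameID, ADFS has nothing to put in an upstream LogoutRequest and the partner's SingleLogoutService is never contacted. The following PowerShell is an added example, not code from the answer or from Microsoft's sample readme. It assumes the ADFS module on Windows Server 2012 (on AD FS 2.0 the equivalent is `Add-PSSnapin Microsoft.Adfs.PowerShell`); the trust names 'Partner IdP' and 'My Web App' are placeholders for your own claims provider and relying party trusts.

```powershell
# Added example (not from the answer above). Assumes the ADFS module on
# Windows Server 2012; on AD FS 2.0 use Add-PSSnapin Microsoft.Adfs.PowerShell.
# 'Partner IdP' and 'My Web App' are placeholder trust display names.
Import-Module ADFS

$nameIdType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
$emailType  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$formatProp = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format'

# 1. Claims provider trust: keep the NameID the partner IdP sends. Acceptance
#    rules on the CP trust decide which incoming claims survive into the pipeline.
$acceptNameId = @"
@RuleName = "Pass through NameID from partner IdP"
c:[Type == "$nameIdType"]
 => issue(claim = c);
"@

Set-AdfsClaimsProviderTrust -TargetName 'Partner IdP' -AcceptanceTransformRules $acceptNameId

# 2. Relying party trust: emit a NameID to the web app. Pass the partner's NameID
#    through when present; otherwise derive a persistent-format NameID from the
#    e-mail claim so the assertion always carries a subject identifier.
$issueNameId = @"
@RuleName = "Pass through NameID to RP"
c:[Type == "$nameIdType"]
 => issue(claim = c);

@RuleName = "Derive persistent NameID from email"
NOT EXISTS([Type == "$nameIdType"])
 && c:[Type == "$emailType"]
 => issue(Type = "$nameIdType", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = c.Value, ValueType = c.ValueType,
          Properties["$formatProp"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");
"@

Set-AdfsRelyingPartyTrust -TargetName 'My Web App' -IssuanceTransformRules $issueNameId

# 3. Verify that the RP trust now issues a nameidentifier claim.
$rp = Get-AdfsRelyingPartyTrust -Name 'My Web App'
if ($rp.IssuanceTransformRules -match 'claims/nameidentifier') {
    Write-Output "NameID issuance rule present on '$($rp.Name)'"
} else {
    Write-Warning "No NameID rule found; a SAML LogoutRequest would have no NameID to carry"
}
```

Note that `-IssuanceTransformRules` and `-AcceptanceTransformRules` replace the trust's entire rule set, so merge these rules into whatever rules you already have (for example by reading the current value first) rather than running the script as-is against a configured trust. After applying, check the SAML response the web app receives for a `<NameID>` element with the expected format; that is the value ADFS will place in the upstream LogoutRequest.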