This issue was moved to a discussion.

Log out with ADFS do not set session expire #192

Closed · hoainam1989 opened this issue Mar 7, 2017 · 6 comments

Comments

@hoainam1989 commented Mar 7, 2017

Hello,
Could anyone help me? Currently I am integrating my app with ADFS on Windows Server 2016.
When a user calls an API to log out on the API server, the server redirects to ADFS like below.
I also pointed the param logoutUrl in the passport-saml settings to https://adfsserver.com/adfs/ls/

```javascript
// look up the registered SAML strategy and build the LogoutRequest redirect URL
var samlStrategy = passport._strategy('saml');
samlStrategy.logout(req, function(err, requestUrl) {
  // redirect to the IdP with the encrypted SAML logout request
  res.redirect(requestUrl);
});
```

I set up the Logout Endpoint on ADFS to point to https://myapi.com/callback/logout so that ADFS redirects to my API when the user logs out successfully on ADFS.

The problem is:
ADFS returns to my callback API with status

```xml
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"/></samlp:Status>
```

then I redirect the user to the login page. But when the user logs in again, they are not redirected to the ADFS login page, because ADFS did not expire the session cookies when the user logged out. So ADFS still knows that user.

I debugged in the ADFS log and saw an error like below:

1. Exception details:

```
System.ArgumentNullException: Value cannot be null.
Parameter name: collection
   at System.Collections.Generic.List`1..ctor(IEnumerable`1 collection)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.ProcessSignOut(SamlContext samlContext, String redirectUri, List`1 iFrameUris, Boolean partialLogout)
```

2. ADFS does not expire the cookies either.

So currently users can log in to the app via ADFS, but they cannot log out from ADFS.
@hoainam1989 hoainam1989 changed the title Log out with ADFS do not clear session Log out with ADFS do not set session expire Mar 7, 2017
@pdspicer (Contributor)

From the SAML Core spec: "If a SAML responder deems a request to be invalid according to SAML syntax or processing rules, then if it responds, it MUST return a SAML response message with a <StatusCode> element with the value urn:oasis:names:tc:SAML:2.0:status:Requester (...)". So it sounds like ADFS does not like your Logout Request.
There are several reasons why this might be the case; would you mind providing a sample LogoutRequest XML generated by your application to provide some more context?

@vijaykotha

Could anyone help me out? I am able to log out of the application and also the IDP, but on logout it is not redirecting to the entry point of the application. Do we need to configure any metadata in the IDP?

This is my SAML strategy object:

```javascript
passport.use(new SamlStrategy(
  {
    path: config.sso.path,
    entryPoint: config.sso.entryPoint,
    logoutUrl: config.sso.logoutUrl,               // (https://idp.com/applogout)
    logoutCallbackUrl: config.sso.logoutCallback,  // (/auth/saml/logout/callback)
    issuer: config.sso.issuer,
    cert: config.sso.cert
  },
  function (profile, done) {
    // keep the NameID and its format: both are needed later to build the LogoutRequest
    var user = {};
    user.email = profile.Email;
    user.saml = {};
    user.saml.nameID = profile.nameID;
    user.saml.nameIDFormat = profile.nameIDFormat;
    return done(null, user);
  })
);
```

These are my routes specific to the logout functionality:

```javascript
// samlStrategy is the SamlStrategy instance registered above
router.get('/logout', function(req, res) {
  // passport-saml reads nameID and nameIDFormat from req.user when building the LogoutRequest
  req.user.nameID = req.user.saml.nameID;
  req.user.nameIDFormat = req.user.saml.nameIDFormat;

  samlStrategy.logout(req, function(err, uri) {
    return res.redirect(uri);
  });
});

// the IdP sends its LogoutResponse here (logoutCallbackUrl)
router.post('/auth/saml/logout/callback', function(req, res) {
  req.logout();
  res.redirect('/');
});
```

I am able to log out of the application and also the IDP, but on logout it should be redirected to the entry point of the application. Do we need to configure any metadata in the IDP?

@djjody commented May 4, 2017

Hi All,
I have been having a problem with the SAML/WS-F logout request and I stumbled upon this post, which answered my question. There is a known issue with SAML Logout not working for RPT.

https://partnersupport.microsoft.com/en-us/par_servplat/forum/par_winserv/adfs-40-on-windows-server-2016-logout-url-error/074c86d0-285b-409d-9ec5-b9a15d1fba90?auth=1

I hope it is what you are looking for.

@hoainam1989 (Author)

Hi All,
I fixed the issue some months ago. I was missing some settings on the ADFS server at that time. The lib is working very well.

@udaykumar21

@hoainam1989 Can you tell what setting was missing on the ADFS server at that time? I'm also facing the same issue.
Thanks in advance

@patilmohan91

@hoainam1989 I am using Windows Server 2012 for ADFS. We have integrated ADFS in an Android application. But we don't know how to log out? What settings do we need to do? Also, I think there is no communication happening between the API as relying party and the ADFS server. The API is just parsing the BEARER and checking the expiry time. I tried this by changing some characters in the bearer and calling the API, and I was surprised that it is still working. How? Please help me get rid of this.

@node-saml node-saml locked and limited conversation to collaborators Jul 5, 2022
@cjbarth cjbarth converted this issue into discussion #727 Jul 5, 2022