I’m using Auth0 as my SP and I’m trying to implement logout from the IDP (ADFS) but it’s not working. I’ve set the logout URL in the SAML connection to the IDP’s signout URL but when I call https://MY_DOMAIN.auth0.com/logout?federated or https://MY_DOMAIN.auth0.com/logout?federated&returnTo=http://RETURN_URL&client_id=CLIENT_ID I’m not logged out of the IDP.
I know it’s not the IDP URL because when I enter it directly I’m logged out so I think Auth0 isn’t using the signout url i’ve set. Any ideas?
I did some tests with a SAML connection pointing to a OneLogin IdP and it worked as expected. Have in mind that the logout endpoint is /v2/logout
and not just /logout
, but that may just be an issue in the question.
You should the network trace in the browser to have a more detailed view of the actual requests being triggered; you should see one to the logout endpoint and then to the IdP logout endpoint; if not, update your question with exact configuration of the SAML connection.
Yea /logout was an error on my part (but looking at the logs it appears that it logs me out too). Anyway. there’s definitely only one request which is the logout request and it redirects me back to my desired page. No other calls or redirects to the idp.
![alt text][1]
Here’s screenshots of my connection
![alt text][2]
![alt text][3]
I did a quick setup of an ADFS server and although I did get an error on logout (due to my hastiness in trying to setup) I did observe a redirect from /v2/logout
to the ADFS signout endpoint. In my case I used https://adfs.example.com/adfs/ls
and did not include the wa
or any query parameter because the request will be a SAML logout and wa
is WS-Federation if I recall correctly. However, that parameter is not issue because you don’t even get a redirect.
Can you capture an HTTP trace (ideally using something other than Chrome which has the nasty habit of omitting response bodies; for example Fiddler) of an authentication transaction followed immediately by a logout request? You can share it only to @auth0.com
emails by password protecting it and sharing the password through the sharelock.io service.
Looks like we needed to tweak the configuration in ADFS. For anyone facing this in the future, I performed the following steps;
- Set the NameID in ADFS (in order to perform federated logout , the NameID is required.
- The signOutEndpoint in the Auth0 SAMP connection should contain https://{youdomain}.adfs.server/adfs/ls/?wa=wsignout1.0