SLO responses IdP3.2.x

Cantor, Scott cantor.2 at osu.edu
Thu Dec 1 17:09:29 EST 2016


> The SP is an ADFS implementation,

I didn't mention this, but I believe ADFS has a very serious bug: I think it fails to do the logout on its end before sending the request off, which means if it doesn't get back a success response from the IdP, the logout on that side doesn't happen. That's logout 101, and the IdP cannot guarantee success of course.

I am not prepared to say that is true for certain, but it has been observed by me in working with a couple of different vendors using ADFS now. It could always be an app issue, but it didn't seem to be. And what made it worse was if the IdP accurately reports PartialSuccess, which is the 99% case with logout, ADFS failed.

But that's not connected to what you're asking about.

> As I said, I can see the IdP responding and I am not
> seeing any logout handling errors. The fact that the user ends up landing on
> the location URL of the SP metadata SLO binding(s) tells me the response is
> not being handled properly at the SP or maybe out at ADFS.

Well, you really shouldn't see that at all; the IdP would be doing that in a hidden iframe. If you see the URL change back to the SP full frame, that means the logout had to have failed at the IdP. I think so anyway. You should be seeing the logout view at the IdP with the list of services and all that.

-- Scott
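
Added example, not part of the original message and not code from ADFS or Shibboleth: a minimal sketch of the SP-side ordering described above, where the local session is ended before the LogoutRequest goes out and the IdP's status only decides what the user is told. The `ServiceProvider` class, its method names and the sample response are hypothetical; the partial result is represented by SAML 2.0's `PartialLogout` second-level status code, and signature and issuer validation are assumed to happen before this code runs.

```python
import xml.etree.ElementTree as ET

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"

# Constructed sample response (unsigned, for illustration only).
SAMPLE_PARTIAL = """<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_resp1" Version="2.0" IssueInstant="2016-12-01T22:09:29Z" InResponseTo="_req1">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:PartialLogout"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:LogoutResponse>"""

def status_codes(xml_text):
    """Return the status codes, top level first, with the URN prefix stripped."""
    node = ET.fromstring(xml_text).find(f"{SAMLP}Status/{SAMLP}StatusCode")
    codes = []
    while node is not None:
        codes.append(node.get("Value", "").rsplit(":", 1)[-1])
        node = node.find(f"{SAMLP}StatusCode")  # nested second-level code
    return codes

class ServiceProvider:
    def __init__(self):
        self.sessions = {}  # local session id -> user
        self.pending = {}   # LogoutRequest ID -> user awaiting a response

    def start_logout(self, session_id, request_id):
        # Kill the local session first: it must not depend on what the IdP
        # later reports, or on a response arriving at all.
        self.pending[request_id] = self.sessions.pop(session_id)

    def finish_logout(self, xml_text):
        # The response only selects the message shown to the user.
        in_response_to = ET.fromstring(xml_text).get("InResponseTo")
        user = self.pending.pop(in_response_to, None)
        if user is None:
            return None, "unsolicited"  # no matching request: ignore it
        codes = status_codes(xml_text)
        if codes == ["Success"]:
            return user, "complete"
        if "PartialLogout" in codes:
            return user, "partial"      # other services may still hold sessions
        return user, "failed"
```
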


