
Single Sign on Logout issue

Hi,

We have implemented Salesforce Single Sign-On with Active Directory using SAML 2.0.

1. SSO login is successful.
2. When the user logs out of Salesforce, the Salesforce session ends; however, the ADFS session is still active.
   When the user clicks the Single Sign-On button again, a Salesforce session starts without asking for a username and password, because the ADFS session is still active.

Please help to configure "Identity Provider Logout URL" in SSO settings.
Hi Sudhakar,
   Have you configured "My Domain" for this org? The Logout URL will only show up in the SAML 2.0 configuration when using My Domain.

http://www.salesforce.com/us/developer/docs/sso/Content/sso_saml_idp_values.htm

Identity Provider Logout URL
This field appears in Developer Edition production and sandbox organizations by default and in production organizations only if My Domain is enabled. This field does not appear in trial organizations or sandboxes linked to trial organizations.

Rob Smith
Hi Rob,

Thanks for your response.

Yes. We have configured My Domain in our organization. I can see the Identity Provider Logout URL in the SSO settings.

There were no issues with logging in to Salesforce with the network username and password.
The issue is with sign-out. Salesforce logout does not log out of the IdP.

This is a major security issue we are facing.
You should verify that you are using the correct URL from your ADFS instance for the "Identity Provider Logout URL".
If you are using ADFS, you may want to verify that this setting is correctly pointing to your ADFS Sign-Out URL.

See: AD FS: How to Invoke a WS-Federation Sign-Out

The ADFS Sign-out URL: https://{DNS_name_of_RP_STS}/adfs/ls/?wa=wsignout1.0
We have already used this URL but still failed to sign out of the IdP.
We have contacted Microsoft on this issue and here is the response from them.

The Relying Party, Salesforce.com, uses SAMLP instead of WS-Fed. That is, the SAML token issued by the ADFS server for access to salesforce.com is in SAMLP format. In that situation, the logout should be in the SAMLP style as well. However, the command https://signin.mediacorp.com.sg/adfs/ls/wa=wsignout1.0 is for WS-Fed only.

To log out in SAMLP style, the RP should instruct the client to POST a samlp:LogoutRequest in SAMLRequest to /adfs/ls/ endpoint of the ADFS server.
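The Microsoft response above says a SAMLP logout means the RP must POST a samlp:LogoutRequest in a SAMLRequest field to the ADFS /adfs/ls/ endpoint, rather than hitting the WS-Fed wsignout1.0 URL. As an added illustration (not code from this thread, Salesforce or ADFS), the following builds such a request, packages it for the HTTP-POST binding, and decodes it again the way the IdP would; the endpoint, SP entity ID, NameID and SessionIndex values are placeholders.

```python
import base64
import secrets
from datetime import datetime, timezone
from xml.etree import ElementTree as ET

# Placeholder values: substitute your own ADFS instance and the entity ID from your SSO settings.
IDP_SLO_URL = "https://idp.example.com/adfs/ls/"   # assumed ADFS SAML endpoint, per the Microsoft reply
SP_ENTITY_ID = "https://saml.salesforce.com"        # assumed SP entity ID

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def build_logout_request(name_id, session_index, issue_instant=None, request_id=None):
    """Build the samlp:LogoutRequest the SP sends so the IdP ends its own session.
    Signing is omitted here; a production SP signs this with its certificate."""
    ET.register_namespace("samlp", SAMLP_NS)
    ET.register_namespace("saml", SAML_NS)
    request_id = request_id or "_" + secrets.token_hex(16)  # SAML IDs must not start with a digit
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    root = ET.Element(f"{{{SAMLP_NS}}}LogoutRequest", {
        "ID": request_id, "Version": "2.0",
        "IssueInstant": issue_instant, "Destination": IDP_SLO_URL,
    })
    ET.SubElement(root, f"{{{SAML_NS}}}Issuer").text = SP_ENTITY_ID
    ET.SubElement(root, f"{{{SAML_NS}}}NameID",
                  {"Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"}).text = name_id
    # SessionIndex ties the request to the session the IdP created at login.
    ET.SubElement(root, f"{{{SAMLP_NS}}}SessionIndex").text = session_index
    return ET.tostring(root, encoding="utf-8")


def post_binding_form(xml):
    """HTTP-POST binding: raw XML, base64-encoded (no DEFLATE), in a SAMLRequest form field."""
    return {"SAMLRequest": base64.b64encode(xml).decode("ascii")}


def parse_logout_request(form):
    """Decode a posted SAMLRequest and extract the fields the IdP needs to locate the session."""
    root = ET.fromstring(base64.b64decode(form["SAMLRequest"]))
    if root.tag != f"{{{SAMLP_NS}}}LogoutRequest":
        raise ValueError("SAMLRequest is not a samlp:LogoutRequest")
    return {
        "id": root.get("ID"),
        "destination": root.get("Destination"),
        "issuer": root.findtext(f"{{{SAML_NS}}}Issuer"),
        "name_id": root.findtext(f"{{{SAML_NS}}}NameID"),
        "session_index": root.findtext(f"{{{SAMLP_NS}}}SessionIndex"),
    }
```

The browser submits the returned form to IDP_SLO_URL; without the SessionIndex and NameID in this message the IdP has nothing to match against, which is why a plain WS-Fed sign-out URL leaves the SAMLP session alive.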
Rajiesh George
Sudhakar, I have the same issue. I used https://myidp/adfs/ls/?wa=wssignout1.0, which is a WS-Fed logout endpoint. I also tried https://myidp/adfs/ls/, which I think is a SAMLP endpoint. However, when I browse to https://myidp/adfs/ls/ it returns an error. Reference number: 334fcbc7-9a07-45bf-bd55-819a011377d0

Would you be able to advise me on what Microsoft suggested you do to take this forward?
Dmitry Lipatov
We have the same issue. Did you manage to find a solution?
Kurt Schmidt
We have the same issue. How was this resolved?
Li Chen
Any solution? We are looking for the same feature :)
Chiru Gogulakonda
I am also facing the same issue in my org. I have configured SSO with Azure; I am able to log out from the community, but when logging in to this community again it is not asking for the user's login details.

Could anyone please help me out with this?