ADFS IdP Initiated Logout Response URL


I am attempting to configure Single Logout (SLO) for one of my relying party trusts, but am having trouble getting IdP Initiated Logout (using the "Sign out from all the sites you have accessed" option on https://adfs.domain.com/adfs/ls/idpinitiatedsignon.aspx) to work properly.

Using the SAML Chrome Panel plugin, I can see that the SAML Logout Request is sent to the Service Provider, that the logout is processed and a successful SAML Response is sent back to ADFS.

However, ADFS then displays an error stating "An error occurred. Contact your administrator for more information." Looking at the event log I see the issue is "Microsoft.IdentityServer.Protocols.Saml.SamlSerializationException: MSIS0034: Wrong SAML message type 'Microsoft.IdentityServer.Protocols.Saml.LogoutResponse', expected 'SamlRequest'."

So it seems that "https://adfs.domain.com/adfs/ls" is not the proper URL for the service provider to send the SAML Logout Response. The page is only intended for SAML Requests, not SAML Responses.

Does anyone know the proper ADFS URL that the service provider should be sending the SAML Logout Response to?

I have tried reading through the SAML 2.0 technical specs but don't see anything about IdP Initiated SLO, only SP Initiated SLO.

Additionally, I have scoured Google for this information but have only come up with "https://adfs.domain.com/adfs/ls" (which doesn't work) and "https://adfs.domain.com/adfs/ls/?wa=wsignout1.0" (which is for WS Federation, not SAML, and should not be used in this case).

Thanks in advance!


There are 0 answers
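A small inspection tool for this kind of SLO debugging, added here as an example (it is not the question author's code and not part of ADFS or any SP product). Given the value of a `SAMLRequest` or `SAMLResponse` parameter as captured by a browser plugin, it decodes the HTTP-POST (base64) or HTTP-Redirect (URL-encoded, base64, raw DEFLATE) binding, reports the message type, `Destination`, `Issuer`, `InResponseTo` and `Status`, and states which parameter the SAML 2.0 Bindings specification says the message belongs in (requests in `SAMLRequest`, responses in `SAMLResponse`). An MSIS0034-style "expected request, got LogoutResponse" error is one thing worth checking against that last field. The hostnames, IDs and issuer strings are constructed to mirror the question and are not captured traffic; `inspect_saml` and `check_parameter` are hypothetical helper names.

```python
"""Inspect a captured SAML 2.0 message (from the browser's SAMLRequest or
SAMLResponse parameter) and report its type, where it was sent, and which
parameter the bindings spec says it belongs in. Added example, not ADFS code."""
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def decode_saml(encoded, binding):
    """Return the XML text behind a SAMLRequest/SAMLResponse parameter value.

    binding: "post"     -> base64 only (HTTP-POST binding)
             "redirect" -> URL-encoded, base64, raw DEFLATE (HTTP-Redirect binding)
    """
    if binding == "post":
        return base64.b64decode(encoded).decode("utf-8")
    if binding == "redirect":
        raw = base64.b64decode(urllib.parse.unquote(encoded))
        # wbits=-15: raw DEFLATE stream without a zlib header, as the binding requires
        return zlib.decompress(raw, -15).decode("utf-8")
    raise ValueError("binding must be 'post' or 'redirect'")


def encode_saml(xml_text, binding):
    """Inverse of decode_saml; used here only to build the constructed samples."""
    data = xml_text.encode("utf-8")
    if binding == "post":
        return base64.b64encode(data).decode("ascii")
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(data) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")


def inspect_saml(encoded, binding):
    """Classify a SAML protocol message and pull out the fields worth checking
    when single logout fails: type, Destination, Issuer, InResponseTo, Status."""
    root = ET.fromstring(decode_saml(encoded, binding))
    msg_type = root.tag.rsplit("}", 1)[-1]  # strip the namespace URI
    issuer = root.find("saml:Issuer", NS)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    is_response = msg_type.endswith("Response")
    return {
        "type": msg_type,
        # SAML 2.0 Bindings: requests travel in SAMLRequest, responses in SAMLResponse
        "expected_parameter": "SAMLResponse" if is_response else "SAMLRequest",
        "destination": root.get("Destination"),
        "issuer": issuer.text if issuer is not None else None,
        "in_response_to": root.get("InResponseTo"),
        "status": status.get("Value") if status is not None else None,
    }


def check_parameter(encoded, binding, parameter_used):
    """Report whether the message was carried in the parameter its type calls for."""
    info = inspect_saml(encoded, binding)
    return info["expected_parameter"] == parameter_used, info


# Constructed sample messages (hostnames mirror the question; not captured traffic).
LOGOUT_REQUEST_XML = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:00Z" Destination="https://sp.domain.com/saml/slo">'
    "<saml:Issuer>http://adfs.domain.com/adfs/services/trust</saml:Issuer>"
    "<saml:NameID>user@domain.com</saml:NameID>"
    "</samlp:LogoutRequest>"
)
LOGOUT_RESPONSE_XML = (
    '<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:01Z" InResponseTo="_req1" '
    'Destination="https://adfs.domain.com/adfs/ls">'
    "<saml:Issuer>https://sp.domain.com/saml/metadata</saml:Issuer>"
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
    "</samlp:Status></samlp:LogoutResponse>"
)
SAMPLE_REQUEST_REDIRECT = encode_saml(LOGOUT_REQUEST_XML, "redirect")
SAMPLE_RESPONSE_POST = encode_saml(LOGOUT_RESPONSE_XML, "post")


if __name__ == "__main__":
    for enc, binding, param in [
        (SAMPLE_REQUEST_REDIRECT, "redirect", "SAMLRequest"),
        (SAMPLE_RESPONSE_POST, "post", "SAMLResponse"),
        (SAMPLE_RESPONSE_POST, "post", "SAMLRequest"),  # a response sent as a request
    ]:
        ok, info = check_parameter(enc, binding, param)
        print(f"{info['type']:15} in {param:12} -> {'ok' if ok else 'WRONG parameter'}; "
              f"Destination={info['destination']} Status={info['status']}")
```

To use it on real traffic, paste the raw parameter value shown by the SAML Chrome Panel into `inspect_saml` with the matching binding. The tool does not tell you which ADFS endpoint is correct; it only makes the message type, its `Destination` and the parameter it travelled in explicit, so those can be compared with the relying party trust's configured SAML logout endpoint and binding.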