SAML logout request is not sending cookies to IdP


We are trying to implement SAML logout from a Service Provider/Relying Party to an IdP (in this case, AD FS 3.0). Our logout is not invalidating the session in AD FS. We have narrowed down that the ADFS auth cookies are not being sent in the HTTPS request for some reason, though we have no idea why. This is using HTTPS redirects for the SAML flow.

We have tried to get the request headers the same as the subsequent logon requests which successfully send the cookies, but to no avail.

I have a Fiddler trace that captured multiple logout attempts (and the automatic logins in between). This is in an isolated lab network with dummy data.

Fiddler trace

Any ideas what we could try to get those cookies sent to the AD FS server on the logout request?


1 answer

Answered by Randall T. (best answer)

The answer, as found by a colleague, was that the redirect request was an XHR request since it started in JavaScript and was not a ‘normal’ browser redirect. Cookies are only allowed to be included on cross-domain XHR requests if the destination server allows the requester access. So, the fix involved terminating the chain of redirects on the XHR request and doing a normal browser redirect. This allowed the browser to send cookies along with the redirect request to the new site.