I'm currently integrated with a client that is using SAML2.0 and ADFS2.0. We are the Service Provider, and they are the Identity Provider.
Everything related to single sign-on works as intended, but single logout behaves strangely sometimes. For single logout, we send a SAML Logout request, and expect a SAML Logout response back to process the logout on our application. This is usually the case, and everything processes correctly.
However, I found an issue where we initiate the logout with a SAML Logout request, but then the ADFS server responds with a Logout request back.
Steps to reproduce:
- SSO into ADFS account #1
- On the same browser tab initiate SSO again with ADFS account #2.
- On the same browser tab, initiate SLO for ADFS account #2.
Looking at SAML Tracer, I found that the logout request that the ADFS server sends back is associated with ADFS account #1. How is this possible? The logout request we send to initiate SLO has details only for ADFS account #2, nothing at all related to account #1.
Is this normal ADFS SLO behavior? To me it doesn't make sense why the ADFS server would respond to a logout request with a logout request, and on top of that, for a different user. I have not been able to recreate this issue with other IdPs.
Besides this scenario, SLO works completely fine, and will send a logout response to every logout request we send.
This is probably because of a buggy implementation of SP-initiated SLO. Ideally, the IdP should send a logout request to all other SPs sharing the session, but not to the initiating SP.
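The exchange described in the question, as an added example that is not part of the original question or answer: an SP-side SLO endpoint that correlates an inbound `LogoutResponse` with the `LogoutRequest` it sent (via `InResponseTo`), and treats an inbound `LogoutRequest`, even one arriving while a response is still outstanding, as an IdP-initiated logout for the named principal only. The entity IDs, NameIDs, message IDs and timestamps are constructed placeholders; signature verification is assumed to have happened before this handler runs.

```python
"""Service Provider side handling of SAML 2.0 single logout messages.

Constructed example (not from the question or any SAML library): classifies a
message at the SP's SLO endpoint and shows how the "LogoutRequest for a
different user while we await a LogoutResponse" case should be handled.
XML signatures are assumed to be verified before this step.
"""
import secrets
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SAMLP = "{%s}" % NS["samlp"]
SAML = "{%s}" % NS["saml"]
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


class SpSloHandler:
    """Tracks outstanding SP-initiated LogoutRequests and live local sessions."""

    def __init__(self, sp_entity_id, idp_entity_id):
        self.sp_entity_id = sp_entity_id
        self.idp_entity_id = idp_entity_id
        self.outstanding = {}  # request ID -> NameID we asked the IdP to log out
        self.sessions = {}     # NameID -> local session identifier

    def start_logout(self, name_id):
        """Record the ID of the LogoutRequest we send so the response can be correlated."""
        req_id = "_" + secrets.token_hex(16)
        self.outstanding[req_id] = name_id
        return req_id

    def handle(self, xml_text):
        root = ET.fromstring(xml_text)
        if root.findtext("saml:Issuer", namespaces=NS) != self.idp_entity_id:
            return {"kind": "rejected", "reason": "unexpected issuer"}
        if root.tag == SAMLP + "LogoutResponse":
            return self._handle_response(root)
        if root.tag == SAMLP + "LogoutRequest":
            return self._handle_request(root)
        return {"kind": "rejected", "reason": "not an SLO message"}

    def _handle_response(self, root):
        # Only a response to a request we actually sent may end a session.
        name_id = self.outstanding.pop(root.get("InResponseTo"), None)
        if name_id is None:
            return {"kind": "rejected", "reason": "unknown InResponseTo"}
        code = root.find("samlp:Status/samlp:StatusCode", NS)
        if code is None or code.get("Value") != STATUS_SUCCESS:
            return {"kind": "logout_failed", "name_id": name_id}
        self.sessions.pop(name_id, None)
        return {"kind": "logout_completed", "name_id": name_id}

    def _handle_request(self, root):
        # An inbound LogoutRequest names the principal the IdP wants logged out.
        # Terminate that session only; the logout we started stays pending.
        name_id = root.findtext("saml:NameID", namespaces=NS)
        had_session = self.sessions.pop(name_id, None) is not None
        pending_other = [n for n in self.outstanding.values() if n != name_id]
        return {
            "kind": "idp_initiated_logout",
            "name_id": name_id,
            "terminated_local_session": had_session,
            "still_awaiting_response_for": pending_other,
            "response": self._build_response(root.get("ID")),
        }

    def _build_response(self, in_response_to):
        resp = ET.Element(SAMLP + "LogoutResponse", {
            "ID": "_" + secrets.token_hex(16),
            "Version": "2.0",
            "InResponseTo": in_response_to,
        })
        ET.SubElement(resp, SAML + "Issuer").text = self.sp_entity_id
        status = ET.SubElement(resp, SAMLP + "Status")
        ET.SubElement(status, SAMLP + "StatusCode", {"Value": STATUS_SUCCESS})
        return ET.tostring(resp, encoding="unicode")


def run_scenario():
    """Replay the situation from the question with constructed messages."""
    idp = "http://adfs.example.test/adfs/services/trust"  # placeholder IdP entity ID
    h = SpSloHandler("https://sp.example.test/saml", idp)
    h.sessions["user1@example.test"] = "sess-1"   # account #1, logged in first
    h.sessions["user2@example.test"] = "sess-2"   # account #2, logged in second
    req_id = h.start_logout("user2@example.test")  # SP-initiated SLO for #2

    # What the IdP sent back instead of a LogoutResponse: a request for account #1.
    unexpected = (f'<samlp:LogoutRequest xmlns:samlp="{NS["samlp"]}" '
                  f'xmlns:saml="{NS["saml"]}" ID="_idp-req-1" Version="2.0" '
                  f'IssueInstant="2024-01-01T00:00:00Z"><saml:Issuer>{idp}</saml:Issuer>'
                  f'<saml:NameID>user1@example.test</saml:NameID></samlp:LogoutRequest>')
    first = h.handle(unexpected)

    # The LogoutResponse we were actually waiting for.
    expected = (f'<samlp:LogoutResponse xmlns:samlp="{NS["samlp"]}" '
                f'xmlns:saml="{NS["saml"]}" ID="_idp-resp-2" Version="2.0" '
                f'InResponseTo="{req_id}" IssueInstant="2024-01-01T00:00:01Z">'
                f'<saml:Issuer>{idp}</saml:Issuer><samlp:Status>'
                f'<samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>'
                f'</samlp:LogoutResponse>')
    second = h.handle(expected)
    replay = h.handle(expected)  # same response again must not be honoured twice
    return first, second, replay, dict(h.sessions)


if __name__ == "__main__":
    for item in run_scenario():
        print(item)
```

The point for the SP is that the two message types are independent: the unexpected `LogoutRequest` for account #1 is answered with its own `LogoutResponse` and ends only account #1's local session, while account #2's logout stays pending until the `LogoutResponse` carrying the matching `InResponseTo` arrives. Responses with an unknown `InResponseTo`, or a second copy of one already consumed, are rejected rather than acted on.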