Skip Ribbon Commands
Skip to main content

Ondrej Sevecek's English Pages

:

Engineering and troubleshooting by Directory Master!
MCM: Directory

Quick Launch
Ondrej Sevecek's English Pages > Posts > Behavior or ADFS sign-out redirection specified in wreply parameter
June 16
Behavior or ADFS sign-out redirection specified in wreply parameter
by  Ondřej Ševeček  on 16/06/2016 11:32

It may seem as AD FS does not honor wreply parameter of wsignout1.0 passive WS-Federation requests. The behavior may look weird still even on Windows 2016 or any older version (ADFS 2.0 or ADFS 3.0 or ADFS 4.0). Here I will define it precisely:

ADFS actually does honor the wreply parameter on wsignout1.0 requests. If you configure AD FS correctly, it will work. The wreply URI must naturally be configured as one of the Trusted URLs on the Endpoints tab of the relying party properties. Just like with any login wreply URI.

Yet there is a specialty. In case of the federated sign-out the wreply request parameter is honored only if it matches a Trusted URL which is set as default URI for the relying party trust. If there is no match among the Trusted URLs or if the matched Trusted URL is not set as default, the user stays on the AD FS own sign-out page.

AD FS and its Trusted URL matching logic

The Endpoints tab can specify several WS-Federation passive trusted URLs. ADFS takes the value from wreply parameter and tries to match it exactly first. Note that the matching is always case sensitive, just like with any other XML comparisons! If no exact match is found, ADFS tries to match the wreply URI to any other trusted URL which would possibly be a parant path of the URI specified in wreply.

This applies to any matching, either sign-in or sign-out. In case of sign-out though, the matched trusted URL must also be marked as default in order for the log-out redirection to work.

Examples

If you have this Endpoints configuration the wreply parameter will not work for the federated sign-out:

wreply https://finance.gopas.cz/logout/default.aspx  
Trusted URL https://finance.gopas.cz/authenticated.aspx default
Trusted URL https://finance.gopas.cz/logout/default.aspx  
Trusted URL https://finance.gopas.cz/logout  
Trusted URL https://finance.gopas.cz  

 

In order to let the final sign-out redirection happen, you must configure the trusted URL https://finance.gopas.cz/logout/default.aspx as default for the relying party.

If you configured the parent trusted URL https://finance.gopas.cz or the https://finance.gopas.cz/logout as the default, it would not work, becuase of the matching logic. The more specific trusted URL is always matched first (the regex is hungry) and if it is not set as default, the signout redirection does not happen.

Note again that you also must meet the case-sensitivity of the values.

Permanent Link to Post | Email Post Link | Number of Comments 8 Comment(s)

Comments

Thanks

Damn... thanks for this answer, I've been searching for a while now !
 on 08/12/2016 22:13

Option for SAML

Hello, can this option be used for SAML as well or is it only valid for WS-Federation ?
 on 27/02/2017 12:01

Nice find

Thanks a million! Couldn't find this info anywhere.
 on 10/08/2017 10:34

ADFS Cert and name space question

Hello ,

Just to say first that I amazed from your expertise level!
I have a really tricky question :
If I have an internal domain name lets say name1.name2.name3.net
but the external publicly routable domain name is name3.net
Can the federation service name be different than the domain name ?
i.e. can be : adfs.name3.net ? instead of adfs.name1.name2.name3.net
and can the public certificate contain these values :
adfs.name3.net
certauth.adfs.name3.net
enterpriseregistration.name3.net
 on 22/11/2018 14:39

Re: Behavior or ADFS sign-out redirection specified in wreply parameter

yes, the name in ADFS cert can and definitely should be on a public suffic, because you may want to access the ADFS server from outside (probably through the ADFS Proxy called WAP), but still from outside. So you need a publicly fourtable name for the ADFS machine. You must only make sure that the name is accessible both from inside and outside and you are ok. For this purpose, I use internal AD integrated DNS with separate DNS zones with just a single A record - in your case, it would be two zones:
adfs.name3.net
entepriseregistration.name3.net

with the three records in the form of A record.

 on 22/11/2018 15:06

Re : ADFS Cert and name space question

Thank you for your quick reply.
Yes  two WAP servers in the dmz behind load balancer and two ADFS servers internally again behind load balancer.
But why to internal AD integrated zones ?
name3.net will not be enough ?
 on 22/11/2018 22:18

Re: Behavior or ADFS sign-out redirection specified in wreply parameter

If the trusted logout endpoint URL is set as the default, the user is immediately logged off. What am I missing?
 on 22/04/2020 18:06

Re: Behavior or ADFS sign-out redirection specified in wreply parameter

If the trusted logout endpoint URL is set as the default, the user is immediately logged off. What am I missing?
 on 22/04/2020 18:14

Add Comment

Sorry comments are disable due to the constant load of spam *


This simple antispam field seems to work well. Just put here the number.

Title


You do not need to provide any value this column. It will automatically fill with the name of the article itself.

Author *


Body *


Attachments