It may seem that AD FS does not honor the wreply parameter of wsignout1.0 passive WS-Federation requests. The behavior may look odd on Windows Server 2016 as well as on any older version (AD FS 2.0, AD FS 3.0 or AD FS 4.0). Here I will define it precisely:
AD FS actually does honor the wreply parameter on wsignout1.0 requests. If you configure AD FS correctly, it works. The wreply URI must naturally be configured as one of the Trusted URLs on the Endpoints tab of the relying party properties, just like any sign-in wreply URI. The Trusted URLs are the allow list of destinations AD FS is willing to redirect the browser to, so an unlisted wreply is ignored rather than followed.
Yet there is one specialty. In the case of federated sign-out, the wreply request parameter is honored only if it matches a Trusted URL that is set as the default URI for the relying party trust. If there is no match among the Trusted URLs, or if the matched Trusted URL is not set as default, the user stays on AD FS's own sign-out page.
AD FS and its Trusted URL matching logic
The Endpoints tab can specify several WS-Federation passive trusted URLs. AD FS takes the value of the wreply parameter and first tries to match it exactly. Note that the matching is always case sensitive, just like any other XML comparison! If no exact match is found, AD FS tries to match the wreply URI to any other trusted URL that is a parent path of the URI specified in wreply.
This applies to any matching, for sign-in as well as for sign-out. In the case of sign-out, though, the matched trusted URL must also be marked as default for the sign-out redirection to work.
Examples
If you have this Endpoints configuration, the wreply parameter will not work for the federated sign-out:
Kind        | URL                                          | Default
wreply      | https://finance.gopas.cz/logout/default.aspx |
Trusted URL | https://finance.gopas.cz/authenticated.aspx  | default
Trusted URL | https://finance.gopas.cz/logout/default.aspx |
Trusted URL | https://finance.gopas.cz/logout              |
Trusted URL | https://finance.gopas.cz                     |
To let the final sign-out redirection happen, you must configure the trusted URL https://finance.gopas.cz/logout/default.aspx as the default for the relying party.
If you configured the parent trusted URL https://finance.gopas.cz or https://finance.gopas.cz/logout as the default, it would not work, because of the matching logic. The more specific trusted URL is always matched first (the matching is greedy), and if that URL is not set as default, the sign-out redirection does not happen.
Note again that the values must also match case-sensitively.
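As an added example (not from the original post and not AD FS code), the matching rules described above modelled in Python over the example Endpoints configuration. The functions, the "longest parent path wins" tie-break and the strictly case-sensitive host comparison are assumptions that follow the description on this page, not a reading of the AD FS implementation.

```python
from urllib.parse import urlsplit

# Constructed sample configuration: the Endpoints tab from the example above,
# as (trusted URL, is_default) pairs. Only the first entry is marked default.
TRUSTED_URLS = [
    ("https://finance.gopas.cz/authenticated.aspx", True),
    ("https://finance.gopas.cz/logout/default.aspx", False),
    ("https://finance.gopas.cz/logout", False),
    ("https://finance.gopas.cz", False),
]


def with_default(trusted_urls, default_url):
    """Return a copy of the configuration with default_url as the only default."""
    return [(url, url == default_url) for url, _ in trusted_urls]


def is_parent_path(trusted, wreply):
    """True if trusted is a parent path of wreply: same scheme and host, and the
    path matches on a segment boundary. Everything is compared case-sensitively,
    as the page states (assumption: this models the description, not AD FS)."""
    t, w = urlsplit(trusted), urlsplit(wreply)
    if (t.scheme, t.netloc) != (w.scheme, w.netloc):
        return False
    parent = t.path.rstrip("/")
    return w.path == parent or w.path.startswith(parent + "/")


def match_trusted_url(wreply, trusted_urls):
    """Exact (case-sensitive) match first; otherwise the most specific parent
    path wins. Returns (trusted_url, is_default) or None when nothing matches."""
    for url, is_default in trusted_urls:
        if url == wreply:
            return url, is_default
    parents = [(u, d) for u, d in trusted_urls if is_parent_path(u, wreply)]
    if not parents:
        return None
    # Assumption: the longest matching trusted URL is the most specific one.
    return max(parents, key=lambda pair: len(pair[0]))


def signin_redirects(wreply, trusted_urls):
    """wsignin1.0: any trusted URL match is enough for the redirect."""
    return match_trusted_url(wreply, trusted_urls) is not None


def signout_redirects(wreply, trusted_urls):
    """wsignout1.0: the matched trusted URL must also be the default."""
    match = match_trusted_url(wreply, trusted_urls)
    return match is not None and match[1]
```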