Reputation: 21
I'm currently integrated with a client that is using SAML2.0 and ADFS2.0. We are the Service Provider, and they are the Identity Provider.
Everything related to single sign-on works as intended, but single logout behaves strangely sometimes. For single logout, we send a SAML Logout request, and expect a SAML Logout response back to process the logout on our application. This is usually the case, and everything processes correctly.
However, I found an issue where we initiate the logout with a SAML Logout request, but then the ADFS server responds with a Logout request back.
Steps to reproduce:
Looking at SAML Tracer, I found that the logout request that the ADFS server sends back is associated to ADFS account #1. How is this possible? The logout request we send to initiate SLO has details only for ADFS account #2, nothing at all related to account #1.
Is this normal ADFS SLO behavior? To me it doesn't make sense why the ADFS server would respond back to a logout request with a logout request, and on top of that, for a different user. I have not been able to recreate this issue with other IdPs.
Besides this scenario, SLO works completely fine, and will send a logout response to every logout request we send.
Upvotes: 0
Views: 1877
Reputation: 21
This is probably because of a buggy implementation of SP-initiated SLO. Ideally, the IdP should send a logout request to all other SPs sharing the session, but not to the initiating SP.
Upvotes: 0
Reputation: 46700
In ADFS, SLO generally means log out of everything that you are signed into.
Good diagram describing this.
Upvotes: 0
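Both answers come down to the same point: once an SP starts SLO, the IdP may send its own LogoutRequests to every other session participant, so an SP has to be ready to receive a LogoutRequest (possibly for a different principal than the one it asked about) as well as the LogoutResponse it is waiting for. The handler below is an added example, not code from the question or the answers, showing how an SP can tell the two message types apart, match a LogoutResponse to the request it sent out, and answer an incoming LogoutRequest by terminating whatever local session exists for that NameID. The entity IDs, user identifiers and session indexes are constructed; signature verification and HTTP transport are left out, and a real SP must verify the IdP's signature before acting on either message type.

```python
"""SP-side handling of SAML 2.0 single logout messages (added example).

Assumes an in-memory session store keyed by NameID. Uses only xml.etree;
no signature checks or HTTP binding are shown, and a production SP must
verify the IdP signature and Destination before acting on a message.
"""
import uuid
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


class SloHandler:
    def __init__(self, sp_entity_id):
        self.sp_entity_id = sp_entity_id
        self.sessions = {}   # NameID -> session data (constructed store)
        self.pending = {}    # ID of outbound LogoutRequest -> NameID

    def build_logout_request(self, name_id, session_index):
        """SP-initiated SLO: remember the request ID so the response can be matched."""
        req_id = "_" + uuid.uuid4().hex
        self.pending[req_id] = name_id
        return req_id, (
            f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            f'ID="{req_id}" Version="2.0">'
            f"<saml:Issuer>{self.sp_entity_id}</saml:Issuer>"
            f"<saml:NameID>{name_id}</saml:NameID>"
            f"<samlp:SessionIndex>{session_index}</samlp:SessionIndex>"
            "</samlp:LogoutRequest>"
        )

    def handle(self, xml_text):
        """Dispatch on the root element: the IdP may send either message type."""
        root = ET.fromstring(xml_text)
        if root.tag == f"{{{SAMLP}}}LogoutResponse":
            return self._handle_response(root)
        if root.tag == f"{{{SAMLP}}}LogoutRequest":
            return self._handle_request(root)
        raise ValueError(f"unexpected SAML message: {root.tag}")

    def _handle_response(self, root):
        # Only act on a response that answers a request we actually sent.
        name_id = self.pending.pop(root.get("InResponseTo"), None)
        if name_id is None:
            return {"action": "ignore", "reason": "unsolicited LogoutResponse"}
        code = root.find("samlp:Status/samlp:StatusCode", NS)
        if code is None or code.get("Value") != STATUS_SUCCESS:
            return {"action": "logout_failed", "name_id": name_id}
        self.sessions.pop(name_id, None)
        return {"action": "session_terminated", "name_id": name_id}

    def _handle_request(self, root):
        # IdP-propagated logout: terminate the session for the named principal,
        # whoever it is, and always answer with a LogoutResponse.
        name_id = root.findtext("saml:NameID", namespaces=NS)
        had_session = self.sessions.pop(name_id, None) is not None
        return {
            "action": "session_terminated" if had_session else "no_local_session",
            "name_id": name_id,
            "response": self._build_response(root.get("ID")),
        }

    def _build_response(self, in_response_to):
        # A real SP also sets Destination to the IdP's SLO endpoint from metadata.
        return (
            f'<samlp:LogoutResponse xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            f'ID="_{uuid.uuid4().hex}" Version="2.0" InResponseTo="{in_response_to}">'
            f"<saml:Issuer>{self.sp_entity_id}</saml:Issuer>"
            f'<samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>'
            "</samlp:LogoutResponse>"
        )


def demo():
    """Replays the situation from the question with constructed messages."""
    sp = SloHandler("https://sp.example.test/saml")
    sp.sessions = {"user1@corp.example": {"idx": "s1"}, "user2@corp.example": {"idx": "s2"}}
    req_id, _ = sp.build_logout_request("user2@corp.example", "s2")
    # Case A: the IdP answers our request with a LogoutResponse (the usual path).
    response = (
        f'<samlp:LogoutResponse xmlns:samlp="{SAMLP}" ID="_idp_r1" Version="2.0" '
        f'InResponseTo="{req_id}"><samlp:Status>'
        f'<samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status></samlp:LogoutResponse>'
    )
    a = sp.handle(response)
    # Case B: the IdP instead sends a LogoutRequest naming a different principal.
    request = (
        f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_idp_q7" '
        'Version="2.0"><saml:Issuer>https://adfs.corp.example/adfs/services/trust</saml:Issuer>'
        "<saml:NameID>user1@corp.example</saml:NameID></samlp:LogoutRequest>"
    )
    b = sp.handle(request)
    # Case C: a LogoutResponse that answers nothing we sent is ignored.
    c = sp.handle(response.replace(f'InResponseTo="{req_id}"', 'InResponseTo="_unknown"'))
    return a, b, c, dict(sp.sessions)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The point of the dispatch in `handle` is that the SP never assumes an incoming message is the LogoutResponse it is waiting for: a response is accepted only if its `InResponseTo` matches an outstanding request, and a request is honoured for whatever NameID it carries, which is exactly what the "request for account #1" in the question needs.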