There are literally hundreds of questions around this on the Internet.
Among the comments:
- It never worked
- It only works on ADFS 2.0
- It works fine on ADFS 3.0
And further "clarification":
- The wreply string must match the ADFS identifier exactly
- The wreply string must match the ADFS WS-Fed endpoint exactly
- The wreply string must be a sub-URL of the ADFS WS-Fed endpoint
- You need to include wtrealm
And by "exactly", I mean case and all.
Anyway, I needed to get this to work. It took me literally hours, but I managed in the end.
So yes, it does work on ADFS 3.0.
My ADFS RP:
which decoded is:
which decoded is:
GET https://my-adfs/adfs/ls/?wa=wsignout1.0&wreply=https://my-pc/my-app.SSO/Home/ HTTP/1.1
which results in:
GET https://my-pc/my-app.SSO/?wa=wsignoutcleanup1.0 HTTP/1.1
and ADFS redirects to:
GET https://my-pc/my-app.SSO/Home/ HTTP/1.1
which is what I wanted.
You will notice that both the identifier and the endpoint are the same. I suspect that the endpoint is the one that counts. In other words, the identifier could be different.
As per the thread "ADFS 2.0 does not redirect back to 'reply' url on signout":
"The wreply URL for signout requests must be a sub-URL of the Passive Requestor Endpoint defined for the RP. The reason: Any other rule would make it more difficult for the user to verify if the signout process has completed correctly, thus opening the door for unintentional information disclosure in the 'public library browser' scenario."
What is a sub-URL?
"A sub URL is simply any page on your website other than your home page. For example if we signed up www.clicksubmit.com then we may also decide to add www.clicksubmit.com/seo as a sub URL."
So in my case, the endpoint is:
and the wreply is:
which is a sub-URL.
And this is the URL that ADFS redirects to.
There is also the matter of the "green tick".
Vittorio has this to say in "Programming WIF".
"What sets apart the cleanup from all other actions I’ve described so far is that it might not end with a redirect. If the message contains a wreply, WSFAM dutifully returns a 302 message to the indicated location; if it doesn’t, it will return an image or .gif of a green check mark."
I couldn't get this to happen.
Then I came across this.
"The Endpoints tab can specify several WS-Federation passive trusted URLs. ADFS takes the value from wreply parameter and tries to match it exactly first. Note that the matching is always case sensitive, just like with any other XML comparisons!
If no exact match is found, ADFS tries to match the wreply URI to any other trusted URL which would possibly be a parent path of the URI specified in wreply.
This applies to any matching, either sign-in or sign-out.
In case of sign-out though, the matched trusted URL must also be marked as default in order for the log-out redirection to work."
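The matching rules quoted above (exact case-sensitive match first, then a parent-path match against a trusted WS-Federation endpoint, and for sign-out the matched endpoint must be the default one) are the same rules that decide whether the sub-URL wreply earlier in this post is honoured. The following is an added example that models those rules as a standalone check for a relying party's own sign-out handling; it is not ADFS code and not code from this post, and the `TrustedEndpoint` class, the `match_wreply` function and the "first match wins" ordering are my assumptions about how the quoted behaviour could be expressed, not a statement of how ADFS implements it internally. The endpoint and wreply values are taken from the post; the second, non-default endpoint is constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Sequence
from urllib.parse import urlsplit


@dataclass(frozen=True)
class TrustedEndpoint:
    """One WS-Federation passive endpoint configured on the RP trust.

    Hypothetical model of the Endpoints tab: the URL and whether it is
    marked as the default endpoint (required for sign-out redirects).
    """
    url: str
    default: bool = False


def _parent_path_match(trusted: str, candidate: str) -> bool:
    """True if `trusted` is a parent path of `candidate`.

    Scheme, host and path are compared case-sensitively, following the
    quoted note that ADFS matching is case sensitive. The trusted path is
    forced to end with '/' so that '/my-app.SSO' cannot match
    '/my-app.SSOX/...'; only whole path segments count.
    """
    t, c = urlsplit(trusted), urlsplit(candidate)
    if (t.scheme, t.netloc) != (c.scheme, c.netloc):
        return False
    tpath = t.path or "/"
    if not tpath.endswith("/"):
        tpath += "/"
    return (c.path or "/").startswith(tpath)


def match_wreply(wreply: str, trusted: Sequence[TrustedEndpoint],
                 signout: bool = False) -> Optional[str]:
    """Return the trusted endpoint URL that `wreply` matches, or None.

    Order of checks, as the quoted text describes:
      1. exact, case-sensitive string match against a trusted URL;
      2. otherwise, a trusted URL that is a parent path of wreply;
      3. for sign-out, the matched endpoint must also be the default one.
    First match wins (assumption); a None result means the redirect should
    be refused rather than sent to an unverified location.
    """
    matched = next((ep for ep in trusted if ep.url == wreply), None)
    if matched is None:
        matched = next((ep for ep in trusted
                        if _parent_path_match(ep.url, wreply)), None)
    if matched is None:
        return None
    if signout and not matched.default:
        return None
    return matched.url


# Constructed RP trust: the endpoint from the post (marked default) plus a
# second, non-default endpoint added for illustration.
RP_ENDPOINTS = (
    TrustedEndpoint("https://my-pc/my-app.SSO/", default=True),
    TrustedEndpoint("https://my-pc/other/", default=False),
)


if __name__ == "__main__":
    # The wreply from the post's sign-out request: a sub-URL of the default
    # endpoint, so the redirect is allowed.
    print(match_wreply("https://my-pc/my-app.SSO/Home/", RP_ENDPOINTS,
                       signout=True))
    # Same path, different case: refused, because matching is case sensitive.
    print(match_wreply("https://my-pc/My-App.SSO/Home/", RP_ENDPOINTS,
                       signout=True))
    # Sub-URL of a trusted but non-default endpoint: fine for sign-in,
    # refused for sign-out.
    print(match_wreply("https://my-pc/other/page", RP_ENDPOINTS))
    print(match_wreply("https://my-pc/other/page", RP_ENDPOINTS,
                       signout=True))
```

The point of the parent-path check ending the trusted path with a slash is the one the ADFS documentation gives for the sub-URL rule in the first place: a wreply that merely shares a string prefix with a trusted endpoint (a different host, or `/my-app.SSOX/`) is not somewhere the user can verify the sign-out completed, so it is not a place to redirect to.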