Thursday, March 03, 2016

ADFS : wreply does not redirect after WS-Fed signout

This is with Active Directory Federation services 3.0.

There are literally hundreds of questions around this on the Internet.

Among the comments:
  • It never worked
  • It only works on ADFS 2.0
  • It works fine on ADFS 3.0
and so on.

And further "clarification":
  • The wreply string must match the ADFS identifier exactly
  • The wreply string must match the ADFS WS-Fed endpoint exactly
  • The wreply string must be a sub-URL of the ADFS WS-Fed endpoint
  • You need to include wtrealm
and so on.

And by "exactly", I mean case and all.

Anyway, I needed to get this to work. It took me literally hours but I managed in the end.

So yes, it does work on ADFS 3.0.

My ADFS RP:

The identifier:

https://my-pc/my-app.SSO/

The endpoint:

https://my-pc/my-app.SSO/

WS-Fed signin:

GET https://my-adfs/adfs/ls/?wa=wsignin1.0&wtrealm=https%3a%2f%2fmy-pc%2fmy-app.SSO%2f&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fmy-app.SSO%252f&wct=2016-03-02T18%3a35%3a52Z HTTP/1.1

which decoded is:

GET https://my-adfs/adfs/ls/?wa=wsignin1.0&wtrealm=https://my-pc/my-app.SSO/
&wctx=rm=0&id=passive&ru=/my-app.SSO/&wct=2016-03-02T18:35:52Z HTTP/1.1

WS-Fed signout:

GET https://my-adfs/adfs/ls/?wa=wsignout1.0&wreply=https%3a%2f%2fmy-pc%2fmy-app.SSO%2fHome%2f HTTP/1.1

which decoded is:

GET https://my-adfs/adfs/ls/?wa=wsignout1.0&wreply=https://my-pc/my-app.SSO/Home/ HTTP/1.1

which results in:

GET https://my-pc/my-app.SSO/?wa=wsignoutcleanup1.0 HTTP/1.1

and ADFS redirects to:

GET https://my-pc/my-app.SSO/Home/ HTTP/1.1

which is what I wanted.

You will notice that both the identifier and the endpoint are the same. I suspect that the endpoint is the one that counts. In other words, the identifier could be different.

As per "ADFS 2.0 does not redirect back to 'reply' url on signout":

"The wreply URL for signout requests must be a sub-URL of the Passive Requestor Endpoint defined for the RP. The reason: Any other rule would make it more difficult for the user to verify if the signout process has completed correctly, thus opening the door for unintentional information disclosure in the 'public library browser' scenario."

What is a sub-URL?

"A sub URL is simply any page on your website other than your home page. For example if we signed up www.clicksubmit.com then we may also decide to add www.clicksubmit.com/seo as a sub URL."

So in my case, the endpoint is:

https://my-pc/my-app.SSO/

and the wreply is:

https://my-pc/my-app.SSO/Home/

which is a sub-URL.

And this is the URL that ADFS redirects to.

Aside

There is also the matter of the "green tick".

Vittorio has this to say in "Programming WIF".

"What sets apart the cleanup from all other actions I’ve described so far is that it might not end with a redirect. If the message contains a wreply, WSFAM dutifully returns a 302 message to the indicated location; if it doesn’t, it will return an image or .gif of a green check mark."

I couldn't get this to happen.

Update

Then I came across this.

"The Endpoints tab can specify several WS-Federation passive trusted URLs. ADFS takes the value from wreply parameter and tries to match it exactly first. Note that the matching is always case sensitive, just like with any other XML comparisons!

If no exact match is found, ADFS tries to match the wreply URI to any other trusted URL which would possibly be a parent path of the URI specified in wreply.

This applies to any matching, either sign-in or sign-out.

In case of sign-out though, the matched trusted URL must also be marked as default in order for the log-out redirection to work."
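The sign-out exchange shown earlier and the matching rules quoted in this update can be modelled in a few lines. The following Python is an added example written for this post, not ADFS code or anything from Microsoft: it builds the sign-in and sign-out requests the way the captured traffic above is shaped, then applies the quoted rules (case-sensitive exact match first, then a trusted URL that is a parent path of wreply, and for sign-out the matched endpoint must also be the default) to decide whether a given wreply would be honoured. The endpoint list, the `default` flag and the rejection of `.`/`..` path segments are assumptions of the example. The same prefix check is also what a relying party should run on its own side before redirecting a browser to any location it did not generate itself.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample RP trust: the post's endpoint as the default WS-Fed passive
# endpoint, plus a second, non-default endpoint (assumed) for the contrast case.
TRUSTED_ENDPOINTS = [
    {"url": "https://my-pc/my-app.SSO/", "default": True},
    {"url": "https://my-pc/other-app/", "default": False},
]


def build_signin_url(adfs_base, wtrealm, wctx):
    """WS-Fed passive sign-in request; wctx is nested-encoded like the post's capture."""
    params = {"wa": "wsignin1.0", "wtrealm": wtrealm, "wctx": urlencode(wctx)}
    return adfs_base.rstrip("/") + "/adfs/ls/?" + urlencode(params)


def build_signout_url(adfs_base, wreply):
    """WS-Fed passive sign-out request carrying the desired post-logout location."""
    return adfs_base.rstrip("/") + "/adfs/ls/?" + urlencode({"wa": "wsignout1.0", "wreply": wreply})


def query_params(url):
    """Decode the query string of a request URL into {name: first value}."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def _has_dot_segments(url):
    # Hardening assumption (not from the post): refuse '.' / '..' path segments so a
    # candidate cannot be a textual child of a trusted URL yet resolve elsewhere.
    return any(seg in (".", "..") for seg in urlsplit(url).path.split("/"))


def _is_parent_path(trusted, candidate):
    # Plain, case-sensitive string prefix: the quoted note says matching is case sensitive.
    # The forced trailing slash stops "https://host/app" from matching "https://host/appX/".
    base = trusted if trusted.endswith("/") else trusted + "/"
    return candidate.startswith(base)


def match_wreply(wreply, endpoints, signout=False):
    """Return the trusted endpoint that wreply is accepted against, or None.

    Order follows the quoted description: exact (case-sensitive) match first,
    then a trusted URL that is a parent path of wreply. For sign-out the
    matched endpoint must additionally be the default one.
    """
    if _has_dot_segments(wreply):
        return None
    matched = next((ep for ep in endpoints if ep["url"] == wreply), None)
    if matched is None:
        matched = next((ep for ep in endpoints if _is_parent_path(ep["url"], wreply)), None)
    if matched is None:
        return None
    if signout and not matched["default"]:
        return None
    return matched


def signout_redirect_target(signout_url, endpoints):
    """Where a sign-out request would be redirected after cleanup, or None.

    None covers both "no wreply at all" (no redirect; the post's green-tick
    case) and "wreply present but not accepted" (no redirect either).
    """
    q = query_params(signout_url)
    if q.get("wa") != "wsignout1.0":
        return None
    wreply = q.get("wreply")
    if wreply is None:
        return None
    return wreply if match_wreply(wreply, endpoints, signout=True) else None


if __name__ == "__main__":
    url = build_signout_url("https://my-adfs", "https://my-pc/my-app.SSO/Home/")
    print(url)
    print("redirects to:", signout_redirect_target(url, TRUSTED_ENDPOINTS))
```

Run as a script it prints the sign-out request for the post's wreply and the location it resolves to. Feeding it a wreply under the non-default endpoint, or one that differs only in case, returns None, which is the "sits on the logged-out page" outcome rather than a redirect.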

Enjoy!

3 comments:

Anonymous said...

Awesome summary! ADFS configuration screenshots would be really helpful. Thanks!

Unknown said...

Great post but I cannot get this to work in ADFS 3.0. It simply sits on the ADFS logged out page. It will NOT forward to the redirect landing page. Any ideas? URL string looks like below
/adfs/ls?wa=wsignout1.0&wreply=https%3a%2f%2b1d1-wshpwb01.fqdn%2flogout%2fSitePages%2fHome.aspx

Unknown said...

I noticed the following when multiple WS-Federation Passive Endpoints are used:
- the redirection works as you document it for the default endpoint
- redirection after federated log-out does not work for AD FS 3.0 when the user was logged in using a non-default endpoint

Anyway, thanks for the clear description. One would wish that Microsoft documents their stuff to this level of detail.