
We are using SAML 2.0 with ADFS hosted on Windows Server 2016. SSO is working. Users can successfully log into the ADFS identity provider and are redirected to the relying party and the SAML token is decrypted, assertions are read, and the user is successfully logged in. So far, so good.

SLO with ADFS and SAML 2.0 is not as clear. The OASIS specification (https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf) includes the following guidance on creating a SAML 2.0 LogoutRequest. On page 33, the process for issuing the LogoutRequest is described as follows:

  1. LogoutRequest issued by Session Participant to Identity Provider
  In step 1, the session participant initiates single logout and terminates a principal's session(s) by sending a LogoutRequest message to the identity provider from whom it received the corresponding authentication assertion. The request may be sent directly to the identity provider or sent indirectly through the user agent.

How is this step applied to ADFS? Specifically:

What endpoint on ADFS should the LogoutRequest be sent to? If it is a POST request, should the XML be submitted in the body? If not, how should it be packaged?

The majority of documentation we have found online that discusses SLO on ADFS uses WS-Federation rather than SAML 2.0.

1 Answer

ADFS's endpoint for SAML SLO is https://[your-adfs]/adfs/ls/

And yep, usually it's a POST containing the <samlp:LogoutRequest ... in its body.

See this answer for much more detail.