SingleLogout with ServiceNow and AD FS

Many ServiceNow/ADFS clients have been having issues with their SAML SingleLogout from their ServiceNow instance to their ADFS Identity Provider (IdP).

I recently worked with a talented systems engineer, J Stephen Kowski, who was able to get SingleLogout to work for his company.

Here is a quick summary of the changes he made to get this to work.

Customize the SingleLogout URL in ServiceNow

In the SingleLogout URL property of ServiceNow, change the URL to something like:

https://s.myIdP.com/adfs/ls/?wa=wsignout1.0&wreply=https://s.myIdP.com/adfs/ls/?wa=wsignoutcleanup1.0
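The wreply parameter above is itself a full URL with its own query string, so when it is pasted into the outer query string unencoded, the result relies on the parser splitting each pair at the first "=" only. The following script is an added example, not part of the original post or of ServiceNow or AD FS: it builds the same SingleLogout URL with the wreply value percent-encoded, parses a URL back into its outer and inner parameters, and checks that the wreply target stays on the IdP host (wreply is a redirect target, so a defender wants to confirm it points back at AD FS). The host s.myIdP.com is taken from the page; the function names are my own.

```python
from urllib.parse import urlencode, urlsplit, parse_qs


def build_slo_url(idp_base: str) -> str:
    """Build the ServiceNow SingleLogout URL for an AD FS endpoint.

    idp_base is the /adfs/ls/ endpoint, e.g. "https://s.myIdP.com/adfs/ls/".
    The inner wsignoutcleanup1.0 URL is percent-encoded by urlencode before
    it is placed in the wreply parameter of the outer wsignout1.0 request.
    """
    cleanup = f"{idp_base}?{urlencode({'wa': 'wsignoutcleanup1.0'})}"
    return f"{idp_base}?{urlencode({'wa': 'wsignout1.0', 'wreply': cleanup})}"


def parse_slo_url(url: str) -> dict:
    """Split a SingleLogout URL into its outer parameters and the wreply target.

    Works for both the encoded form produced by build_slo_url and the
    unencoded form shown in the post, because parse_qs splits each
    name=value pair at the first "=" only.
    """
    outer = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(outer.query).items()}
    result = {
        "host": outer.hostname,          # hostname is normalised to lower case
        "wa": params.get("wa"),
        "wreply": params.get("wreply"),
        "wreply_host": None,
        "wreply_wa": None,
    }
    if result["wreply"]:
        inner = urlsplit(result["wreply"])
        result["wreply_host"] = inner.hostname
        result["wreply_wa"] = parse_qs(inner.query).get("wa", [None])[0]
    return result


def wreply_stays_on_idp(url: str) -> bool:
    """True when the wreply redirect target is on the same host as the IdP endpoint."""
    parsed = parse_slo_url(url)
    return parsed["wreply_host"] is not None and parsed["wreply_host"] == parsed["host"]


if __name__ == "__main__":
    # Constructed sample using the IdP host from the post.
    url = build_slo_url("https://s.myIdP.com/adfs/ls/")
    print(url)
    print(parse_slo_url(url))
    print("wreply stays on IdP:", wreply_stays_on_idp(url))
```

Paste the printed URL into the ServiceNow SingleLogout URL property; AD FS decodes wreply and issues the cleanup request against its own endpoint, which is what the unencoded URL in the post achieves when the parser is lenient.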

Customize the AD FS error script

Modify the file located in your “adfs/ls/” directory on your IdP web server. The file is: “error.aspx.cs”.

At the bottom of the file add the following code:

if (Exception.Message == "MSIS7055: Not all SAML session participants logged out properly. It is recommended to close your browser.")
{
    // The redirect target is read from the "signoutredirect" key in the appSettings
    // section of web.config (add that key to web.config), so the destination is fixed
    // by the administrator rather than taken from the request.
    Response.Redirect(System.Web.Configuration.WebConfigurationManager.AppSettings["signoutredirect"]);
}

The above code handles the MSIS7055 error, a common error that occurs between service providers and AD FS when not every SAML session participant completes the logout.

Credits

As mentioned above, the credit for this solution goes to J Stephen Kowski. Your results may vary according to your setup and environment, but let me know if it helps.