Possible Fix for ADFS 2.0 SingleLogout with ServiceNow

10 Comments

1. 

   Richard Gilmour on January 5, 2012 at 1:56 am

   Hi John,

   Thanks, that works well! I think you’re missing a closing bracket on your “if” statement before the action:

   if (Exception.Message == “MSIS7055: Not all SAML session participants logged out properly. It is recommended to close your browser.”){
   Response.Redirect(System.Web.Configuration.WebConfigurationManager.AppSettings[“signoutredirect”]);
   }

   Thanks also to Stephen!

   Best regards
   Richard

2. 

   John Andersen on January 5, 2012 at 6:14 am

   Thanks Richard, I have corrected the text!

3. 

   John Hefferman on March 22, 2012 at 12:13 pm

   Hi Richard,

   Thanks for all the SSO information. I had a couple of questions:

   Do you know if Service Now’s SingleLogout functionality is working any smoother with FS since the latest release?

   Have you heard of any adverse effects that modifying the error.aspx.cs file on the FS server might have on other services linked to the site’s FS SSO?

   Best Regards,
   John

4. 

   John Andersen on March 22, 2012 at 12:25 pm

   @John H

   The latest release of ServiceNow does not have any SLO enhancements that I know of.

   I have no knowledge on the second question and will leave that for someone who knows better than me.

   -John

5. 

   John Hefferman on March 23, 2012 at 12:54 am

   Ok, thanks all the same, we will see about testing the workaround.

   John

6. 

   John Hefferman on March 25, 2012 at 5:10 am

   Hi John,

   We have tested it, but are having some problems getting the sign out to work in conjunction with other sites. For instance, if you login to Service Now and then click the logout button, you are logged out of the instance but all other SSO websites remain logged in.

   What’s worse, once the user has logged into service now, it becomes impossible to logout of any other application until the browser is closed. Logging out of another application, does not result in a SN logout either.

   One question, what exactly is the ‘signoutredirect’ in the line Response.Redirect(System.Web.Configuration.WebConfigurationManager.AppSettings[“signoutredirect”]); ? We don’t have this property in the configuration.

   Maybe J Stephen Kowski and Richard Gilmour’s organisations only have Service Now linked to their Federation Service login so any issues logging out multiple sites is not an issue? I doubt it though.

   Would you be able to pass my e-mail on to them in case they are willing to provide any advice? We already spent quite some effort last year trying to solve it with the SN support/developers but this didn’t produce any fruit, and getting Service Now to logout properly is becoming rather urgent.

   Cheers,
   John

7. 

   John Andersen on March 26, 2012 at 5:53 am

   @John…Forwarded your comments on, but not sure it will get you a response. I would recommend chatting with MS support on this. If you do figure anything out, please reach out to me and we can share with the rest of the world on how to make this happen with ADFS and ServiceNow.

8. 

   John Hefferman on March 26, 2012 at 6:44 am

   Ok thanks very much,
   John

9. 

   Frank on May 23, 2013 at 9:07 pm

   This is not a solution. This is a Bandaid for ServiceNow’s failure to implement SAML 2.0 SLO, and it’s not even a good Bandaid . The modification you are making to the error page is hiding a REAL sign-out problem. This entire article should be taken down. The solution is for SN to implement SLO, rather than faking WS-Fed sign-out for a SAMLP session.

10. 

    Sameera Perera on January 5, 2015 at 6:56 pm

    I think the solution provided in the reference below is a better solution for the problem.

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/b562c9a5-6d05-4a19-bd39-cb1bf9f77c4a/adfs-and-google-apps-sso-signout-url?forum=winserverDS