Many ServiceNow/ADFS clients have been having issues with their SAML SingleLogout from their ServiceNow instance to their ADFS Identity Provider (IdP).
I recently worked with a talented systems engineer, J Stephen Kowski, who was able to get SingleLogout to work for his company.
Here is a quick summary of what changes he did to get this to work.
Customize the SingleLogout URL in ServiceNow
In the SingleLogout URL property of ServiceNow, change the URL to something like:
https://s.myIdP.com/adfs/ls/?wa=wsignout1.0&wreply=https://s.myIdP.com/adfs/ls/?wa=wsignoutcleanup1.0
Customize the AD FS error script
Modify the file located in your “adfs/ls/” directory on your IdP web server. The file is: “error.aspx.cs”.
At the bottom of the file add the following code:
    if (Exception.Message == "MSIS7055: Not all SAML session participants logged out properly. It is recommended to close your browser.")
    {
        // "signoutredirect" is an appSettings key you add to the adfs/ls web.config;
        // its value is the URL the user is sent to after logout.
        Response.Redirect(System.Web.Configuration.WebConfigurationManager.AppSettings["signoutredirect"]);
    }
The above code catches the MSIS7055 error ("Not all SAML session participants logged out properly") that ADFS raises when a SAML logout does not complete cleanly between the service provider and ADFS, and sends the user to the configured URL instead of showing the error page.
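As an added example, not part of the original post or of Stephen's change, here is a more defensive form of the same error.aspx.cs hook: the MSIS7055 check, the missing-setting case and validation of the redirect target are pulled into a small helper so they can be read (and unit-tested) in one place. It assumes, as the post's snippet does, that the error page code-behind exposes the current exception through an `Exception` property, and that `signoutredirect` has been added to the `<appSettings>` of the adfs/ls web.config. The class name `ErrorPage`, the helper `SloErrorRedirect` and the sample URL are my own assumptions.

```csharp
// Added example, not the original post's code. Assumes the ADFS error page
// code-behind exposes the current exception as an "Exception" property (as the
// post's snippet does) and that web.config under adfs/ls contains:
//   <appSettings>
//     <add key="signoutredirect" value="https://portal.example.com/loggedout" />
//   </appSettings>
// (the value is a placeholder; class and method names are hypothetical).
using System;
using System.Web;
using System.Web.Configuration;

public static class SloErrorRedirect
{
    // ADFS reports an incomplete SAML logout with event code MSIS7055.
    // Matching on the code prefix rather than the whole sentence keeps the hook
    // working if the message text is localized or reworded.
    private const string IncompleteSloCode = "MSIS7055:";

    // Returns the URL to redirect to for an MSIS7055 error, or null when the
    // normal error page should be shown instead.
    public static string GetRedirectTarget(Exception error, string configuredTarget)
    {
        if (error == null || string.IsNullOrEmpty(error.Message))
            return null;

        if (!error.Message.StartsWith(IncompleteSloCode, StringComparison.Ordinal))
            return null;

        // If the appSettings key is missing, fail closed: show the error page
        // rather than calling Response.Redirect(null).
        if (string.IsNullOrEmpty(configuredTarget))
            return null;

        // Only accept an absolute https URL so a typo in web.config cannot send
        // the user to a plain-http or relative location.
        Uri target;
        if (!Uri.TryCreate(configuredTarget, UriKind.Absolute, out target)
            || target.Scheme != Uri.UriSchemeHttps)
            return null;

        return target.AbsoluteUri;
    }
}

// Second part of the existing code-behind class: the base class (which provides
// Exception, Response and Context) is declared in the original error.aspx.cs,
// so this partial declaration omits it. Call HandleIncompleteSingleLogout()
// at the point where the post adds its snippet.
public partial class ErrorPage
{
    protected void HandleIncompleteSingleLogout()
    {
        string target = SloErrorRedirect.GetRedirectTarget(
            Exception,
            WebConfigurationManager.AppSettings["signoutredirect"]);

        if (target == null)
            return;   // not MSIS7055, or not configured: render the page as usual

        // endResponse: false avoids the ThreadAbortException that Redirect(url)
        // throws; CompleteRequest ends the request cleanly instead.
        Response.Redirect(target, false);
        Context.ApplicationInstance.CompleteRequest();
    }
}
```

The helper takes the exception and the setting as plain arguments, so it can be exercised outside IIS with a constructed `new Exception("MSIS7055: ...")` and a few candidate URLs before the file is deployed to the federation server.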
Credits
As mentioned above, the credit for this solution goes to J Stephen Kowski. Your results may vary according to your setup and environment, but let me know if it helps.
Hi John,
Thanks, that works well! I think you’re missing a closing bracket on your “if” statement before the action:
    if (Exception.Message == "MSIS7055: Not all SAML session participants logged out properly. It is recommended to close your browser.")
    {
        Response.Redirect(System.Web.Configuration.WebConfigurationManager.AppSettings["signoutredirect"]);
    }
Thanks also to Stephen!
Best regards
Richard
Thanks Richard, I have corrected the text!
Hi Richard,
Thanks for all the SSO information. I had a couple of questions:
Do you know if Service Now’s SingleLogout functionality is working any smoother with FS since the latest release?
Have you heard of any adverse effects that modifying the error.aspx.cs file on the FS server might have on other services linked to the site’s FS SSO?
Best Regards,
John
@John H
The latest release of ServiceNow does not have any SLO enhancements that I know of.
I have no knowledge on the second question and will leave that for someone who knows better than me.
-John
Ok, thanks all the same, we will see about testing the workaround.
John
Hi John,
We have tested it, but are having some problems getting the sign out to work in conjunction with other sites. For instance, if you login to Service Now and then click the logout button, you are logged out of the instance but all other SSO websites remain logged in.
What’s worse, once the user has logged into service now, it becomes impossible to logout of any other application until the browser is closed. Logging out of another application, does not result in a SN logout either.
One question, what exactly is the 'signoutredirect' in the line Response.Redirect(System.Web.Configuration.WebConfigurationManager.AppSettings["signoutredirect"]); ? We don't have this property in the configuration.
Maybe J Stephen Kowski and Richard Gilmour’s organisations only have Service Now linked to their Federation Service login so any issues logging out multiple sites is not an issue? I doubt it though.
Would you be able to pass my e-mail on to them in case they are willing to provide any advice? We already spent quite some effort last year trying to solve it with the SN support/developers but this didn’t produce any fruit, and getting Service Now to logout properly is becoming rather urgent.
Cheers,
John
@John… Forwarded your comments on, but not sure it will get you a response. I would recommend chatting with MS support on this. If you do figure anything out, please reach out to me and we can share with the rest of the world on how to make this happen with ADFS and ServiceNow.
Ok thanks very much,
John
This is not a solution. This is a Bandaid for ServiceNow's failure to implement SAML 2.0 SLO, and it's not even a good Bandaid. The modification you are making to the error page is hiding a REAL sign-out problem. This entire article should be taken down. The solution is for SN to implement SLO, rather than faking WS-Fed sign-out for a SAMLP session.
I think the solution provided in the reference below is a better solution for the problem.
https://social.technet.microsoft.com/Forums/windowsserver/en-US/b562c9a5-6d05-4a19-bd39-cb1bf9f77c4a/adfs-and-google-apps-sso-signout-url?forum=winserverDS