Azure AD ServiceNow SSO - Signout failed. The initiating application is not a participant in current
4 weeks ago
Hi Community,
We are in the process of transitioning our ServiceNow instance from on-prem ADFS to an Azure Tenant for SSO. The expected behavior is that all users attempting to log in are routed to the Azure Tenant for authentication and single sign-on. In the back end, it still goes through ADFS.
We've used ServiceNow documentation for setup: Create App in Azure, Create New IDP using App federation Metadata URL from Azure.
In IDP we have changed NameID to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified. Certificate attached.
When testing the connection, login works but we are running into a logout issue: "Signout failed. The initiating application is not a participant in the current session." We've checked sessions, cleared cache, double-checked the configuration multiple times both in ServiceNow and Azure. Interestingly, the same setup works fine in our dev instance with no problems. The configuration is identical on both ServiceNow and Azure sides.
At one point we got the following error screen, but it is not consistent:
We suspect there is some kind of timing issue on the ADFS side in the test env.
Has anyone experienced this issue before?
• Is there something specific to check when moving from ETFS to Azure Tenant?
• Any additional ServiceNow configuration related to logout that might differ from login?
Any insights would be greatly appreciated!
Thanks in advance.
3 weeks ago
Hi @TatsianaK
You’ve done most of the right checks already (metadata, NameID, certificate, cache), so the fact that login works but logout fails points squarely at the SAML logout flow rather than basic SSO config. A few things to highlight from experience with similar ADFS → Azure transitions:
- Login works, logout fails → usually a session mismatch.
- Check in ServiceNow IdP record:
  - Logout URL = Azure SLO endpoint.
  - Single Logout enabled.
  - NameID format same for login & logout.
- Use /saml.do?debug=true to see if a SessionIndex is passed. If Azure/ADFS doesn’t return it, logout will fail.
- Compare dev vs prod LogoutRequest/Response — likely EntityID, Logout URL, or SessionIndex is different.
If you found my response helpful, I would greatly appreciate it if you could mark it as "Accepted Solution" and "Helpful."
Your support not only benefits the community but also encourages me to continue assisting. Thank you so much!
Thanks and Regards
Ravi Gaurav | ServiceNow MVP 2025,2024 | ServiceNow Practice Lead | Solution Architect
CGI
M.Tech in Data Science & AI
YouTube: https://www.youtube.com/@learnservicenowwithravi
LinkedIn: https://www.linkedin.com/in/ravi-gaurav-a67542aa/
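
Added example, not part of the reply above or of ServiceNow's code: one way to do the dev-versus-test comparison it suggests is to decode the LogoutRequest captured from each instance and diff the fields the IdP uses to find the session. The sample requests, hosts, and the names `decode_saml`, `logout_fields` and `diff_requests` are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

P = "urn:oasis:names:tc:SAML:2.0:protocol"
A = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": P, "saml": A}

def decode_saml(value):
    """URL-decoded SAMLRequest value -> XML text."""
    raw = base64.b64decode(value)
    if raw.lstrip().startswith(b"<"):      # HTTP-POST binding: base64 only
        return raw.decode("utf-8")
    return zlib.decompress(raw, -15).decode("utf-8")  # HTTP-Redirect: raw DEFLATE

def logout_fields(xml_text):
    """Pull out the LogoutRequest fields the IdP uses to match an existing session."""
    root = ET.fromstring(xml_text)         # feed it only captures from your own debug log
    if root.tag != "{%s}LogoutRequest" % P:
        raise ValueError("not a SAML LogoutRequest")
    name_id = root.find("saml:NameID", NS)
    return {
        "Issuer": root.findtext("saml:Issuer", "", NS).strip(),
        "Destination": root.get("Destination", ""),
        "NameIDFormat": "" if name_id is None else name_id.get("Format", ""),
        "HasSessionIndex": any((e.text or "").strip()
                               for e in root.findall("samlp:SessionIndex", NS)),
    }

def diff_requests(working, failing):
    """Fields that differ between two captures, as {field: (working, failing)}."""
    a, b = logout_fields(working), logout_fields(failing)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}

# Constructed samples: hosts, tenant and user are placeholders, not values from the thread.
TEMPLATE = (
    '<samlp:LogoutRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_1" Version="2.0" '
    'IssueInstant="2025-01-01T00:00:00Z" Destination="https://login.example/TENANT/saml2">'
    '<saml:Issuer>{issuer}</saml:Issuer>'
    '<saml:NameID Format="{fmt}">user@example.com</saml:NameID>{idx}'
    '</samlp:LogoutRequest>' % (P, A))
UNSPEC = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
DEV = TEMPLATE.format(issuer="https://dev.example", fmt=UNSPEC,
                      idx="<samlp:SessionIndex>_abc</samlp:SessionIndex>")
TEST = TEMPLATE.format(issuer="https://test.example", fmt=UNSPEC, idx="")

if __name__ == "__main__":
    for field, (dev, test) in diff_requests(DEV, TEST).items():
        print(f"{field}: dev={dev!r} test={test!r}")
```

Issuer will normally differ between instances, and each value has to match the identifier registered for that instance on the IdP side; a SessionIndex or NameID format that differs on only one instance is the kind of mismatch the reply points to.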