SAML: IDP initiated SAML logout not working

idangadot
Kilo Explorer

Hi,

I configured my IDP (a trial PingOne instance) to initiate a SAML logout session (by navigating to https://sso.connect.pingidentity.com/sso/initslo).

This means Ping sends ServiceNow a LogoutRequest, and expects a LogoutResponse.

I tried configuring navpage.do as the SAML consumer, but this does not kill the session.

Obviously /logout.do works, but that just initiates the SAML logout again (and sends a LogoutRequest to Ping)...

I couldn't find any SSO scripts that handle a LogoutRequest from the IDP...

Any ideas?

Thanks.
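
The exchange described in the question (the IdP sends a LogoutRequest, the SP ends its local session and answers with a LogoutResponse), as an added Python example that is not part of this thread and is not ServiceNow or PingOne code. The session store, entity IDs and URLs are assumptions, and XML signature verification is assumed to happen before parsing.

```python
import datetime
import uuid
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed sample message; every value in it is made up for this example.
SAMPLE_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_req-123" '
    'Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
    "<saml:Issuer>https://idp.example.com</saml:Issuer>"
    "<saml:NameID>user@example.com</saml:NameID>"
    "<samlp:SessionIndex>sess-42</samlp:SessionIndex>"
    "</samlp:LogoutRequest>" % (SAMLP, SAML)
)

def parse_logout_request(xml_text, idp_entity_id):
    """Return the fields the SP needs. The XML signature must already have
    been verified against the IdP certificate; that step is not shown."""
    if "<!DOCTYPE" in xml_text:  # SAML messages never carry a DTD
        raise ValueError("DTD not allowed")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutRequest" % SAMLP:
        raise ValueError("not a LogoutRequest")
    if root.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        raise ValueError("unexpected issuer")
    return {"id": root.attrib["ID"],
            "name_id": root.findtext("saml:NameID", namespaces=NS),
            "session_indexes": [e.text for e in root.findall("samlp:SessionIndex", NS)]}

def handle_idp_logout(xml_text, sessions, sp_entity_id, idp_entity_id, idp_slo_url):
    """End the named local sessions, then build the LogoutResponse XML.
    `sessions` is a hypothetical store keyed by (NameID, SessionIndex)."""
    req = parse_logout_request(xml_text, idp_entity_id)
    for key in list(sessions):
        # No SessionIndex in the request means every session for that NameID.
        if key[0] == req["name_id"] and (not req["session_indexes"] or key[1] in req["session_indexes"]):
            del sessions[key]
    now = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    resp = ET.Element("{%s}LogoutResponse" % SAMLP, {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": now,
        "Destination": idp_slo_url, "InResponseTo": req["id"]})
    ET.SubElement(resp, "{%s}Issuer" % SAML).text = sp_entity_id
    status = ET.SubElement(resp, "{%s}Status" % SAMLP)
    ET.SubElement(status, "{%s}StatusCode" % SAMLP, {"Value": SUCCESS})
    return ET.tostring(resp, encoding="unicode")
```

The returned XML still has to be signed and sent back over the binding the IdP expects (HTTP-Redirect or HTTP-POST); neither step is shown here.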

4 REPLIES

nthumma
Giga Guru

idangadot, we have the same issue. Did you resolve your issue?


Unfortunately no,


We realized that (a) the SLO flow is too surprising for the user (imagine logging out in one app and getting logged out of all others),


And (b) — probably because of (a) — none of the other SaaS apps/IDPs we use fully support it anyway…


raulshred
Kilo Explorer

Similar issue here.



After proper SSO validation with our own IDP we can access ServiceNow. Later we trigger a logout from our application, but the logout process is not triggered; instead we are redirected to ServiceNow.


We are having the exact same issue. Did you ever come up with a solution or workaround for this?

Most of our systems use ADFS, and when ServiceNow is the first Service Provider accessed, subsequent logout requests from other apps in the same browser session redirect to ServiceNow. 

Currently we have a separate ADFS access policy configured to get around the issue, but this defeats the purpose of SSO...