ADFS Logout Issue - Solved
‎01-11-2016 12:12 PM
Dear ServiceNow Colleagues,
We're running an MSP setup and have recently activated the plugin "Integration - Multiple Provider Single Sign-On Installer".
We recently established a test IdP in our environment; however, we're experiencing issues with logout.
Information:
- We are running ADFS 3.0
- Login works fine from..
Whenever a user presses the "Logout" button in the upper right corner, the following happens:
- The user gets either https://test-kadfs2020.cloudapp.net/adfs/ls/?wa=wsignout1.0 in the frame called gsft_main or the user receives a duplicate of instancename.service-now.com in gsft_main.
- When the user hits the "Logout" button a second time they get redirected to https://instancename.service-now.com/external_logout_complete.do
- The user visits https://instancename.service-now.com and is still logged in.
The following settings are made:
ADFS - Endpoint setup
ServiceNow - IdP setup
I'm grateful for any kind of response that I can receive from the community.
EDIT: I've recently spoken to the ADFS implementation team and they explained that the issue may be that SingleLogoutRequest is set to /adfs/ls/?wa=wsignout1.0, which is supposed to be the WS-Fed sign-out endpoint for ADFS; for SAML implementations I should use /adfs/ls/. However, if I use /adfs/ls/ as SingleLogoutRequest then CORS rules kick in and say that it's not from the same origin, because it's placed in a frame (gsft_main). It also seems that no one has successfully implemented SingleLogout with ServiceNow, at least not OOB.
EDIT 2: I finally managed to solve this by ending up with the following solution.
- Created a new UI Page called sso_logout.do
- Made the UI Page public
- In the UI Page fill-in the following:
HTML
<?xml version="1.0" encoding="utf-8" ?>
<j:jelly trim="false" xmlns:j="jelly:core" xmlns:g="glide" xmlns:j2="null" xmlns:g2="null">
  <script>
    $j(document).ready(function() {
      // Clear the instance's script-visible cookies first
      deleteAllCookies();
      // The ADFS host is passed in by the IdP's SingleLogoutRequest setting,
      // e.g. sso_logout.do?logout=youradfs.domain.tld
      var logoutparam = getParmVal('logout');
      // ADFS 3.0 sends X-Frame-Options: DENY, so its sign-out page cannot load
      // inside gsft_main; reload this page in the top window first
      breakout_of_frame();
      // Clear cookies again after the breakout attempt
      deleteAllCookies();
      // Redirect to the ADFS WS-Federation sign-out endpoint
      var url = 'https://' + logoutparam + '/adfs/ls/?wa=wsignout1.0';
      $j(location).attr('href', url);
    });
  </script>
</j:jelly>
Client Script
// Expire every cookie visible to script on the current path. HttpOnly cookies
// and cookies set on another path or domain cannot be removed from JavaScript,
// so this only clears what the browser exposes to this page.
function deleteAllCookies() {
    var cookies = document.cookie.split(";");
    for (var i = 0; i < cookies.length; i++) {
        var equals = cookies[i].indexOf("=");
        var name = equals > -1 ? cookies[i].substr(0, equals) : cookies[i];
        // Entries after the first carry a leading space, so trim the name
        document.cookie = name.trim() + "=;expires=Thu, 01 Jan 1970 00:00:00 GMT";
    }
}

// If this page was loaded inside a frame (gsft_main), reload it in the top window
function breakout_of_frame() {
    if (top.location != location) {
        top.location.href = document.location.href;
    }
}

// Read a query-string parameter; parseQuery() is a ServiceNow extension of String
function getParmVal(name) {
    var url = document.URL.parseQuery();
    if (url[name]) {
        return decodeURI(url[name]);
    }
    return;
}
Navigate to Identity Providers and edit current IdP
Change Identity Provider's SingleLogoutRequest into sso_logout.do?logout=youradfs.domain.tld
Change External logout redirect into sso_logout.do
Finally test that it's working and that you are logged-out.
Small analysis on why it's not working for US and probably YOU
1. We use MultiSSO Plugin
2. We are on ADFS 3.0 and not ADFS 2.0. By default, ADFS 3.0 responses contain the "X-Frame-Options: DENY" HTTP header. This prevents ADFS from being run in an iframe, because that presents an opportunity for clickjacking attacks; the result is a blank white page in the ServiceNow iframe called gsft_main.
3. We are running High Security plugin.
So when we used a custom logout page to first break out of the iframe and then continue with the logout procedure, it started to work. Also, as a side note, I had X-Frame-Options enabled in the ServiceNow instance and ran into an issue where I was still logged on; after turning X-Frame-Options OFF and then ON, everything started to work. I hope this solution helps others.
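An added example (not the original poster's code) showing a hardened version of the client-side logic behind the sso_logout page above: because the page is public and takes the ADFS host from the logout query parameter, the host is checked against an allowlist before the wsignout1.0 URL is built, instead of being concatenated as-is. The allowlisted host, the standard URL API in place of ServiceNow's parseQuery(), and the fallback target are assumptions.

```javascript
// Hardened logout-target resolution for a public sso_logout page (added example).
// Assumption: the ADFS host(s) are known up front; the thread's test host is used.
const ALLOWED_ADFS_HOSTS = new Set([
  "test-kadfs2020.cloudapp.net",
]);

// Stand-in for the ServiceNow-specific document.URL.parseQuery():
// reads one query parameter with the standard URL API.
function getParmVal(pageUrl, name) {
  const value = new URL(pageUrl).searchParams.get(name);
  return value === null ? undefined : value;
}

// Builds the ADFS WS-Federation sign-out URL (the wa=wsignout1.0 endpoint the
// thread uses) only for an allowlisted host. The original page trusts the
// query-string value directly, so on a public UI page any host placed in
// ?logout= would become the redirect target (an open redirect).
function buildSignoutUrl(logoutHost) {
  if (typeof logoutHost !== "string") return null;
  const host = logoutHost.trim().toLowerCase();
  // Accept only a bare hostname: no scheme, port, path, userinfo or encoding tricks
  if (!/^[a-z0-9.-]+$/.test(host)) return null;
  if (!ALLOWED_ADFS_HOSTS.has(host)) return null;
  return "https://" + host + "/adfs/ls/?wa=wsignout1.0";
}

// Resolve where the page should send the browser. Assumed fallback: the
// instance's own logout-complete page rather than an unknown host.
function resolveLogoutTarget(pageUrl) {
  const target = buildSignoutUrl(getParmVal(pageUrl, "logout"));
  return target || "/external_logout_complete.do";
}
```

In the Jelly page the result of resolveLogoutTarget(document.URL) would replace the hand-built url variable before the $j(location).attr('href', ...) call.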
‎11-30-2016 04:49 PM
OK, so I answered my own questions on both:
The first was because the sso_logout UI page script wasn't kicking off because of the second... AND... the second is embarrassing, but maybe it will help someone else down the road. The page name is NOT sso_logout.do, it is sso_logout. *.do is an action. So after fixing the public pages with sso_logout and changing the UI page name to sso_logout, all worked perfectly. Thank you VERY much for posting and editing your work! ismar
‎01-29-2019 08:10 AM
Hi Ismar,
We are in the process of implementing ADFS 2016 and are having a similar issue to what you describe, where the initial logout from ADFS seems to work, but once you authenticate and log out again, you are still logged in when you navigate back to the root instance URL. I tried your solution but unfortunately it is not working.
Is this still working for you? Any suggestions? I even tried disabling and re-enabling the X-Frame-Options property too.
Thanks,
Steve
‎08-03-2020 12:41 PM
Hi, I think this can solve the issue with no additional scripts.
Solution: Remove the value external_logout_complete.do from External logout redirect.
Reason: when you configure the logout URL on the ADFS side, you have already specified in the Response URL parameter the destination for the finished user session.