This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(230.39999999999998, 77%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
We have an ADFS 4 server and a proxy server, and about 10 relying parties set up for various software vendors.
After importing a new relying party metadata file into ADFS, the relying party properties in ADFS show empty Signature and Encryption tabs.
Sign in works fine.
But relying party is not logging out the user after the user clicks log out. It redirects the user to the successfully signed out page, but if a protected page is accessed after signing out, it lets you in as the previously signed in user.
What can be tried to troubleshoot this issue?
Here is relevant files:
Looking at the metadata of the application, there isn't a logout endpoint.
You need to reach out to the application's owner/developers and asks them to provide (or implement if not there already) a logout endpoint.
The application developers allow a configurable redirect URL.
Will the logout succeed if that URL is configured to https://<adfs_server>/adfs/ls/?wa=wsignout1.0, or, if a redirect after logout is desired, then https://<adfs_server>/adfs/ls/?wa=wsignout1.0&wreply=https://www.fabrikam.com/
In other words, will the logout succeed if the relying party sends a GET (or POST?) request to the ADFS wsignout1.0 URL? I guess I could test this myself, but just asking if theoretically that's how it's supposed to work.
That is not a valid endpoint for SAML log-out. This is a WS-Federation URL. Unless your application is using WS-Federation? The metadata shows an SAML2.0 endpoint type...
The application has to destroy the user's cookies. Only the application can do it. And because the application can be used either in SP-Initiated flow and IDP-initiated flow, you need to make sure that the Relying Party Trust in ADFS has the URL of the endpoint to hit on the application side to destroy the cookies.