Picketlink 1.0.4 release
App Server JBoss 5.1
IDP : ADFS 2.0
- User accesses a protected page.
- System throws up a login box
- User enters valid credentials and is able to use the application
- User clicks logoff (?LLO=true or ?GLO=true)
The SP emits the following Logout request (via picketlink):
<ns3:LogoutRequest xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:ns4="http://www.w3.org/2001/04/xmlenc#" ID="ID_f574759d-a66e-4ee9-9677-b5dec28b5f9f" IssueInstant="2011-09-16T12:00:31.276+05:30">
Post which ADFS 2.0 promptly shows an error page with the following in the event log:
Failed to process the Web request because the request is not valid. Cannot get protocol message from HTTP query. The following errors occurred when trying to parse incoming HTTP request:
at Microsoft.IdentityServer.Web.HttpSamlMessageFactory.CreateMessage(HttpContext httpContext)
at Microsoft.IdentityServer.Web.FederationPassiveContext.EnsureCurrent(HttpContext context)
Any idea why this doesn't work? Does the picketlink 1.0.4 release support logoff (with ADFS 2.0)?
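The ADFS event log entry says it could not get a protocol message from the HTTP query. The following Python example, added here as an illustration and not taken from PicketLink or ADFS, shows what an IdP expects to find in that query under the SAML 2.0 HTTP-Redirect binding: the SP side raw-DEFLATEs, base64-encodes and URL-encodes the LogoutRequest into a SAMLRequest parameter, and the IdP side undoes each step and reports which one failed. Only the ID and IssueInstant come from the request quoted above; the Issuer, NameID and Destination values are placeholders chosen for this example, and the code does not diagnose what PicketLink 1.0.4 actually sent.

```python
# Added example: SAML 2.0 HTTP-Redirect binding round trip for a LogoutRequest.
# Not PicketLink or ADFS code; Issuer, NameID and Destination are placeholders.
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed message. ID and IssueInstant are the ones in the question's
# LogoutRequest; everything else is a placeholder.
LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="%s" xmlns:saml="%s" '
    'ID="ID_f574759d-a66e-4ee9-9677-b5dec28b5f9f" Version="2.0" '
    'IssueInstant="2011-09-16T12:00:31.276+05:30" '
    'Destination="https://my.adfs2.server/adfs/ls/">'
    '<saml:Issuer>https://sp.example.com/app</saml:Issuer>'
    '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
    'user@example.com</saml:NameID>'
    '</samlp:LogoutRequest>' % (SAMLP, SAML)
)


def encode_redirect_binding(xml_message, relay_state=None):
    """SP side. The binding requires raw DEFLATE (no zlib header), then
    base64, then URL-encoding, in a query parameter named SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_message.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return urllib.parse.urlencode(params)


def raw_xml_query(xml_message):
    """A non-conforming query: the XML is URL-encoded but neither deflated
    nor base64-encoded. Used to show what the IdP-side decoder rejects."""
    return urllib.parse.urlencode({"SAMLRequest": xml_message})


def decode_redirect_binding(query_string):
    """IdP side. Undo each step and check the root element; raise ValueError
    naming the failing step if the query carries no usable protocol message."""
    params = urllib.parse.parse_qs(query_string)
    if "SAMLRequest" not in params:
        raise ValueError("no SAMLRequest parameter")
    try:
        deflated = base64.b64decode(params["SAMLRequest"][0], validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("not base64: %s" % exc)
    try:
        xml_bytes = zlib.decompress(deflated, -15)
    except zlib.error as exc:
        raise ValueError("not raw DEFLATE: %s" % exc)
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        raise ValueError("not well-formed XML: %s" % exc)
    if root.tag != "{%s}LogoutRequest" % SAMLP:
        raise ValueError("unexpected root element %s" % root.tag)
    return {
        "ID": root.get("ID"),
        "IssueInstant": root.get("IssueInstant"),
        "Issuer": root.findtext("{%s}Issuer" % SAML),
        "NameID": root.findtext("{%s}NameID" % SAML),
        "RelayState": params.get("RelayState", [None])[0],
    }


def redirect_query_is_valid(query_string):
    """True if an IdP following the binding could extract a LogoutRequest."""
    try:
        decode_redirect_binding(query_string)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    good = encode_redirect_binding(LOGOUT_REQUEST, relay_state="/app/")
    print("conforming query valid:", redirect_query_is_valid(good))
    print(decode_redirect_binding(good))
    bad = raw_xml_query(LOGOUT_REQUEST)
    print("raw XML query valid:", redirect_query_is_valid(bad))
```

If the SP uses the HTTP-POST binding instead, the message is base64-encoded without DEFLATE and travels in a form field rather than the query string; a message shaped for one binding but sent over the other fails at the first decoding step, which is the kind of failure an IdP reports as being unable to read a protocol message from the request.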
As of version 2.0.1 this was not resolved. We used a workaround specific to our scenario to achieve this.
We invalidated the user session of the current application and hit an ADFS2-specific URL to single sign-out.
Something along the lines of:
<meta http-equiv="refresh" content="0;url=https://my.adfs2.server/adfs/ls/?wa=wsignout1.0" />
If the latest version doesn't work for you, you could try something similar for OpenSSO (based on your specific scenario, of course).