You are viewing the Kantega SSO legacy documentation. The new documentation site is:



Read before enabling SLO if initial ADFS setup was done before Kantega SSO 3.5.0

If you configured ADFS using the provided PowerShell script or manual setup instructions before Kantega SSO 3.5.0, enabling single logout may break login. We recommend applying the instructions below before enabling SLO. You'll know you have encountered the issue if you start seeing RESPONSE_MISSING_NAME_IDENTIFIER when trying to log in:

Read more

Kantega SSO requires a name identifier claim in the SAML Response from ADFS (or any other IDP) when SLO is enabled. This uniquely identifies the user's IDP session, and we need it to be able to initiate SLO later. Most IDPs send it by default but ADFS only does so when explicitly configured. Unfortunately, older versions of our PowerShell script for ADFS did not include it. From Kantega SSO 3.5.0 onwards, it's included by default and you should be able to disregard the rest of this section.

To remedy this, you can either:

  • Rerun the setup wizard and create a new configuration using the provided script, which as of Kantega SSO 3.5.0 configures the name identifier claim by default.
  • Or: Just add the claim manually to the relying party you already have. This is usually easier in an existing environment.

To add the claim manually (or to check whether the claim is already there, if you're unsure which version was used for the initial setup), open the AD FS Management application on your Windows server and navigate to Relying Party Trusts. Locate and right-click the relying party in question and select "Edit Claim Issuance Policy":

In the next dialog, add "Name ID" as an outgoing claim as shown in the screenshot below.

ADFS should now send the required name identifier claim, and you can enable SLO without breaking login.
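
To confirm the change before enabling SLO, you can capture the base64 `SAMLResponse` form value that ADFS posts back during a login (for example in the browser's developer tools) and check it for a name identifier. The script below is an added example, not part of Kantega SSO or its documentation; the function names and the sample responses are constructed for illustration, and the check is diagnostic only (it does not verify signatures).

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def check_name_id(saml_response_b64):
    """Inspect a base64 SAMLResponse form value for Assertion/Subject/NameID."""
    xml = base64.b64decode(saml_response_b64)
    # SAML messages never need a DTD; refuse one instead of letting the parser expand entities.
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD found in SAML message")
    root = ET.fromstring(xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a SAML 2.0 Response")
    if root.find("saml:EncryptedAssertion", NS) is not None:
        # The Subject is inside the ciphertext and cannot be checked without the SP key.
        return {"status": "encrypted", "name_id": None, "format": None}
    node = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    value = (node.text or "").strip() if node is not None else ""
    if not value:
        return {"status": "missing", "name_id": None, "format": None}
    return {"status": "present", "name_id": value, "format": node.get("Format")}

def constructed_response(subject_inner):
    """Build a constructed, unsigned sample Response (not captured from a real IdP)."""
    xml = ('<samlp:Response xmlns:samlp="{samlp}" xmlns:saml="{saml}" '
           'ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
           '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
           '<saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>'
           '<saml:Subject>{subject}</saml:Subject></saml:Assertion></samlp:Response>'
           ).format(subject=subject_inner, **NS)
    return base64.b64encode(xml.encode()).decode()

# Constructed samples: the same response without and with the Name ID claim.
CONFIRMATION = '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>'
WITHOUT_NAME_ID = constructed_response(CONFIRMATION)
WITH_NAME_ID = constructed_response(
    '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">'
    'alice@example.test</saml:NameID>' + CONFIRMATION)

if __name__ == "__main__":
    print("before the fix:", check_name_id(WITHOUT_NAME_ID))
    print("after the fix: ", check_name_id(WITH_NAME_ID))
```

A result of `missing` corresponds to the situation described above, where the response lacks the name identifier; `encrypted` means the assertion has to be inspected after decryption instead.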