This document describes how to configure Single Logout for AD FS. For general information, refer to Single Logout.
Read before enabling SLO if initial ADFS setup was done before Kantega SSO 3.5.0
If you configured ADFS using the provided PowerShell script or manual setup instructions before Kantega SSO 3.5.0, enabling single logout may break login. We recommend applying the instructions below before enabling SLO. You'll know you have encountered the issue if you start seeing the following error when trying to log in:
The reason is Kantega SSO requires a name identifier claim in the SAML Response from ADFS (or any other IDP) when SLO is enabled. That is, this is received when the user logs in and is needed to be able to initiate SLO later. Most IDPs send this by default but ADFS only does so if explicitly configured to do so, and older versions of our PowerShell script did not include it. From Kantega SSO 3.5.0 onwards, it's included by default and you can disregard this section.
To remedy this, you can either:
- Rerun the setup wizard and create a new configuration using the provided script which as of Kantega SSO 3.5.0 and newer configures the name identifier claim by default.
- Or: Just add the claim manually to the relying party you already have. Usually easier in an existing environment.
To add the claim manually (or check if the claim is already there or not if you're unsure of which version was used for initial setup), open the ADFS Management application on your Windows server and navigate to Relying Party Trusts. Locate and right click the relying party in question and "Edit Claim Issuance Policy":
In the next dialog, add "Name ID" as an outgoing claim as shown in the below screenshot.
ADFS should now send the required name identifier claim, and you can enable SLO without breaking login.
Begin configuration by navigating to your ADFS IDP and select Single Logout from the navigation menu. As of Kantega SSO 3.5.0 The logout URL should be populated and you can enable Single Logout and click "Save":
Read the following if the SAML provider logout URL for ADFS isn't already configured:
If the ADFS logout URL isn't specified already, it's most likely becaues your configuration predates Kantega SSO 3.5.0 where this URL wasn't being imported yet. It needs to be configured before Single Logout will work. You can either fill it manually, or do a metadata refresh against ADFS to obtain it. To refresh from metadata, use the indicated link in the nav menu. The ADFS metadata URL should already be on file and all you should have to do is click save. You may optionally upload a file.
Now go back to the Single Logout menu and if the logout URL is now populated, enable SLO and save.
We next need to configure ADFS. This will also be done by doing a metadata refresh. Open the ADFS Management application and navigate to Relying Party Trusts. Find the relying party for your application and right click it for this menu:
Click the Update button in the dialog that pops up.
To verify the import was successful, you may optionally right click the relying party again and this time select Properties. Navigate to the Endpoints tab and you should see that SAML Logout Endpoints have been detected:
Single Logout should now be enabled and working for new AD FS logins.
- Clicking logout from the Atlassian app should now also terminate the user's ADFS session.
- Users can also initiate logout from ADFS (IDP initiated logout), which will now also notify/terminate the Atlassian session (if initiated in the same browser - see section on caveats for more information).