In a couple of my posts I noted that the Single Logout would need to be signed, and seemed to work fine despite a message that's confusing to end users:
Clicking 'OK' you'd end up being redirected to the IdP.
While everything appears to function well, we all understand how this can generate additional questions/tickets/work due to end users being helpful and reporting errors.
I have noticed this on SAML IdP platforms that perform an HTTP POST by default for Single Logout get this. Some of these platforms include (but not limited to):
Active Directory Federated Services (AD FS)
Okta
Ok great, so now that we know what causes this, what can I do about it?
Active Directory Federated Services (AD FS):
For AD FS the fix is relatively simple, you just need to change your SAML Logout endpoint binding from POST to Redirect:
IN AD FS manager right click on the relying party trust
Click on the Endpoints tab
Change the Logout endpoint binding to Redirect
This should take care of the error for AD FS.
Okta:
Unfortunately Okta ONLY sends HTTPS POST on Single Logout, there is no option for HTTPS redirect. I believe Fortinet is working on allowing SAML SLS Post requests in a future version of FortiOS.
Azure AD, FortiAuthenticator don't seem to have this issue as they support the HTTPS GET (redirect) on logout. Feel free to reach out with other SAML IdP platforms and your experiences.
Thank you for reading, I hope this helps.
Madman out!