We have a Google Apps account that we use for most of our work. We also use AD FS 3.0 as an SSO provider to authenticate users. Everything works great with the sign in process. However when signing out, it all falls to pieces.
I followed a guide a long time ago to get it setup and the verified the settings with this guide and checked a few others and the settings should be correct.
When signing out from a Google page, we get redirected to our AD FS sign out url (https://<domainname>/adfs/ls/?wa=wsignout1.0)
, then get a message that says "You have been successfully signed out". However, going back to our custom sign in URL for Google (mail.domainname)
we are signed straight back into Google as if we didn't hit the sign out button.
I've done some digging around and apparently this is a larger issue. This post on Google Product Forum has the exact issue I am having and someone suggested to contact Google Support. After on the phone for about an hour with Google support, they decided that the issue was from our AD FS server running some kind of script that keeps us logged in and I should contact our web developer...
The problem is somewhere within AD FS but I cannot seem to figure it out and hoping someone has come across the same issue and would be able to provide some guidance.
The problem here is you've not been provided appropriate guidance from Google as to how to configure a SAML capable IDP such as AD FS to federate with Google apps.
You should not be using adfs/ls/?wa=wsignout1.0 as this is how you use ws-federation protocol to kickoff a signout. You are mixing wsfed and SAML use. See http://docs.oasis-open.org/wsfed/federation/v1.2/ws-federation.html for more details on wsfed signout syntax. /adfs/ls is the passive endpoint of AD FS that processes both wsfed and SAML.
I expected Google to provide some advice similar to https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-google-apps-tutorial (but corresponding to AD FS) on how to configure the AD FS side. https://support.google.com/a/answer/60224?hl=en seems relevant but I don't see them clearly state the signin/signout URLs and the relevant bindings supported (post vs redirect) or google federation metadata to glean that info from. From what I can tell, there is no SAML single logout support available. If it is, the docs are not easily discoverable.
You need Google to send a SAML logout request to /adfs/ls and likewise you need to configure AD FS with a URL on where at Google apps to send a SAML logout response. and that logout response is not to be sent to /adfs/ls/?wa=wsignout1.0. Google should be able to answer this.
I am no expert in Google apps so I cannot comment anymore. Assuming you get paid support from Google, you should try to escalate within Google support to get a better answer.