
Error when logging out of the EDR appliance console using AD FS (Active Directory Federation Services) as your IdP


Article ID: 200520


Updated On:


Endpoint Detection and Response


When users log out of the EDR appliance console, if the IdP session has already been closed and the IdP fails the logout request, the EDR appliance console logon page displays the following error message:

Unable to successfully log out of SSO.  Contact your administrator to ensure that a correct and valid Symantec EDR sso.crt is uploaded to the IDP.  Also ensure that the IDP contains Symantec EDR's correct SP Issuer value.


This message might also appear in the following scenario: 

Assume an administrator sets up two Symantec EDR appliances for single sign-on:  Appliance A and Appliance B. 

A user clicks the SSO link on Appliance A and the browser goes to the AD FS login page. The user enters their credentials and logs into Appliance A. Then the user clicks the SSO link on Appliance B.

Because the SSO session has already been opened by Appliance A, the user is logged into Appliance B automatically. If the user logs out of Appliance A or Appliance B, AD FS will close the IdP session and redirect the page to the other EDR appliance. When the user then tries to log out of the remaining EDR appliance, the above error message appears because the IdP session has already been closed and AD FS returns a logout failure response.


Multiple Symantec EDR on-premises appliances with SSO enabled.


Since the IdP session has been closed already, you can refresh the login page and the error message no longer appears.