Error when logging out of the EDR appliance console using AD FS (Active Directory Federated Services) as your IdP

Article ID: 200520

Products

Endpoint Detection and Response

Issue/Introduction

When a user logs out of the EDR appliance console while the IdP session has already been closed, AD FS rejects the single logout request and the EDR appliance console logon page shows the following error message:

Unable to successfully log out of SSO.  Contact your administrator to ensure that a correct and valid Symantec EDR sso.crt is uploaded to the IDP.  Also ensure that the IDP contains Symantec EDR's correct SP Issuer value.
 

Cause

This message can appear even when the SSO certificate and SP Issuer are configured correctly, in the following scenario:

Assume an administrator sets up two Symantec EDR appliances for single sign-on: Appliance A and Appliance B.

A user clicks the SSO link on Appliance A and the browser is redirected to the AD FS login page. The user enters their credentials and is logged into Appliance A. The user then clicks the SSO link on Appliance B.

Because the IdP session was already established by the login to Appliance A, the user is logged into Appliance B automatically without re-entering credentials. Both appliances now share one AD FS session. If the user logs out of either Appliance A or Appliance B, AD FS closes the IdP session and redirects the browser to the other EDR appliance. When the user later tries to log out of that remaining EDR appliance, the appliance sends a second logout request for a session that no longer exists. AD FS returns a logout failure response, and the appliance displays the error message above.
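The two-appliance sequence above, modeled as an added example. This is not Symantec EDR or AD FS code: it is a toy model of one IdP session shared by two service providers, with hand-constructed, unsigned SAML 2.0 LogoutResponse messages. The hostnames, request IDs and the choice of `urn:oasis:names:tc:SAML:2.0:status:Responder` as the failure status are assumptions; the page only states that AD FS returns a logout failure response.

```python
"""Toy model of SAML single logout (SLO) across two SPs sharing one IdP session.

Added example, not Symantec EDR or AD FS code. The LogoutResponse XML is a
constructed sample (real responses are signed); the failure StatusCode used
when the IdP session is already gone is an assumption.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"  # assumed failure code


def make_logout_response(status_code, issuer, in_response_to, destination):
    """Build a minimal, unsigned LogoutResponse (constructed sample)."""
    return (
        f'<samlp:LogoutResponse xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="_resp_{in_response_to}" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
        f'InResponseTo="{in_response_to}" Destination="{destination}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f'<samlp:Status><samlp:StatusCode Value="{status_code}"/></samlp:Status>'
        "</samlp:LogoutResponse>"
    )


def logout_status(xml_text):
    """Return the top-level StatusCode Value of a LogoutResponse."""
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    return code.get("Value") if code is not None else None


def logout_succeeded(xml_text):
    """The SP should only treat SLO as successful on an explicit Success status."""
    return logout_status(xml_text) == STATUS_SUCCESS


class ToyIdp:
    """One IdP session that any number of SPs can consume (hypothetical model)."""

    IDP_ISSUER = "http://adfs.example.com/adfs/services/trust"  # assumed

    def __init__(self):
        self.session_active = False
        self.participants = []  # SP entity IDs that logged in on this session

    def login(self, sp_entity_id):
        # First SP triggers credential entry; later SPs ride the existing session.
        self.session_active = True
        self.participants.append(sp_entity_id)

    def logout(self, sp_entity_id, request_id, sp_slo_url):
        """Handle a LogoutRequest: succeed once, then fail for a closed session."""
        if not self.session_active:
            # Session already closed by the other appliance's logout.
            return make_logout_response(STATUS_RESPONDER, self.IDP_ISSUER,
                                        request_id, sp_slo_url)
        self.session_active = False
        self.participants.clear()
        return make_logout_response(STATUS_SUCCESS, self.IDP_ISSUER,
                                    request_id, sp_slo_url)


def two_appliance_flow():
    """Replay the scenario: login A, auto-login B, logout A, then logout B."""
    idp = ToyIdp()
    sp_a = ("https://edr-a.example.com/saml", "https://edr-a.example.com/saml/slo")
    sp_b = ("https://edr-b.example.com/saml", "https://edr-b.example.com/saml/slo")

    idp.login(sp_a[0])  # user types credentials at AD FS
    idp.login(sp_b[0])  # SSO link on B reuses the IdP session

    resp_a = idp.logout(sp_a[0], "_req_a1", sp_a[1])  # closes the IdP session
    resp_b = idp.logout(sp_b[0], "_req_b1", sp_b[1])  # session already gone
    return resp_a, resp_b


if __name__ == "__main__":
    a, b = two_appliance_flow()
    print("Appliance A logout:", logout_status(a))
    print("Appliance B logout:", logout_status(b))
```

The second appliance's LogoutRequest is the one that produces the non-Success status; an SP that surfaces every non-Success LogoutResponse as a configuration problem will show the certificate / SP Issuer message here even though neither is wrong.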

Environment

Multiple Symantec EDR on-premises appliances with SSO enabled.

Resolution

In this scenario the error is benign: the IdP session was already closed by the first logout, so there is nothing left to sign out of. Refresh the login page and the error message no longer appears.

Only if the message appears on a logout while the AD FS session is still active (for example, on the first logout with a single appliance) does it point to a real configuration problem; in that case verify, as the message states, that the current Symantec EDR sso.crt is uploaded to AD FS and that the relying party trust uses the correct SP Issuer value.