SLO. Error MSIS7074 on ADFS

Published 2019-07-21 15:02

Question:

I work with ADFS 2.0 via SAML, using spring-security-saml2-core (1.0.0.RC2) and the HTTP-POST binding, but I have a problem with SingleLogout.

The application receives a LogoutRequest:

<samlp:LogoutRequest
     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
     Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" 
     Destination="https://myhost:8443/my/saml/SingleLogout/alias/defaultAlias" 
     ID="_438dcef8-cd64-4e04-8e11-e87705f26b6c" 
     IssueInstant="2014-08-01T10:53:14.641Z" 
     NotOnOrAfter="2014-08-01T10:58:14.641Z" 
     Version="2.0">
     <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://adfs-server.local/adfs/services/trust</Issuer>
     <NameID xmlns="urn:oasis:names:tc:SAML:2.0:assertion">nata</NameID>
     <samlp:SessionIndex>_34e48828-a6b5-47c2-96fd-595f9d0a88b7</samlp:SessionIndex>
</samlp:LogoutRequest>

and sends a LogoutResponse:

<saml2p:LogoutResponse 
     xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" 
     Destination="https://adfs-server.local/adfs/ls/" 
     ID="a2ddb014h7d7558f3cd5hfge981bicf" 
     InResponseTo="_438dcef8-cd64-4e04-8e11-e87705f26b6c" 
     IssueInstant="2014-08-01T10:53:43.808Z" 
     Version="2.0">
     <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://myhost:8443/my/saml/metadata/alias/defaultAlias</saml2:Issuer>
     <saml2p:Status>
             <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
     </saml2p:Status>
</saml2p:LogoutResponse>

But ADFS throws an error on the SAML logout endpoint:

MSIS7074: SAML authentication request for the WebSSO profile must specify an issuer with no NameQualifier, SPNameQualifier or SPProvidedId properties.

My configuration for SingleLogout:

<bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy">
    <security:filter-chain-map request-matcher="ant">
        <security:filter-chain pattern="/saml/login/**" filters="samlEntryPoint"/>
        <security:filter-chain pattern="/saml/logout/**" filters="samlLogoutFilter"/>
        <security:filter-chain pattern="/saml/metadata/**" filters="metadataDisplayFilter"/>
        <security:filter-chain pattern="/saml/SSO/**" filters="samlWebSSOProcessingFilter"/>
        <security:filter-chain pattern="/saml/SingleLogout/**" filters="samlLogoutProcessingFilter"/>
    </security:filter-chain-map>
</bean>
<!-- Filter processing incoming logout messages -->
<!-- First argument determines URL user will be redirected to after successful global logout -->
<bean id="samlLogoutProcessingFilter" class="org.springframework.security.saml.SAMLLogoutProcessingFilter">
    <constructor-arg type="org.springframework.security.web.authentication.logout.LogoutSuccessHandler" ref="successLogoutHandler"/>
    <constructor-arg>
        <array value-type="org.springframework.security.web.authentication.logout.LogoutHandler">
            <ref bean="logoutHandler"/>
        </array>
    </constructor-arg>
</bean>
<bean id="successLogoutHandler" class="org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler">
    <property name="defaultTargetUrl" value="/"/>
</bean>
<!-- Logout handler terminating local session -->
<bean id="logoutHandler" class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
    <property name="invalidateHttpSession" value="false"/>
</bean>

Answer 1:

:-) Ouch, this was confusing... And cross-posting??

First of all: my ADFS 2.x servers, on S2008(R2) and S2012, do not have that message. So I believe it cannot be ADFS 2.0. I assume that you are working on the ADFS server on Windows Server 2012R2 (which is never identified as 2.0). :-(

The message (about AuthnRequest vs. LogoutResponse) does seem totally out of place. It looks like you ran into a minor (super confusing) bug of ADFS on S2012R2, because ADFS 2.0 would have said something else in that case. It would have said [in the ValidateSignatureRequirements(SamlMessage) method]: "MSIS1014: SAML LogoutRequest and LogoutResponse messages must be signed when using SAML HTTP Redirect or HTTP POST binding."

So you have a bug to file at Microsoft (a reference to this description could help you). Meanwhile you should ask the SP to sign the LogoutResponse. I am somewhat surprised that ADFS did not sign the LogoutRequest. It normally does sign the LogoutRequest.

Answer 2:

paullem is right. Our Windows Server is 2012 R2, ADFS 3.0.

SAML LogoutRequest messages must be signed. The error was fixed. We set the parameter requireLogoutResponseSigned to "true" in ExtendedMetadata.

<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
    <property name="local" value="false" />
    <property name="idpDiscoveryEnabled" value="false" />
    <property name="requireLogoutResponseSigned" value="true"/> 
</bean>
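A local pre-flight check for the situation in the question, written here as an added example (it is not code from the post or from spring-security-saml): it parses the LogoutResponse, checks it against the LogoutRequest it answers, and flags the missing enveloped signature that ADFS 3.0 rejects with the misleading MSIS7074 text. The sample messages are reconstructed from the question; the ds:Signature content in the signed variant is a constructed placeholder, and only the presence of the signature is checked, not its cryptographic validity.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DS = "http://www.w3.org/2000/09/xmldsig#"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Values taken from the messages quoted in the question.
REQUEST_ID = "_438dcef8-cd64-4e04-8e11-e87705f26b6c"
IDP_SLO = "https://adfs-server.local/adfs/ls/"

# The unsigned LogoutResponse from the question, reconstructed as sample input.
UNSIGNED_RESPONSE = f"""<saml2p:LogoutResponse xmlns:saml2p="{SAMLP}"
    Destination="{IDP_SLO}" ID="a2ddb014h7d7558f3cd5hfge981bicf"
    InResponseTo="{REQUEST_ID}" IssueInstant="2014-08-01T10:53:43.808Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://myhost:8443/my/saml/metadata/alias/defaultAlias</saml2:Issuer>
  <saml2p:Status><saml2p:StatusCode Value="{SUCCESS}"/></saml2p:Status>
</saml2p:LogoutResponse>"""

# Same message with an enveloped ds:Signature element (constructed placeholder content).
SIGNED_RESPONSE = UNSIGNED_RESPONSE.replace(
    "<saml2p:Status>",
    f'<ds:Signature xmlns:ds="{DS}"><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature><saml2p:Status>',
    1)


def check_logout_response(response_xml, request_id, idp_slo_url):
    """Return a list of problems; an empty list means the response matches the
    LogoutRequest it answers and carries the enveloped signature ADFS expects.
    Only the presence of ds:Signature is checked; the IdP verifies the signature."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}LogoutResponse":
        return [f"unexpected root element {root.tag}"]
    problems = []
    if root.get("InResponseTo") != request_id:
        problems.append("InResponseTo does not match the LogoutRequest ID")
    if root.get("Destination") != idp_slo_url:
        problems.append("Destination is not the IdP SingleLogout endpoint")
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != SUCCESS:
        problems.append("StatusCode is missing or not Success")
    # ADFS requires LogoutResponse to be signed over the HTTP-POST binding.
    if root.find(f"{{{DS}}}Signature") is None:
        problems.append("LogoutResponse is not signed (ADFS requires it for HTTP-POST binding)")
    return problems


if __name__ == "__main__":
    print(check_logout_response(UNSIGNED_RESPONSE, REQUEST_ID, IDP_SLO))
    print(check_logout_response(SIGNED_RESPONSE, REQUEST_ID, IDP_SLO))
```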