Debugging an apparently successful logout

[adrianovaroli]

Hello,
I am still debugging our SP-initiated logout process against ADFS, using Net::SAML2 v0.55. What I have now is the following:
I send a logout request like this

my $logout_request = Net::SAML2::Protocol::LogoutRequest->new(
                issuer        => $SP_FEDERATIONMETADATA_URL,
                destination   => $idp->slo_url('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'),
                nameid         => [user email]
                session        => $sso_session_data->{"SSO_TOKEN"},
                id             => $sso_session_data->{"SSO_TOKEN"},            
);

Resulting in an XML string like

<?xml version="1.0"?>
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                     IssueInstant="2024-07-05T14:15:28Z"
                     Destination="[SP app logout url]"
                     Version="2.0"
                     ID="_4f2ce110-df85-45a6-8e18-079c3b442356">
  <saml:Issuer>[our metadata xml]</saml:Issuer>
  <saml:NameID SPNameQualifier="[our metadata xml]"
               NameQualifier="[SP app logout url]">[user email]</saml:NameID>
  <samlp:SessionIndex>_4f2ce110-df85-45a6-8e18-079c3b442356</samlp:SessionIndex>
</samlp:LogoutRequest>

SessionIndex and the LogoutRequest ID attributes are both the token I got on login and which I use to create a session.
Now, what I see on logout is that, sometimes, the logout does work and takes me back to [SP app logout url] and on a following login it would ask for my credentials again, but on most cases, ADFS replies only with a "You've logged out correctly" page, not take me back to [SP app logout url].

People on the IdP side tell me ADFS has no logs, only error events in the case of actual errors, and they can't see anything there. I find this hard to believe (that even for debugging purposes ADFS would have no logs, even if disabled by default), and a google search tells me there's https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging. Am I wrong in considering that the admin log could show more information than just "large" error events?

I have tried validating our logout requests with https://www.samltool.com/validate_logout_req.php and that tells me they're valid.
Can you see anything in what we're doing that would be incorrect?

I need to write back to the IdP to try and get more help from them, but I want to have a solid foundation to do so, because they've been what could be described as "not forthcoming with helpfulness", to be nice.

[adrianovaroli]

Made an important (?) discovery: the logout flow works as intended when I wait about 10 minutes after login before logging out. I'll have to talk to the ADFS people about that.