I use Spring-Security-Saml sample app as a SP and ADFS 2.0 as an IdP. I followed the instructions described here: http://docs.spring.io/autorepo/docs/spring-security-saml/1.0.x-SNAPSHOT/reference/htmlsingle/ . After setting it up I can log in to the system, but on global logout ADFS throws NullReferenceException (Event Id 303):
System.NullReferenceException: Object reference not set to an instance of an object.
at Microsoft.IdentityServer.Service.SamlProtocol.SingleLogoutService.LogoutNextSessionParticipant()
at Microsoft.IdentityServer.Service.SamlProtocol.SingleLogoutService.ProcessLogoutRequest(LogoutRequest logoutRequest, Boolean& validLogoutRequest)
at Microsoft.IdentityServer.Service.SamlProtocol.SingleLogoutService.ProcessMessage(SamlMessage samlMessage, BindingInformation bindingInformation, Boolean validResponseMessage, Boolean& validLogoutRequest)
I ran into this same problem, except in my case, I was using ADFS 3.0. Telling Spring Security SAML to sign the logout response fixed it for me. This is configured by setting requireLogoutResponseSigned on the ExtendedMetadata bean to true.
The null reference error message isn't very helpful. When I enabled tracing in the C:\Windows\ADFS\Microsoft.DeviceRegistration.ServiceHost.exe.config file, I got the following error message in the tracing log in Event Viewer.
Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSignatureVerificationException: MSIS7074: SAML authentication request for the WebSSO profile must specify an issuer with no NameQualifier, SPNameQualifier or SPProvidedId properties.
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.ValidateSignatureRequirements(SamlMessage samlMessage)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Logout(HttpSamlMessage logoutMessage, String sessionState, String logoutState, Boolean partialLogout, Boolean isUrlTranslationNeeded, HttpSamlMessage& newLogoutMessage, String& newSessionState, String& newLogoutState)
Searching for that gives some more helpful results.
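As an added illustration (not code from the answer above or from the Spring Security SAML project), here is the setting the answer describes, placed where the sample's securityContext.xml defines the local SP's ExtendedMetadata; the surrounding MetadataGeneratorFilter wiring is assumed to match the sample app, and the extra requireLogoutRequestSigned property is an assumed hardening addition, not something the answer states.

```xml
<!-- Added example, not from the original post. Assumes the sample app's
     MetadataGeneratorFilter-based local metadata configuration. -->
<bean id="metadataGeneratorFilter"
      class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
    <constructor-arg>
        <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
            <property name="extendedMetadata">
                <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                    <!-- The fix from the answer: sign the LogoutResponse the SP
                         sends back to ADFS. The ADFS trace quoted above reported
                         MSIS7074 (a signature verification failure) before this
                         was enabled. -->
                    <property name="requireLogoutResponseSigned" value="true"/>
                    <!-- Assumed additional hardening: require the LogoutRequest
                         that ADFS sends to the SP to be signed, so an unsigned
                         request cannot end a user's session. -->
                    <property name="requireLogoutRequestSigned" value="true"/>
                </bean>
            </property>
        </bean>
    </constructor-arg>
</bean>
```

After changing this, re-download the SP metadata from the sample app and re-import it into the ADFS relying party trust, since the published metadata advertises whether logout messages will be signed.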