"Error encountered during processing SAML single-logout response" with Microsoft ADFS, Azure AD, Entra IdP

Created on 8 May 2025, 4 months ago

Problem/Motivation

I'm creating this issue just to document the setting that allowed us to fix the logout process after a couple hours of debugging and searching...

We're using a Microsoft Entra IdP, and users were seeing this error after going to the SAML logout page and getting redirected back to the site home page:

Error encountered during processing SAML single-logout response; details have been logged.

In the watchdog logs, we saw this:

RuntimeException encountered during processing SAML single-logout response:
Error(s) encountered during processing of SLS response.
Type(s): invalid_logout_response; reason given for last error: 
Signature validation failed.
Logout Response rejected in Drupal\samlauth\SamlService->sls() (line 819 of /var/www/html/web/modules/contrib/samlauth/src/SamlService.php).

The solution is to check the "Retrieve logout signature parameters from $_SERVER['REQUEST']" box on the "SAML communication setup" form:

This will set the $retrieveParametersFromServer value to TRUE in some calls to the SAML PHP Toolkit.

We found that variable in this issue for the SAML PHP Toolkit:

https://github.com/SAML-Toolkits/php-saml/issues/433

Then, we came back to grep this module's code to search for how to set it. In that issue, users mention that this setting fixed the issue with Azure AD, too.

Proposed resolution

Again, this issue is mostly to document things for the next person that tries to Google the error message.

The only "fix" this module might need is to update the description text of that setting field to give some more details. I saw that setting, but didn't realize it was applicable and would solve my problem. Maybe that text could be changed to something like this?

Validation of logout requests/responses can fail on some IdPs (including Microsoft ADFS, Azure AD, Entra, among others) if this option is not set. This happens independently of the "Strict validation" option.

Maybe if I saw that, I would have thought "Hey! Maybe that applies to me?" and tried it earlier?
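Why that checkbox matters, as an added illustration that is not part of this issue, the samlauth module or the php-saml library: under the HTTP-Redirect binding the IdP signs the still-URL-encoded query parameters, so an SP that decodes them into $_GET and re-encodes them with urlencode() can verify the signature over different bytes than the IdP signed, while reading the raw query string preserves them. The helper names, the sample query string and the assumption that the IdP percent-encodes with lowercase hex are all constructed here.

```php
<?php
// Added illustration, not samlauth or php-saml code. Under the HTTP-Redirect
// binding the IdP signs "SAMLResponse=..&RelayState=..&SigAlg=.." using the
// URL-encoded values exactly as it emitted them; the SP must verify those bytes.

// Constructed sample (assumption): an IdP that percent-encodes with lowercase
// hex digits. The SAMLResponse payload is a stand-in, not a real message.
$rawQueryString = 'SAMLResponse=PHNhbWxwOkxvZ291dFJlc3BvbnNlPg%3d%3d'
    . '&RelayState=https%3a%2f%2fexample.test%2f%7euser'
    . '&SigAlg=http%3a%2f%2fwww.w3.org%2f2001%2f04%2fxmldsig-more%23rsa-sha256'
    . '&Signature=c2lnbmF0dXJl';

// Option unchecked: rebuild the signed data from the decoded $_GET values.
// PHP's urlencode() uses uppercase hex, so the bytes can differ from the IdP's.
function signedDataFromGet(array $get): string {
    $data = 'SAMLResponse=' . urlencode($get['SAMLResponse']);
    if (isset($get['RelayState'])) {
        $data .= '&RelayState=' . urlencode($get['RelayState']);
    }
    return $data . '&SigAlg=' . urlencode($get['SigAlg']);
}

// Option checked: take each value, still encoded, straight from the raw query
// string ($_SERVER['QUERY_STRING'] in a real request), preserving the IdP's bytes.
function extractOriginalQueryParam(string $queryString, string $name): ?string {
    foreach (explode('&', $queryString) as $pair) {
        [$key, $value] = array_pad(explode('=', $pair, 2), 2, '');
        if ($key === $name) {
            return $value;
        }
    }
    return null;
}

function signedDataFromServer(string $queryString): string {
    $data = 'SAMLResponse=' . extractOriginalQueryParam($queryString, 'SAMLResponse');
    if (($relay = extractOriginalQueryParam($queryString, 'RelayState')) !== null) {
        $data .= '&RelayState=' . $relay;
    }
    return $data . '&SigAlg=' . extractOriginalQueryParam($queryString, 'SigAlg');
}

// The bytes the IdP signed: everything before the Signature parameter.
$signedByIdp = substr($rawQueryString, 0, strpos($rawQueryString, '&Signature='));
$get = [];
parse_str($rawQueryString, $get); // what PHP would have put into $_GET

// Any RSA-SHA256 check over differing bytes fails, whatever key is used.
echo 'Rebuilt from $_GET matches signed bytes:  ', var_export(signedDataFromGet($get) === $signedByIdp, true), PHP_EOL;
echo 'Read from raw query matches signed bytes: ', var_export(signedDataFromServer($rawQueryString) === $signedByIdp, true), PHP_EOL;
```

Run it with `php example.php`; the two lines show which reconstruction reproduces the bytes the IdP signed.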

💬 Support request
Status

Active

Version

3.0

Component

Documentation

Created by

🇺🇸 United States jrb Raleigh-Durham Area, NC, USA


Merge Requests

Comments & Activities

  • Issue created by @jrb
  • 🇺🇸 United States jrb Raleigh-Durham Area, NC, USA

    I created an MR with that text change.

  • Pipeline finished with Success
    4 months ago
    Total: 220s
    #492750
  • Pipeline finished with Skipped
    4 months ago
    #498162
  • First commit to issue fork.
  • 🇳🇱 Netherlands roderik Amsterdam, NL / Budapest, HU

    Thank you! This kind of 'maintenance from users' is exactly what this module needs.

    (Per the giant comment above the code line that you changed: I think that actually, the option should not exist / should be "on with automatic fallback" in the PHP-SAML library, so that Microsoft IdPs work by default. But it seems I won't get to discussing that and also actually convincing the maintainers that this is true...)

  • Automatically closed - issue fixed for 2 weeks with no activity.

  • Status changed to Fixed 10 days ago
  • 🇺🇸 United States karenann

    Outstanding!

    The screen message I was getting was:

    Error(s) encountered during processing of SLS response. Type(s): invalid_logout_response; reason given for last error: Signature validation failed. Logout Response rejected

    But in Watchdog, the error I was getting was with /saml/acs and read:

    While processing SAML authentication response, code leaked cacheability metadata. This indicates a bug somewhere (but it is hard to pinpoint where): if the same code is called in other scenarios too, it may cause fatal crashes, or bloat the render cache unnecessarily. Please investigate. Metadata: i:6;:O:37:"Drupal\Core\Render\BubbleableMetadata":4:{s:16:"*cacheContexts";a:0:{}s:12:"*cacheTags";a:0:{}s:14:"*cacheMaxAge";i:-1;s:14:"*attachments";a:0:{}}

    Checking the box for "Retrieve logout signature parameters from $_SERVER['REQUEST']" solved this.

    Thank you so much!!!
