"Error encountered during processing SAML single-logout response" with Microsoft ADFS, Azure AD, Entra IdP

Created on 8 May 2025, 28 days ago

Problem/Motivation

I'm creating this issue just to document the setting that allowed us to fix the logout process after a couple hours of debugging and searching...

We're using a Microsoft Entra IdP, and users were seeing this error after going to the SAML logout page and getting redirected back to the site home page:

Error encountered during processing SAML single-logout response; details have been logged.

In the watchdog logs, we saw this:

RuntimeException encountered during processing SAML single-logout response:
Error(s) encountered during processing of SLS response.
Type(s): invalid_logout_response; reason given for last error: 
Signature validation failed.
Logout Response rejected in Drupal\samlauth\SamlService->sls() (line 819 of /var/www/html/web/modules/contrib/samlauth/src/SamlService.php).

The solution is to check the "Retrieve logout signature parameters from $_SERVER['REQUEST']" box on the "SAML communication setup" form:

This will set the $retrieveParametersFromServer value to TRUE in some calls to the SAML PHP Toolkit.

We found that variable in this issue for the SAML PHP Toolkit:

https://github.com/SAML-Toolkits/php-saml/issues/433

Then, we came back to grep this module's code to search for how to set it. In that issue, users mention that this setting fixed the issue with Azure AD, too.

Proposed resolution

Again, this issue is mostly to document things for the next person that tries to Google the error message.

The only "fix" this module might need is to update the description text of that setting field to give some more details. I saw that setting, but didn't realize it was applicable and would solve my problem. Maybe that text could be changed to something like this?

Validation of logout requests/responses can fail on some IdPs (including Microsoft ADFS, Azure AD, Entra, among others) if this option is not set. This happens independently of the "Strict validation" option.

Maybe if I saw that, I would have thought "Hey! Maybe that applies to me?" and tried it earlier?

💬 Support request
Status

Active

Version

3.0

Component

Documentation

Created by

🇺🇸 United States jrb Raleigh-Durham Area, NC, USA
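
Added example (not part of the issue above, and not code from samlauth or the SAML PHP Toolkit): why a logout signature sent over the HTTP-Redirect binding can fail to verify when the SP re-encodes decoded parameters, and verifies when the raw query string is used, which is what the setting described above switches on. It assumes the IdP percent-encodes with lowercase hex digits, as the toolkit's documentation describes for ADFS; the key, payload and helper names are constructed for the demonstration.

```php
<?php
// Added illustration; key and message values are constructed for the demo.
// Assumption: the IdP percent-encodes with lowercase hex digits.
function idp_urlencode(string $value): string {
    return preg_replace_callback('/%[0-9A-F]{2}/',
        fn(array $m): string => strtolower($m[0]), urlencode($value));
}

// Return a parameter's value exactly as it appears in the raw query string.
function raw_param(string $rawQuery, string $name): string {
    foreach (explode('&', $rawQuery) as $pair) {
        [$key, $value] = array_pad(explode('=', $pair, 2), 2, '');
        if ($key === $name) {
            return $value;
        }
    }
    return '';
}

// Throwaway RSA key standing in for the IdP signing key.
$idpKey = openssl_pkey_new(['private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA]);
if ($idpKey === false) {
    exit("openssl_pkey_new() failed; check the local OpenSSL configuration\n");
}
$idpPublicKey = openssl_pkey_get_details($idpKey)['key'];

// IdP side: sign the exact octets of the query string (RelayState omitted).
$samlResponse = 'fZJBb+IwEIX/SuR7Y+/kA==';  // constructed placeholder payload
$sigAlg = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256';
$signedPart = 'SAMLResponse=' . idp_urlencode($samlResponse)
    . '&SigAlg=' . idp_urlencode($sigAlg);
openssl_sign($signedPart, $signature, $idpKey, OPENSSL_ALGO_SHA256);
$rawQuery = $signedPart . '&Signature=' . idp_urlencode(base64_encode($signature));

// SP side: PHP hands the application decoded values (as in $_GET).
parse_str($rawQuery, $decoded);
$sig = base64_decode($decoded['Signature']);

// Variant 1: rebuild the signed string by re-encoding the decoded values.
$rebuilt = 'SAMLResponse=' . urlencode($decoded['SAMLResponse'])
    . '&SigAlg=' . urlencode($decoded['SigAlg']);
// Variant 2: reuse the substrings of the raw query string untouched.
$original = 'SAMLResponse=' . raw_param($rawQuery, 'SAMLResponse')
    . '&SigAlg=' . raw_param($rawQuery, 'SigAlg');

foreach (['re-encoded' => $rebuilt, 'raw query string' => $original] as $label => $data) {
    $ok = openssl_verify($data, $sig, $idpPublicKey, OPENSSL_ALGO_SHA256) === 1;
    printf("%-17s %s\n", $label, $ok ? 'signature valid' : 'signature validation failed');
}
```

Both variants carry the same decoded values; only the percent-encoding of the signed bytes differs, which is why the failure shows up regardless of how strictly the message content is validated.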
