Alright, I resolved the issue by setting the 'Logout Binding' on the Netscaler SAML Authentication Server to 'redirect', rather than 'post'. No changes need to be made to the Enterprise App in AAD; the logout URL in the EA can stay blank.
I have created an enterprise application for our Citrix ADC (aka: Netscaler).
Login is successful, but the logout fails.
Message:
Sorry, but we’re having trouble signing you in.
AADSTS20012: An error occurred when we tried to process a WS-Federation message. The message was invalid.
After I refresh my browser, it proceeds successfully.
@Maarten de Vreeze You need to navigate to Azure AD > Enterprise Applications > Citrix Netscaler > Single Sign-on and set Basic SAML Configuration > Logout URL > https://login.microsoftonline.com/your_tenant_guid/saml2. At the logout, the application should redirect you to this URL with a SAML logout request as a query parameter as highlighted below:
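The redirect-binding logout flow that the accepted answer switches to and that this reply describes (a LogoutRequest carried as a SAMLRequest query parameter), as an added Python example that is not code from the thread, Citrix or Microsoft. The issuer, NameID, session index and tenant GUID are constructed placeholder values, and the request is left unsigned for brevity, which a real ADC deployment would not do.

```python
import base64
import secrets
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def build_logout_request(issuer: str, name_id: str, session_index: str, destination: str) -> str:
    """Minimal SAML 2.0 LogoutRequest as the SP (ADC) would emit it; unsigned for illustration."""
    req_id = "_" + secrets.token_hex(16)
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{req_id}" Version="2.0" IssueInstant="{issue_instant}" Destination="{destination}">'
        f'<saml:Issuer>{issuer}</saml:Issuer>'
        f'<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">{name_id}</saml:NameID>'
        f'<samlp:SessionIndex>{session_index}</samlp:SessionIndex>'
        '</samlp:LogoutRequest>'
    )


def redirect_binding_url(destination: str, logout_request_xml: str, relay_state: str = "") -> str:
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as the SAMLRequest query parameter."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 selects raw deflate (no zlib header)
    deflated = compressor.compress(logout_request_xml.encode()) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state:
        params["RelayState"] = relay_state
    return f"{destination}?{urlencode(params)}"


def decode_redirect_binding(url: str) -> ET.Element:
    """What the IdP side does on receipt: parse the query, base64-decode, inflate, parse the XML."""
    qs = parse_qs(urlparse(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    return ET.fromstring(zlib.decompress(raw, -15).decode())


def check_logout_request(root: ET.Element, expected_destination: str) -> list[str]:
    """Return the structural problems an IdP would reject a LogoutRequest for (empty list = well formed)."""
    problems = []
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        problems.append("root element is not samlp:LogoutRequest")
    for attr in ("ID", "Version", "IssueInstant"):
        if not root.get(attr):
            problems.append(f"missing required attribute {attr}")
    if root.get("Destination") != expected_destination:
        problems.append("Destination does not match the IdP logout endpoint")
    if root.find(f"{{{SAML}}}Issuer") is None:
        problems.append("missing saml:Issuer")
    if root.find(f"{{{SAML}}}NameID") is None:
        problems.append("missing saml:NameID")
    return problems
```

Capturing the redirect URL from the browser and running it through `decode_redirect_binding` and `check_logout_request` is a quick way to see whether a malformed request, rather than the Azure AD configuration, is what triggers AADSTS20012.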
I'm also seeing this error. The Netscaler correctly redirects to the logout URL 'https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0' but the browser shows error AADSTS20012. Refreshing the page logs the session out.
If I add a logout URL to the enterprise app, https://login.microsoftonline.com/**xxx**/saml2, nothing changes.
Is there a fix for this?
I have created a support call for this with Citrix support. Analysis from both Microsoft support and Citrix support is that the SAML logout request is malformed. The next step with Citrix support is to upgrade the Netscaler. If the error persists after the upgrade, we will reopen the case.