This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 21%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMD%3C/text%3E%3C/svg%3E)
I have created an enterprise application for our Citrix ADC (aka: Netscaler).
Login is successful, but the logout fails.
Message:
Sorry, but we’re having trouble signing you in.
AADSTS20012: An error occurred when we tried to process a WS-Federation message. The message was invalid.
After I refresh my browser, then it proceeds successful.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 62%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EG%3C/text%3E%3C/svg%3E)
Alright, I resolved the issue by setting the 'Logout Binding' on the Netscaler SAML Authentication Server to 'redirect', rather than 'post'. No changes need to be made to the Enterprise App in AAD, the logout URL in the EA can stay blank.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 99%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
Same scenario here. Changing the Logout Binding on Netscaler, as per GregorNZS-8774, fixed this for me. Netscaler 12.1 55.18.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(179.20000000000002, 61%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
We tested this as we had similar issues. This did not fix it alone. The logoff results were inconsistent. Citrix support provided result of clearing the Single Logout URL and selecting the More -option "Force Authentication". We have the Logout Binding set to Redirect.
@Maarten de Vreeze You need to navigate to Azure AD > Enterprise Applications > Citrix Netscaler > Single Sign-on and set Basic SAML Configuration > Logout URL > https://login.microsoftonline.com/your_tenant_guid/saml2. At the logout, the application should redirect you to this URL with a SAML logout request as query parameter as highlighted below:
-----------------------------------------------------------------------------------------------------------
Please "Accept as answer" wherever the information provided helps you to help others in the community.
I'm also seeing this error. The Netscaler correctly redirects to the logout URL 'https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0' but the browser shows error AADSTS20012. Refreshing the page, logs the session out.
If I add a logout URL to the enterprise app, https://login.microsoftonline.com/**xxx**/saml2, nothing changes.
Is there a fix for this?
I have created a support call for this with Citrix support. Analysis from both Microsoft support and Citrix support, is that the SAML-logout request is malformed. Next step with Citrix support is to upgrade the Netscaler. If error is persistent after upgrade, we will reopen the case.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 26%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
Hi!
Have you been able to resolve this issue?