Error during SAML authentication integration of a cloud application with Azure AD as the IdP.

かわはらだ 21 Reputation points
2021-12-09T02:17:52.26+00:00

We are considering using Azure AD as the IdP for SAML authentication integration with cloud applications.

After configuring the enterprise application and the single sign-on settings in the Azure AD portal, we tested login and logout from the application side.

In this environment, login completes normally, but when we try to log out from the application side, error AADSTS750054 occurs and the logout does not complete.

The IdP logout URL specified on the SP side is
https://login.microsoftonline.com/[tenant ID]/saml2

(If we specify https://login.microsoftonline.com/common/oauth2/v2.0/logout instead, we have confirmed that the logout is forced through successfully.)

At logout time, the URL called is
https://login.microsoftonline.com/[tenant ID]/saml2

Please tell us the cause of, and countermeasures for, the behaviour above.

Accepted answer
    Siva-kumar-selvaraj 15,631 Reputation points
    2021-12-09T11:57:33.48+00:00

    Hello @かわはらだ ,

    Thanks for reaching out.

    When a user clicks the sign-out button, I would want you to check whether your application generates the "LogoutRequest" message each time. Without this message, by default Azure AD will return the same error 'AADSTS750054'; this is due to the SAML-P RFC standard.

    So if you use the SAML endpoint https://login.microsoftonline.com/{your_tenant}/saml2/ to log out of Azure AD, your application must include the 'LogoutRequest' message as a query string parameter in the HTTP request, as shown below:

    HTTP GET binding: https://login.microsoftonline.com/{your_tenant}/saml2?SAMLRequest={the LogoutRequest XML, encoded}


    For example, let's say the application just calls the endpoint https://login.microsoftonline.com/{your_tenant}/saml2/ without building a LogoutRequest; then we end up in the same situation.


    So to fix this issue, make sure your application is capable of building a LogoutRequest. If your application cannot build one, try the alternative workaround for logout of calling https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0 or https://login.microsoftonline.com/common/oauth2/v2.0/logout.

    To learn more about:
    Error AADSTS750054 - https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/error-code-aadsts750054-saml-request-not-present
    Single Sign-Out SAML Protocol - https://learn.microsoft.com/en-us/azure/active-directory/develop/single-sign-out-saml-protocol

    I hope this was helpful.

    ------
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

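What a correct sign-out GET to the tenant /saml2 endpoint looks like, as an added example in Python (not code from the thread above and not Microsoft's code). The endpoint in the answer takes the SAML HTTP-Redirect binding, so the LogoutRequest XML is DEFLATE-compressed, base64-encoded and then URL-encoded into the SAMLRequest parameter; the block builds that request, encodes it, and includes the check the answer asks for: telling a URL that carries a LogoutRequest apart from the bare /saml2 call the question's SP was making, which is what comes back as AADSTS750054. TENANT_ID, SP_ENTITY_ID, USER_NAME_ID and the relay state are constructed placeholders. Request signing is left out on purpose; whether your tenant requires a signed LogoutRequest, and the NameID value and format it expects, should be checked against the Single Sign-Out SAML Protocol document linked in the answer.

```python
"""Construct, encode and inspect a SAML 2.0 LogoutRequest for Azure AD's /saml2 endpoint.

Added example for this thread, not code from the answer or from Microsoft.
TENANT_ID, SP_ENTITY_ID and USER_NAME_ID are constructed placeholders.
Request signing is intentionally left out.
"""
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
from xml.etree import ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed placeholders (assumptions, not values from the thread).
TENANT_ID = "11111111-2222-3333-4444-555555555555"
SP_ENTITY_ID = "https://app.example.com/saml/metadata"
USER_NAME_ID = "alice@contoso.example"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def saml2_endpoint(tenant_id):
    """Tenant-specific SAML endpoint used for both sign-in and sign-out."""
    return f"https://login.microsoftonline.com/{tenant_id}/saml2"


def build_logout_request(destination, issuer, name_id, name_id_format,
                         request_id=None, issue_instant=None):
    """Return a minimal <samlp:LogoutRequest> as an XML string.

    ID is an xs:ID, so it must not start with a digit ('_' + uuid).
    NameID must be the NameID Azure AD issued in the sign-in assertion,
    otherwise the IdP cannot tell which session to end.
    """
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    root = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": destination,
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(root, f"{{{SAML}}}NameID", {"Format": name_id_format}).text = name_id
    return ET.tostring(root, encoding="unicode")


def encode_for_redirect(xml_text):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64.

    urlencode() in logout_url() does the final URL-encoding of the base64 text.
    """
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate stream
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_from_redirect(encoded):
    """Inverse of encode_for_redirect, for inspecting what the SP actually sent."""
    return zlib.decompress(base64.b64decode(encoded), -15).decode("utf-8")


def logout_url(tenant_id, xml_text, relay_state=None):
    """The GET the browser should be redirected to on sign-out."""
    params = {"SAMLRequest": encode_for_redirect(xml_text)}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return saml2_endpoint(tenant_id) + "?" + urlencode(params)


def inspect_logout_url(url):
    """The check the answer asks for: does the sign-out GET carry a LogoutRequest?

    Returns the fields the IdP needs, or raises ValueError with the reason.
    A bare GET to /saml2 with no SAMLRequest is the AADSTS750054 case.
    """
    query = parse_qs(urlparse(url).query)
    if "SAMLRequest" not in query:
        raise ValueError("no SAMLRequest parameter on the /saml2 request")
    root = ET.fromstring(decode_from_redirect(query["SAMLRequest"][0]))
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError(f"SAMLRequest is not a LogoutRequest: {root.tag}")
    issuer = root.find(f"{{{SAML}}}Issuer")
    name_id = root.find(f"{{{SAML}}}NameID")
    if issuer is None or name_id is None or not issuer.text or not name_id.text:
        raise ValueError("LogoutRequest lacks Issuer or NameID")
    return {
        "id": root.get("ID"),
        "issue_instant": root.get("IssueInstant"),
        "destination": root.get("Destination"),
        "issuer": issuer.text,
        "name_id": name_id.text,
        "name_id_format": name_id.get("Format"),
    }


def why_rejected(url):
    """None if the URL carries a usable LogoutRequest, else the reason string."""
    try:
        inspect_logout_url(url)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    xml = build_logout_request(saml2_endpoint(TENANT_ID), SP_ENTITY_ID, USER_NAME_ID, EMAIL_FORMAT)
    good = logout_url(TENANT_ID, xml, relay_state="/loggedout")
    print(good)
    print(inspect_logout_url(good))
    bare = saml2_endpoint(TENANT_ID)  # what the question's SP was calling on logout
    print("bare /saml2 call rejected:", why_rejected(bare))
```

To check a real deployment, capture the redirect your application issues on sign-out (browser developer tools, network tab) and pass that URL to inspect_logout_url: if it has no SAMLRequest parameter, the application is making the bare call the answer describes, and the fix is on the SP side, not in the Azure AD configuration.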
