ADFS Sign Out Issue ID4037: The key needed to verify the signature could not be resolved from the following security key identifier

joym8 86 Reputation points
2020-08-18T17:21:08.037+00:00

We have a homegrown webapp A and a 3rd party webapp B. Both are relying parties within our on-prem ADFS 4.0 server on a Windows 2019 Datacenter.

Webapp A uses WS-Federation and webapp B probably uses SAML 2.0 but not 100% sure. Webapp A has no signature certificate. Webapp B has a valid signature certificate.

A user can sign into webapp A and webapp B and sign out without any issues as long as this occurs in different browser sessions.

But if users are in webapp A and open another browser tab to go to webapp B, and try to sign out from webapp A, they get an error "MSIS7054: The SAML logout did not complete properly."

And the ADFS Event Viewer shows the exception below:

The Federation Service encountered an error while processing the SAML authentication request.

Additional Data
Exception details:
Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier
(
IsReadOnly = False,
Count = 1,
Clause[0] = Microsoft.IdentityServer.Tokens.MSISSecurityKeyIdentifierClause
)
'. Ensure that the SecurityTokenResolver is populated with the required key.
at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.ResolveSigningCredentials()
at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.OnEndOfRootElement()
at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.Read()
at System.Xml.XmlReader.ReadEndElement()
at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadLogoutRequest(XmlReader reader)
at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.ReadProtocolMessage(String encodedSamlMessage)
at Microsoft.IdentityServer.Protocols.Saml.Contract.SamlContractUtility.CreateSamlMessage(MSISSamlBindingMessage message)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Logout(HttpSamlMessage logoutMessage, String sessionState, String logoutState, Boolean partialLogout, Boolean isUrlTranslationNeeded, HttpSamlMessage& newLogoutMessage, String& newSessionState, String& newLogoutState, Boolean& validLogoutRequest)

Webapp A is a .NET Core MVC app. Here is the sign-out code:

using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Controller name is assumed; the post only shows the three actions.
public class AccountController : Controller
{
    [Authorize]
    public async Task SignOut()
    {
        // redirect to /signoutcallback after signout
        await SignOutCustom("/signoutcallback");
    }

    [Authorize]
    public async Task SignOutCustom(string redirectUri)
    {
        // clear the local cookie session first
        await HttpContext.SignOutAsync("Cookies");
        var prop = new AuthenticationProperties { RedirectUri = redirectUri };

        // then send the WS-Federation sign-out to ADFS; redirect to provided target afterwards
        await HttpContext.SignOutAsync("WsFederation", prop);
    }

    [AllowAnonymous]
    public ActionResult SignOutCallback()
    {
        if (User.Identity.IsAuthenticated)
        {
            // Redirect to home page if the user is authenticated.
            return RedirectToAction("Index", "Home");
        }

        return View();
    }
}
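Added diagnostic, not part of the question above and not Microsoft or ADFS code: it decodes the SAMLRequest parameter a relying party sends to ADFS during single logout (HTTP-Redirect or HTTP-POST binding) and reports the issuer plus the certificate thumbprint or KeyName carried in the signature, which is the key identifier ADFS must resolve for ID4037 not to fire. The sample LogoutRequest, its issuer URL and its placeholder certificate are constructed.

```python
# Constructed diagnostic (not ADFS or Microsoft code): decode a SAMLRequest LogoutRequest and report its signing key identifier.
import base64
import hashlib
import zlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def decode_saml_message(encoded: str, binding: str) -> str:
    """HTTP-Redirect carries base64(raw DEFLATE); HTTP-POST is plain base64."""
    raw = base64.b64decode(encoded)
    if binding == "redirect":
        raw = zlib.decompress(raw, -15)  # -15: raw DEFLATE stream, no zlib header
    return raw.decode("utf-8")

def encode_saml_message(xml_text: str, binding: str) -> str:
    # Inverse of decode_saml_message; used here only to build the sample.
    data = xml_text.encode("utf-8")
    if binding == "redirect":
        comp = zlib.compressobj(wbits=-15)
        data = comp.compress(data) + comp.flush()
    return base64.b64encode(data).decode()

def inspect_logout_request(xml_text: str) -> dict:
    """Return the issuer plus the key material a verifier must resolve."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise ValueError("not a samlp:LogoutRequest: " + root.tag)
    info = {"issuer": root.findtext("saml:Issuer", default="", namespaces=NS),
            "signed": False, "cert_sha1": None, "key_name": None}
    sig = root.find("ds:Signature", NS)
    if sig is not None:
        info["signed"] = True
        cert = sig.findtext(".//ds:X509Certificate", default="", namespaces=NS)
        if cert.strip():  # SHA-1 over the DER bytes is the thumbprint the ADFS console shows
            der = base64.b64decode("".join(cert.split()))
            info["cert_sha1"] = hashlib.sha1(der).hexdigest().upper()
        info["key_name"] = sig.findtext(".//ds:KeyName", default=None, namespaces=NS)
    return info

# Constructed sample: the certificate body is a placeholder, not a real X.509 cert.
FAKE_CERT_B64 = base64.b64encode(b"placeholder-not-a-real-certificate").decode()
SAMPLE_XML = ('<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
    ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">'
    '<saml:Issuer>https://webapp-b.example.test/saml</saml:Issuer>'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:KeyInfo><ds:X509Data>'
    '<ds:X509Certificate>' + FAKE_CERT_B64 + '</ds:X509Certificate></ds:X509Data>'
    '</ds:KeyInfo></ds:Signature><saml:NameID>user@example.test</saml:NameID>'
    '</samlp:LogoutRequest>')
```

Compare the reported thumbprint (or KeyName) with the request-signing certificate configured on webapp B's relying party trust, which Get-AdfsRelyingPartyTrust exposes as RequestSigningCertificate; a mismatch or an empty KeyInfo is what leaves the SecurityTokenResolver without a key to resolve.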