dablackreaper

Reputation: 63

SAML Single Logout using Sustainsys and Azure giving Message is invalid error

Details:

I have a custom service provider with Azure AD as our identity provider. I have been able to achieve Single Sign On. The problem arises when attempting global Single Logout. I construct the Logout Request and send it as follows:

// Build the LogoutRequest with the Sustainsys HttpModule command pipeline
CommandResult commandResult = CommandFactory.GetCommand(CommandFactory.LogoutCommandName).Run(requestData, Options);

// Write the resulting cookies, then the redirect/POST itself, to the current response
var responseWrapper = new HttpResponseWrapper(HttpResponse);
commandResult.ApplyCookies(responseWrapper);
commandResult.Apply(responseWrapper);

Following error pops up on Azure:

Sorry, but we’re having trouble signing you in.

AADSTS20012: An error occurred when we tried to process a WS-Federation message. The message was invalid.

Upon refreshing the page, Azure says they have successfully logged me out. On the service provider side, I see my initial Logout Request with signature and x509 certificate. After the refresh, Azure sends a SAML Logout request (instead of a logout response) back to the LogoutURL.

SAML Config:

<sustainsys.saml2 entityId="serviceProviderURL.net"
                  publicOrigin="serviceProviderURL.net/Resource"
                  modulePath="/Saml2"
                  returnUrl="serviceProviderURL.net/homePage.aspx"
                  authenticateRequestSigningBehavior="Never">
    <identityProviders>
        <add entityId="AzureProvidedID"
             signOnUrl="AzureProvidedURL/saml2"
             logoutUrl="https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0"
             allowUnsolicitedAuthnResponse="true"
             binding="HttpPost"
             wantAuthnRequestsSigned="false">
            <signingCertificate fileName="~/Resources/Dev-Regression-SSO.cer" />
        </add>
    </identityProviders>
</sustainsys.saml2>

The signing certificate is always null unless I add a service certificate. I add the service certificate for the identity provider, which has the signing certificate I get from Azure for this SSO enterprise application. I have also uploaded the service provider .pfx file to the same enterprise application. Following is my code to add the pfx and certificate.

        #region Identity Provider   // region opener restored here; its name is assumed from the matching log message
        try
        {
            var signingKeyPath = AppDomain.CurrentDomain.SetupInformation.ApplicationBase;

            // Public certificate downloaded from the Azure AD enterprise application;
            // it is used to verify signatures on messages Azure sends us.
            var X509Cert = new X509Certificate2(signingKeyPath + "\\Dev-Regression-SSO.cer");
            options.IdentityProviders.Default.SigningKeys.AddConfiguredKey(X509Cert);
        }
        catch (Exception ex)
        {
            CoreLogging.GeneralLogger.Error(String.Format(" Identity Provider Exception : {0}", ex.Message));
        }
        #endregion

        #region Service Provider
        try
        {
            var pp = AppDomain.CurrentDomain.SetupInformation.ApplicationBase + "Resources";

            // Service provider key pair (private key included); Sustainsys signs outgoing
            // messages such as the LogoutRequest with this certificate.
            X509Certificate2 certificate1 = new X509Certificate2(pp + "\\serviceProvider.pfx", "password", X509KeyStorageFlags.MachineKeySet);
            options.SPOptions.ServiceCertificates.Add(certificate1);
        }
        catch (Exception ex)
        {
            CoreLogging.GeneralLogger.Error("Service Provider Exception : " + ex.Message);
        }
        #endregion

I am not sure if I have the right certificate in the right place. I would really appreciate any input. My thanks in advance. Sharad

Upvotes: 0

Views: 3308

Answers (1)

dablackreaper

Reputation: 63

I was able to get global single logout working with Azure AD. There were two things I needed to confirm:

  1. Signing Certificate for identity provider and Service Certificate for the service provider.
  2. Logout URL - Azure AD gives the logout URL as https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0 which is incorrect. The logout URL must match the signOnUrl provided by Azure.

Upvotes: 2
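The two points in the answer, applied to the configuration from the question. This is an added example written for this page, not the poster's own config: the entity ID, URLs and file names are the placeholders from the question, and the `<serviceCertificates>` element is assumed to be the configuration-file equivalent of the `ServiceCertificates.Add(...)` call the poster made in code.

```xml
<sustainsys.saml2 entityId="serviceProviderURL.net"
                  publicOrigin="serviceProviderURL.net/Resource"
                  modulePath="/Saml2"
                  returnUrl="serviceProviderURL.net/homePage.aspx"
                  authenticateRequestSigningBehavior="Never">

  <!-- Point 1 (service provider side): the SP's own key pair, used to sign the
       outgoing LogoutRequest. Requires the .pfx with its private key; a .cer
       alone cannot sign anything. Element assumed from the Sustainsys config schema. -->
  <serviceCertificates>
    <add fileName="~/Resources/serviceProvider.pfx" />
  </serviceCertificates>

  <identityProviders>
    <!-- Point 2: logoutUrl is the same SAML2 endpoint as signOnUrl.
         Previous (incorrect) value, which produced AADSTS20012 because it is a
         WS-Federation endpoint and cannot parse a SAML LogoutRequest:
           logoutUrl="https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0" -->
    <add entityId="AzureProvidedID"
         signOnUrl="AzureProvidedURL/saml2"
         logoutUrl="AzureProvidedURL/saml2"
         allowUnsolicitedAuthnResponse="true"
         binding="HttpPost"
         wantAuthnRequestsSigned="false">
      <!-- Point 1 (identity provider side): Azure's public signing certificate,
           used only to verify the LogoutResponse / LogoutRequest Azure sends back. -->
      <signingCertificate fileName="~/Resources/Dev-Regression-SSO.cer" />
    </add>
  </identityProviders>
</sustainsys.saml2>
```

A quick way to confirm the first point is to inspect the LogoutRequest the SP emits: it should carry a `Signature` element, which Sustainsys only adds when a service certificate with a private key is loaded. Without it Azure AD rejects the logout, and the error surfaces at the identity provider rather than in the SP's logs.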
