SAML logout request signature verification fails
Hi Team,
We develop a SAML 2.0 SSO application and we experience an issue with logout requests coming from https://login.microsoftonline.com/
In short - signature verification fails.
Please point me to the reason for the failure.
Below is the full history with a live sample logout request...
Logout request we receive:
SAMLRequest=jZJBa9wwEIX%2fitFdtmxL8lp4TReWgiFNIAk99BK01nhrsCVXI5P9%2bVG8LekWWnoTwzy9781Mg3qeFnXnzm4Nj%2fBjBQxJd9yTl7wfam4gp5IPOeW8rulO7Eq6q06yklr2FZQk%2bQoeR2f3pEgZSTrEFTqLQdsQS6wQlHFaiGcmFK%2bUqFJZlt9Icowuo9VhU34PYUGVZVF1BqqXBYPzkII5g4XLiunosnfKCEiSexce7IM%2fDAH8rYO8cbjMk0W1hduT1VvlNI6orJ4BVejV0%2bHLnYrMavEuuN5NpG02en%2bV%2flukEcG%2f05P2gx7T19Ea94qphZANHICbWlJT9ZxyHV8nCSWFQmpmKpkbprMmu3q2zX306I7JZ%2bdnHUf3N%2fM8zbfKaOiwtSqY9TgdjPGA%2bDP2f7PjrKdPv8%2b5ya4cbXM9i6f4aezsrIFL%2b9LHAKKO4wYuBOVFvAgtSka5qHl%2fyquyZqzZVvWH8lfx5sraNw%3d%3d&Signature=MQ07yezl943nmhHi4IIw30vhXj0jjo3XckRLSRRNVjs8QIA1rU%2fZPMYm7bB9yvlzcTIEtrpT%2bOoODQNrNZn7sRJZa7Akk%2fOy2SjrENbgYCBC1VnD8iFyxmVhbrSTYZIzkR6Bb%2fc5GlEHXLOWBaORuKtXByIOtVm3LdtM2hftPqzJa6AD44r2EjbG3J%2b2bPOfP%2f7i2wL4iYLx0wqrtqEnBADV5%2bawHuhZQkXYsQ8DnzSOSgCuEReSoYRZIg8DFbB6kKMVX8cx7eGgWyE%2fyX23zPhFa5FlHnIemyCiMMGtLpaAfQE1Dzki5%2bE29YLIZ8ROlU37%2b1EtKVYfFtGv1SV7Og%3d%3d&SigAlg=http%3a%2f%2fwww.w3.org%2f2001%2f04%2fxmldsig-more%23rsa-sha256
Azure certificate - successfully used in the Login Response verification:
[root@edgenexus ~]# cat Azure.crt
subject=CN = Microsoft Azure Federated SSO Certificate
issuer=CN = Microsoft Azure Federated SSO Certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Azure public key, extracted from the certificate:
[root@jetnexus ~]# openssl x509 -pubkey -noout -in Azure.crt > Azure.pub; cat Azure.pub
[root@jetnexus ~]# cat Azure.pub
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp4iF0YcsKf2Hr/aaTfCB
sXzBWfDWwvgUeFYXYR/PJaiVpq63L5RWpDSsRFabsjqC2LiTp4mjlq13gQpnCig5
I9MIbtTQbKUWZr3Giv/JPBorm1ptfSKcUWDNin0tWmiYQ1HdqicbhWapzE+8o+rZ
QTJR3JOG2zDeBgJIjnV087GRQwHOB9FTotZZrG74BXuGFsRRj44DS4Bq6bglLrxM
v0ckLstoJ6LJFexrESuPEQAkXtm/lbmgDHbvZcpAAER45JgKbOm9Od572FQ3ci5s
kPWwfpeCuNBakk2fK5BN+nXOUr1M2O04Z1ekr3uVhddc1NislUrgNJJ+HDBNPbzI
cQIDAQAB
-----END PUBLIC KEY-----
SAML 2.0 specifications regarding logout signature:
https://groups.oasis-open.org/higherlogic/ws/public/download/35387/sstc-saml-bindings-errata-2.0-wd-05-diff.pdf/latest
3.4.4.1 DEFLATE Encoding
1. The signature algorithm identifier MUST be included as an additional query string parameter,
named SigAlg. The value of this parameter MUST be a URI that identifies the algorithm used to
sign the URL-encoded SAML protocol message, specified according to [XMLSig] or whatever
specification governs the algorithm.
2. To construct the signature, a string consisting of the concatenation of the RelayState (if present),
SigAlg, and SAMLRequest (or SAMLResponse) query string parameters (each one URL-encoded)
is constructed in one of the following ways (ordered as below):
SAMLRequest=value&RelayState=value&SigAlg=value
SAMLResponse=value&RelayState=value&SigAlg=value
3. The resulting string of bytes is the octet string to be fed into the signature algorithm. Any other
content in the original query string is not included and not signed.
4. The signature value MUST be encoded using the base64 encoding (see RFC 2045 [RFC2045]) with
any whitespace removed, and included as a query string parameter named Signature. Note that
some characters in the base64-encoded signature value may themselves require URL-encoding before being added.
String for signature according to specification (without optional RelayState):
echo 'SAMLRequest=jZJBa9wwEIX%2fitFdtmxL8lp4TReWgiFNIAk99BK01nhrsCVXI5P9%2bVG8LekWWnoTwzy9781Mg3qeFnXnzm4Nj%2fBjBQxJd9yTl7wfam4gp5IPOeW8rulO7Eq6q06yklr2FZQk%2bQoeR2f3pEgZSTrEFTqLQdsQS6wQlHFaiGcmFK%2bUqFJZlt9Icowuo9VhU34PYUGVZVF1BqqXBYPzkII5g4XLiunosnfKCEiSexce7IM%2fDAH8rYO8cbjMk0W1hduT1VvlNI6orJ4BVejV0%2bHLnYrMavEuuN5NpG02en%2bV%2flukEcG%2f05P2gx7T19Ea94qphZANHICbWlJT9ZxyHV8nCSWFQmpmKpkbprMmu3q2zX306I7JZ%2bdnHUf3N%2fM8zbfKaOiwtSqY9TgdjPGA%2bDP2f7PjrKdPv8%2b5ya4cbXM9i6f4aezsrIFL%2b9LHAKKO4wYuBOVFvAgtSka5qHl%2fyquyZqzZVvWH8lfx5sraNw%3d%3d&SigAlg=http%3a%2f%2fwww.w3.org%2f2001%2f04%2fxmldsig-more%23rsa-sha256' > request
Signature decoding:
echo 'MQ07yezl943nmhHi4IIw30vhXj0jjo3XckRLSRRNVjs8QIA1rU%2fZPMYm7bB9yvlzcTIEtrpT%2bOoODQNrNZn7sRJZa7Akk%2fOy2SjrENbgYCBC1VnD8iFyxmVhbrSTYZIzkR6Bb%2fc5GlEHXLOWBaORuKtXByIOtVm3LdtM2hftPqzJa6AD44r2EjbG3J%2b2bPOfP%2f7i2wL4iYLx0wqrtqEnBADV5%2bawHuhZQkXYsQ8DnzSOSgCuEReSoYRZIg8DFbB6kKMVX8cx7eGgWyE%2fyX23zPhFa5FlHnIemyCiMMGtLpaAfQE1Dzki5%2bE29YLIZ8ROlU37%2b1EtKVYfFtGv1SV7Og%3d%3d' | php -r 'echo urldecode(file_get_contents("php://stdin"));' | base64 -d > signature
Signature verification:
[root@jetnexus ~]# openssl dgst -sha256 -verify Azure.pub -signature ./signature ./request
Verification Failure
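The same check run end to end, as an added example that is not code from the original post or from Microsoft: a throw-away RSA key stands in for the Azure signing certificate, the SAMLRequest value is constructed, and the binding rules quoted above are applied literally (values kept byte-for-byte as received, parameters ordered SAMLRequest, RelayState, SigAlg, the Signature parameter itself excluded). The candidate string is then written two ways, because a signature verifier checks the exact octets the IdP signed, and `echo` appends a newline that `printf '%s'` does not. Only openssl and POSIX utilities are assumed.

```shell
#!/bin/sh
# Added example, not code from the original post or from Azure AD. It walks
# the HTTP-Redirect binding check from the quoted spec text with a
# throw-away RSA key and a constructed SAMLRequest value, so the effect of
# the exact bytes fed to "openssl dgst -verify" can be seen side by side.
# Assumes only openssl and POSIX utilities on PATH.

WORK="$(mktemp -d)"

# Constructed query string as an IdP might send it (values already
# URL-encoded and kept verbatim; this is not Azure's real request).
RAW_QUERY='SAMLRequest=bG9nb3V0LXJlcXVlc3QtZXhhbXBsZQ%3d%3d&SigAlg=http%3a%2f%2fwww.w3.org%2f2001%2f04%2fxmldsig-more%23rsa-sha256'

# Rebuild the octet string that was signed from a received query string:
# keep every value exactly as received (no decode/re-encode round trip),
# impose the binding's order (SAMLRequest|SAMLResponse, RelayState, SigAlg)
# and drop everything else, Signature included.
saml_signed_string_from_query() {
    _out=""
    for _name in SAMLRequest SAMLResponse RelayState SigAlg; do
        _pair=$(printf '%s' "$1" | tr '&' '\n' | grep "^${_name}=" | head -n 1)
        if [ -n "$_pair" ]; then
            _out="${_out:+$_out&}$_pair"
        fi
    done
    printf '%s' "$_out"
}

# Pull the Signature parameter out of the received query, undo the
# URL-encoding of the base64 alphabet and decode it to raw bytes.
saml_extract_signature() {
    printf '%s' "$1" | tr '&' '\n' | grep '^Signature=' | head -n 1 | cut -d= -f2- \
        | sed 's/%2[bB]/+/g; s,%2[fF],/,g; s/%3[dD]/=/g' | openssl base64 -d -A
}

# Play the IdP: generate a signing key, sign the octet string with no line
# terminator, and append the URL-encoded base64 signature to the query.
saml_setup() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/idp.key" 2>/dev/null
    openssl pkey -in "$WORK/idp.key" -pubout -out "$WORK/idp.pub" 2>/dev/null
    saml_signed_string_from_query "$RAW_QUERY" > "$WORK/signed.bin"
    openssl dgst -sha256 -sign "$WORK/idp.key" \
        -out "$WORK/idp_signature.bin" "$WORK/signed.bin"
    _sig=$(openssl base64 -A -in "$WORK/idp_signature.bin" \
        | sed 's/+/%2b/g; s,/,%2f,g; s/=/%3d/g')
    RECEIVED_QUERY="${RAW_QUERY}&Signature=${_sig}"
}

# Play the SP: verify a candidate file against the extracted signature.
# Prints OK or FAIL instead of relying on the caller to read the exit code.
saml_verify_file() {
    if openssl dgst -sha256 -verify "$WORK/idp.pub" \
           -signature "$WORK/sp_signature.bin" "$1" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Candidate 1: printf writes exactly the rebuilt bytes.
saml_verify_exact() {
    saml_extract_signature "$RECEIVED_QUERY" > "$WORK/sp_signature.bin"
    saml_signed_string_from_query "$RECEIVED_QUERY" > "$WORK/candidate_exact"
    saml_verify_file "$WORK/candidate_exact"
}

# Candidate 2: the same string written with echo, which appends "\n".
saml_verify_with_newline() {
    saml_extract_signature "$RECEIVED_QUERY" > "$WORK/sp_signature.bin"
    echo "$(saml_signed_string_from_query "$RECEIVED_QUERY")" > "$WORK/candidate_echo"
    saml_verify_file "$WORK/candidate_echo"
}

# How many bytes the echo variant adds over the exact one.
saml_extra_bytes() {
    echo $(( $(wc -c < "$WORK/candidate_echo") - $(wc -c < "$WORK/candidate_exact") ))
}

saml_setup
echo "exact bytes:  $(saml_verify_exact)"         # OK
echo "with newline: $(saml_verify_with_newline)"  # FAIL
echo "extra bytes:  $(saml_extra_bytes)"          # 1
```

Run it with any POSIX shell; the second line of output shows that a single extra byte in the candidate string is enough to turn "Verified OK" into "Verification Failure" with a perfectly good key and signature. When checking a real request, compare the byte count of the file you hand to openssl with the length of the string you believe was signed before suspecting the certificate.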