Error with SAML logout when using ADFS #5570

Open
opened 2026-02-05 10:10:38 +03:00 by OVERLORD · 2 comments

Originally created by @awittendorff on GitHub (Jan 16, 2026).

Attempted Debugging

  • I have read the debugging page

Searched GitHub Issues

  • I have searched GitHub for the issue.

Describe the Scenario

Configured BookStack to use SAML for authentication, with ADFS as the IdP.
Login works, but logout fails with "An Error occurred" on the /saml2/sls endpoint.
With APP_DEBUG enabled in .env, the following error is shown: OneLogin\Saml2\Error
Invalid SLS Response: logout_not_success
and an Internal Error 500 response.

On the ADFS server I saw this:
Error 368
The SAML Single Logout request does not correspond to the logged-in session participant.
Requestor: https://guide01-test.domain.net/saml2/metadata
Request name identifier: Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, NameQualifier: SPNameQualifier: , SPProvidedId:
Logged-in session participants:
Count: 1, [Issuer: https://guide01-test.domain.net/saml2/metadata, NameID: (Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, NameQualifier: SPNameQualifier: , SPProvidedId: )]

This request failed.

User Action
Verify that the claim provider trust or the relying party trust configuration is up to date. If the name identifier in the request is different from the name identifier in the session only by NameQualifier or SPNameQualifier, check and correct the name identifier policy issuance rule using the AD FS Management snap-in.

Searched previous issues but haven't found anything that resolves this specific issue; multiple point to signature validation errors, which is not the case here.

Exact BookStack Version

24.10.2

Log Content


Hosting Environment

Running on virtual server with Ubuntu 24.04

OVERLORD added the 🐕 Support label 2026-02-05 10:10:38 +03:00
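Added diagnostic, not from the issue thread and not BookStack or php-saml code: a small Python script that decodes the SAMLRequest parameter BookStack sends to ADFS and the SAMLResponse ADFS sends back to /saml2/sls (HTTP-Redirect binding, i.e. base64 over raw DEFLATE, which is what php-saml's processSLO reads from the query string) and pulls out exactly the pieces the two error messages above turn on. php-saml reports logout_not_success when the LogoutResponse's outermost StatusCode is anything other than urn:oasis:names:tc:SAML:2.0:status:Success, so reading the status codes tells you what ADFS actually returned; and the ADFS event says the LogoutRequest NameID must match the NameID it issued at login down to Format, NameQualifier, SPNameQualifier and SPProvidedID, so the script compares those fields. The sample messages, the adfs.example.test host, the message IDs and the login NameID are constructed placeholders; the sample request carries an empty NameID value only to show what the comparison reports, and whether BookStack actually sends one in the reporter's setup is not established by the thread. The script does not verify signatures (with the Redirect binding the signature sits in separate query parameters), so it is for inspection only.

```python
"""Decode and inspect SAML single-logout messages (HTTP-Redirect binding).

Added diagnostic, not part of BookStack or php-saml. The sample messages below
are constructed; the ADFS hostname, message IDs and login NameID are placeholders.
"""
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# The NameID properties the ADFS event text lists for the request and the session.
NAMEID_FIELDS = ("value", "format", "name_qualifier", "sp_name_qualifier", "sp_provided_id")


def redirect_encode(xml: str) -> str:
    """Encode as the HTTP-Redirect binding does: raw DEFLATE, then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw deflate, no zlib header
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()


def post_encode(xml: str) -> str:
    """Encode as the HTTP-POST binding does: plain base64, no compression."""
    return base64.b64encode(xml.encode()).decode()


def decode_saml_param(value: str) -> str:
    """Base64-decode and raw-inflate a SAMLRequest/SAMLResponse parameter value;
    falls back to the uncompressed POST-binding form if inflation fails."""
    raw = base64.b64decode(value)
    try:
        return zlib.decompress(raw, -15).decode()
    except zlib.error:
        return raw.decode()


def _nameid_fields(el) -> dict:
    """Value and qualifiers of a saml:NameID element (all empty if it is absent)."""
    if el is None:
        return dict.fromkeys(NAMEID_FIELDS, "")
    return {
        "value": (el.text or "").strip(),
        "format": el.get("Format", ""),
        "name_qualifier": el.get("NameQualifier", ""),
        "sp_name_qualifier": el.get("SPNameQualifier", ""),
        "sp_provided_id": el.get("SPProvidedID", ""),
    }


def inspect_logout_request(encoded: str) -> dict:
    """NameID, Issuer and SessionIndex of an SP-initiated LogoutRequest."""
    root = ET.fromstring(decode_saml_param(encoded))
    info = _nameid_fields(root.find("saml:NameID", NS))
    info["issuer"] = root.findtext("saml:Issuer", default="", namespaces=NS)
    info["session_index"] = root.findtext("samlp:SessionIndex", default="", namespaces=NS)
    return info


def inspect_logout_response(encoded: str) -> dict:
    """Status codes of a LogoutResponse, outermost first. php-saml reports
    logout_not_success when the outermost code is not STATUS_SUCCESS."""
    root = ET.fromstring(decode_saml_param(encoded))
    codes = [sc.get("Value", "") for sc in root.iter(f"{{{NS['samlp']}}}StatusCode")]
    return {
        "in_response_to": root.get("InResponseTo", ""),
        "status_codes": codes,
        "status_message": root.findtext("samlp:Status/samlp:StatusMessage", default="", namespaces=NS),
        "success": bool(codes) and codes[0] == STATUS_SUCCESS,
    }


def nameid_mismatches(login_nameid: dict, request_nameid: dict) -> list:
    """NameID fields on which the LogoutRequest differs from what the IdP issued at login."""
    return [f for f in NAMEID_FIELDS if login_nameid.get(f, "") != request_nameid.get(f, "")]


# Constructed sample messages (placeholders, not captured from the reporter's environment).
SAMPLE_LOGOUT_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0"
    IssueInstant="2026-01-16T10:00:00Z" Destination="https://adfs.example.test/adfs/ls/">
  <saml:Issuer>https://guide01-test.domain.net/saml2/metadata</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"></saml:NameID>
  <samlp:SessionIndex>_sess1</samlp:SessionIndex>
</samlp:LogoutRequest>"""

SAMPLE_LOGOUT_RESPONSE = """<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2026-01-16T10:00:01Z" InResponseTo="_req1"
    Destination="https://guide01-test.domain.net/saml2/sls">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:LogoutResponse>"""

# NameID as it appeared in the Subject of the login assertion (constructed).
SAMPLE_LOGIN_NAMEID = {"value": "user@domain.net",
                       "format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
                       "name_qualifier": "", "sp_name_qualifier": "", "sp_provided_id": ""}

if __name__ == "__main__":
    req = inspect_logout_request(redirect_encode(SAMPLE_LOGOUT_REQUEST))
    resp = inspect_logout_response(redirect_encode(SAMPLE_LOGOUT_RESPONSE))
    print("LogoutRequest:", req)
    print("LogoutResponse:", resp)
    print("NameID fields differing from login:", nameid_mismatches(SAMPLE_LOGIN_NAMEID, req))
```

To run it against real traffic, copy the URL-decoded SAMLRequest value from the redirect to ADFS and the SAMLResponse value from the redirect back to /saml2/sls (browser network log) and pass them to inspect_logout_request and inspect_logout_response; then compare the request's NameID with the Subject NameID in the login Response, which is the comparison the ADFS event asks for.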

@ssddanbrown commented on GitHub (Jan 22, 2026):

Hi @awittendorff,
I'm assuming that you've removed personal details from the provided ADFS server error?

If so, in the original version of the following:

Request name identifier: Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, NameQualifier: SPNameQualifier: , SPProvidedId:
Logged-in session participants:
Count: 1, [Issuer: https://guide01-test.domain.net/saml2/metadata, NameID: (Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, NameQualifier: SPNameQualifier: , SPProvidedId: )]

Can you describe how/if the user details in the first line differ to that in the last line?

Or was the ADFS error logged with blank details as provided above?


@awittendorff commented on GitHub (Jan 23, 2026):

> Hi @awittendorff, I'm assuming that you've removed personal details from the provided ADFS server error?
>
> If so, in the original version of the following:
>
> Request name identifier: Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, NameQualifier: SPNameQualifier: , SPProvidedId:
> Logged-in session participants:
> Count: 1, [Issuer: https://guide01-test.domain.net/saml2/metadata, NameID: (Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, NameQualifier: SPNameQualifier: , SPProvidedId: )]
>
> Can you describe how/if the user details in the first line differ to that in the last line?
>
> Or was the ADFS error logged with blank details as provided above?

The only thing changed from the original error on the ADFS server is the FQDN in Requestor:/Issuer:, so the error was logged with blank details.

Reference: starred/BookStack#5570