question

HansHedman-1604 avatar image
2 Votes"
HansHedman-1604 asked HideAbe-1970 commented

Google Cloud / G Suite SSO Logout fails with error AADSTS750054

We have configured SSO in Google using Azure AD as IdP.
It is set up by adding the Google Cloud / G Suite Connector by Microsoft enterprise application to Azure AD.
Login is working fine but when logging out from Google it gives this error message:

Sorry, but we’re having trouble signing you in.
AADSTS750054: SAMLRequest or SAMLResponse must be present as query string parameters in HTTP request for SAML Redirect binding.

The URL is the same as in Login URL and Logout URL step 4 of the SAML configuration of the app. According to the tutorial on MS Docs it is correct that the URL is the same for Login and Logout.


There isn't much configuration to be done on the Google side so I'm focusing on the configuration in Azure.

On the Basic SAML Configuration page, I have tried all sorts of different combinations in the Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) fields. Right now I have google.com/a/edu.ourdomain.se as the only Identifier and https://www.google.com/a/edu.ourdomain.se/acs as the only Reply URL. But I have also had several entries like https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/google-apps-tutorial suggests.

As Sign on URL I have https://www.google.com/a/edu.ourdomain.se/ServiceLogin?continue=https://console.cloud.google.com
Relay State and Logout Url are empty.

On the SAML Signing Certificate page the Signing Option is Sign SAML assertion

Apart from that there isn't any configuration options that I can see would affect this.



azure-ad-saml-sso
· 7
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

To chime in - same error...which lead me to this post. Unfortunately cannot offer a solution but wanted to add to the issue's validity and that it is not isolated to one or two people.

1 Vote 1 ·
KyleHardin-7394 avatar image KyleHardin-7394 TheodoreDimitrov-8550 ·

Thanks Theodore, I appreciate it. Had you just recently set up Google/Azure SSO or was it already in place when you started getting this error?

I'm trying to get a sense for whether this is a mistake in the setup guide I'm following or if it's something that's changed on the infrastructure side.

0 Votes 0 ·

Hi Kyle - greenfield - fresh setup - did this on Friday 4/30/21 following the latest doc I could find.

0 Votes 0 ·
Show more comments
KyleHardin-7394 avatar image KyleHardin-7394 MarileeTurscak-MSFT ·

I don't know about Hans, but we're using https://login.microsoftonline.com/<GUID>/saml2 copied from the connector app as specified in step 8 of Configure Azure AD SSO https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/google-apps-tutorial

Both the login and logout URLs are the same. Login works fine, but we receive the AADSTS750054 error upon logging out, as Hans is experiencing.

1 Vote 1 ·

I am experiencing the same thing, just configured this last week. I am also using the same logout URL that Kyle mentioned as specified in the document.

1 Vote 1 ·
LHolt-8211 avatar image
3 Votes"
LHolt-8211 answered HideAbe-1970 commented

I think I may have found a solution.

The Sign in and Out URL, MS created to use in your Google SSO setting, is the same url.

Login URL https://login.microsoftonline.com/#####NUMBERS####/saml2
Azure AD identifier https://sts.windows.net/#####NUMBER#####/
Logout URL https://login.microsoftonline.com/#####NUMBERS####/saml2


Replace the signout URL in the Google Console with https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0


This worked for me, might be a bug / issue??

*edited to highlight its in Google not Azure you need to make the change.

· 3
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

This worked like a charm and fixed the issue 100 percent, thank you so much!

Edit: I submitted a change request in Github to update the doc with your fix.
https://github.com/MicrosoftDocs/azure-docs/issues/75124

2 Votes 2 ·

Awesome, thank you. I'll give this a chance the next opportunity I have to tinker with the setup.

0 Votes 0 ·

Great! It worked fine, thank you.
I noticed the post logout behavior is different upon browsers. Chrome and Edge are tolerant to login again without password, Firefox requires password at login every time. However, it's not a big deal for me.

0 Votes 0 ·
KyleHardin-7394 avatar image
0 Votes"
KyleHardin-7394 answered

I've got the same thing happening. Nothing show stopping because it only appears at logout (which occurs successfully), but will potentially generate support calls.

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

SmithEvan-2024 avatar image
0 Votes"
SmithEvan-2024 answered KyleHardin-7394 commented

I also have the same issue using Gsuite MS Azure app . has anyone found an answer for this?

· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

No, sorry. Was your SSO setup a recent configuration, or had it been in place for a while?

0 Votes 0 ·