3 Replies Latest reply: Apr 10, 2012 1:45 AM by Ryan Fernandes

Logout issue with ADFS 2.0 as the IDP

Ryan Fernandes Newbie

Picketlink 1.0.4 release

App Server JBoss 5.1

IDP : ADFS 2.0



  1. User accesses a protected page.
  2. System throws up a login box
  3. User enters valid credentials and is able to use the application
  4. User clicks logoff (?LLO=true or ?GLO=true)

The SP emits the following Logout request (via picketlink):


<ns3:LogoutRequest xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:ns4="http://www.w3.org/2001/04/xmlenc#" ID="ID_f574759d-a66e-4ee9-9677-b5dec28b5f9f" IssueInstant="2011-09-16T12:00:31.276+05:30">




After which ADFS 2.0 promptly shows an error page with the following in the event log:


Failed to process the Web request because the request is not valid. Cannot get protocol message from HTTP query. The following errors occurred when trying to parse incoming HTTP request:


  1. Microsoft.IdentityServer.Protocols.Saml.HttpSamlMessageException: MSIS7015: This request does not contain the expected protocol message or incorrect protocol parameters were found according to the HTTP SAML protocol bindings.

   at Microsoft.IdentityServer.Web.HttpSamlMessageFactory.CreateMessage(HttpContext httpContext)

   at Microsoft.IdentityServer.Web.FederationPassiveContext.EnsureCurrent(HttpContext context)


Any idea why this doesn't work? Does the picketlink 1.0.4 release support logoff (with ADFS 2.0)?
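The MSIS7015 text above refers to the HTTP SAML bindings, so one thing worth checking is what the SP actually put on the wire. The following is an added example, not part of the original post and not PicketLink or ADFS code: it takes a captured query string or form body and reports whether a SAMLRequest parameter is present, whether it decodes under the HTTP-Redirect (DEFLATE then base64) or HTTP-POST (base64 only) binding, and whether the root is a LogoutRequest carrying the attributes SAML 2.0 core requires. The function names and the sample message are constructed for illustration.

```python
import base64, zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
REQUIRED_ATTRS = ("ID", "Version", "IssueInstant")  # required by SAML 2.0 core

def decode_saml_param(value, binding):
    """Return the XML bytes carried in a SAMLRequest parameter."""
    raw = base64.b64decode(value, validate=True)
    # HTTP-Redirect: raw DEFLATE then base64. HTTP-POST: base64 only.
    return zlib.decompress(raw, -15) if binding == "redirect" else raw

def check_logout_message(query_or_body, binding):
    """List problems in a captured query string (redirect) or form body (post)."""
    params = parse_qs(query_or_body)
    if "SAMLRequest" not in params:
        return ["no SAMLRequest parameter, found %s" % sorted(params)]
    try:
        xml = decode_saml_param(params["SAMLRequest"][0], binding)
        if b"<!DOCTYPE" in xml:  # refuse DTDs before handing bytes to the parser
            return ["message contains a DTD"]
        root = ET.fromstring(xml)
    except (ValueError, zlib.error, ET.ParseError) as exc:
        return ["SAMLRequest does not decode for %s binding: %s" % (binding, exc)]
    problems = []
    if root.tag != "{%s}LogoutRequest" % SAMLP:
        problems.append("root element is %s" % root.tag)
    problems += ["missing attribute %s" % a for a in REQUIRED_ATTRS if a not in root.attrib]
    return problems

# Constructed sample message (not the request from the post).
SAMPLE_XML = (b'<samlp:LogoutRequest xmlns:samlp="%s" ID="ID_example" Version="2.0" '
              b'IssueInstant="2012-01-01T00:00:00Z"/>' % SAMLP.encode())

def redirect_query(xml):
    """Encode xml the way the HTTP-Redirect binding expects."""
    deflater = zlib.compressobj(wbits=-15)
    deflated = deflater.compress(xml) + deflater.flush()
    return urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})

def post_body(xml):
    """Encode xml the way the HTTP-POST binding expects."""
    return urlencode({"SAMLRequest": base64.b64encode(xml).decode()})

if __name__ == "__main__":
    print(check_logout_message(redirect_query(SAMPLE_XML), "redirect"))  # well-formed
    print(check_logout_message(post_body(SAMPLE_XML), "redirect"))       # wrong encoding
    print(check_logout_message("GLO=true", "redirect"))                  # no message
```

Feed it the query string or form body taken from a browser trace or proxy log of the logout redirect, with the binding the IDP endpoint is configured for.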