[IdP] Bug/feature with SLO and SAML2 issuer tag

Forge Component
Published on 9 May (2 weeks ago) by Telmo Martins
33 votes


We are using a (custom) IdP with Azure AD, no problems there. Just letting you know that the current Forge version of IdP fails to do Single Log-Out whenever the Azure app is configured with an App ID without a URI scheme. This App ID is what you will find on the OutSystems end configured in IdP's "SP Issuer (SP Entity ID)" field.

In the long run, I'm sure someone else will bump into this same issue and I'd like to see this change implemented in the Forge component as well.

The current C# implementation at SAML_Utils extension / MssSAML_CreateLogoutRequest() throws an exception whenever the input parameter ssIssuer does not have a scheme in it.

Example: "https://app.domain.com" works, but "app.domain.com" doesn't.

To overcome this situation:

  1. Option 1 is to change the Azure AD App configuration and reflect these changes in the IdP configuration.
  2. Option 2 is to change the extension. I did not have option 1 available, so I changed:

req.Issuer = new Uri(ssIssuer);

to:

req.Issuer = new Uri(ssIssuer, UriKind.RelativeOrAbsolute);

It's still not perfect, as the SAML2 XSD spec allows the content of the <Issuer> tag to be any string without any checks.

Helpful links:
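The behaviour described above, as an added C# example that is not the Forge component's or the extension's own code: it shows the strict constructor failing on a scheme-less SP Entity ID, the RelativeOrAbsolute variant accepting it (with the caveat that a relative Uri has no AbsoluteUri), and a LogoutRequest whose saml:Issuer is written as the plain string the schema allows. The class, method names and sample IDs are assumptions for illustration.

```csharp
using System;
using System.Xml.Linq;

static class LogoutRequestIssuerDemo
{
    static readonly XNamespace Samlp = "urn:oasis:names:tc:SAML:2.0:protocol";
    static readonly XNamespace Saml  = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Mirrors the original extension line: new Uri(string) requires an absolute URI,
    // so "app.domain.com" raises UriFormatException.
    static Uri StrictIssuer(string ssIssuer) => new Uri(ssIssuer);

    // The fix from the post: a scheme-less value is accepted as a relative Uri.
    // Caveat: relative Uris have no AbsoluteUri; code that reads req.Issuer.AbsoluteUri
    // later in the pipeline would throw InvalidOperationException instead.
    static Uri LenientIssuer(string ssIssuer) => new Uri(ssIssuer, UriKind.RelativeOrAbsolute);

    // <saml:Issuer> is of NameIDType (string content), so emitting the configured
    // string directly avoids URI parsing altogether. Values here are constructed samples.
    static XElement BuildLogoutRequest(string ssIssuer, string nameId, string requestId)
    {
        return new XElement(Samlp + "LogoutRequest",
            new XAttribute(XNamespace.Xmlns + "samlp", Samlp),
            new XAttribute(XNamespace.Xmlns + "saml", Saml),
            new XAttribute("ID", requestId),
            new XAttribute("Version", "2.0"),
            new XAttribute("IssueInstant", DateTime.UtcNow.ToString("o")),
            new XElement(Saml + "Issuer", ssIssuer),
            new XElement(Saml + "NameID", nameId));
    }

    static void Main()
    {
        foreach (var issuer in new[] { "https://app.domain.com", "app.domain.com" })
        {
            try { Console.WriteLine($"strict  {issuer} -> {StrictIssuer(issuer)}"); }
            catch (UriFormatException e) { Console.WriteLine($"strict  {issuer} -> {e.GetType().Name}"); }

            var u = LenientIssuer(issuer);
            Console.WriteLine($"lenient {issuer} -> IsAbsoluteUri={u.IsAbsoluteUri}, ToString={u}");
        }

        // Constructed sample values; real IDs come from the IdP configuration.
        Console.WriteLine(BuildLogoutRequest("app.domain.com", "user@domain.com", "_constructed-request-id"));
    }
}
```

When comparing an incoming Issuer against the configured SP Entity ID, compare the raw strings rather than normalised Uri objects, since the schema places no URI constraint on the value.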



Hi Mikko,

Thanks. Will have that in mind in the next version.