"There is a problem with this website's security certificate" error when a federated user signs out of Microsoft 365, Intune, or Azure

Problem

When a federated user signs out of a Microsoft cloud service such as Microsoft 365, Microsoft Intune, or Microsoft Azure, the user receives the following error message on login.microsoftonline.com:

There is a problem with this website's security certificate

Cause

This issue occurs when an HTTP URL is used for the logout URL, but the logout process uses HTTPS to access the URL. If the URL can't accept HTTPS connections, the user receives the error message.

For example, this issue occurs if the logout URL is https://idp.contoso.edu/idp/logout.htm and the logout process tries to access it by using https://idp.contoso.edu/idp/logout.htm.

Solution

To protect the confidentiality of personally identifiable information (PII) that's contained in the Security Assertions Markup Language (SAML) logout request, a secure (HTTPS) connection is required. Review your security token service (STS) documentation to determine what the logout URL should be.

To resolve this issue, try Method 1. If Method 1 doesn't resolve the issue, use Method 2.

Method 1: Make sure that the logout URL can accept HTTPS requests

Update the logout URL so that it can accept HTTPS requests. To do this, open the Azure Active Directory module for Windows PowerShell, and then run the following cmdlet:

Set-MsolDomainFederationSettings -DomainName user.contoso.com -LogOffUri <LogOffUri> -PreferredAuthenticationProtocol SAMLP 

Note In this command, <LogOffUri> represents your logout URL.

Note

Azure AD Powershell is planned for deprecation on March 30, 2024. To learn more, read the deprecation update.

We recommend migrating to Microsoft Graph PowerShell to interact with Microsoft Entra ID (formerly Azure AD). Microsoft Graph PowerShell allows access to all Microsoft Graph APIs and is available on PowerShell 7. For answers to common migration queries, see the Migration FAQ.

Method 2: Remove the HTTP URL that's specified in the LogOffUri parameter

Microsoft Entra ID will automatically display a message to notify the user to close the browser when the user logs off if a logout URL isn't specified.

To remove the HTTP URL that's specified in the LogOffUri parameter, open the Azure Active Directory module for Windows PowerShell, and then run the following cmdlet:

Set-MsolDomainFederationSettings -DomainName contoso.com -LogOffUri " " –PreferredAuthenticationProtocol SAMLP 

Important Make sure that there's a space between the quotation marks (" ") in the command line.

More Information

Still need help? Go to Microsoft Community or the Microsoft Entra Forums website.