"There is a problem with this website's security certificate" error when a federated user signs out of Microsoft 365, Intune, or Azure
Problem
When a federated user signs out of a Microsoft cloud service such as Microsoft 365, Microsoft Intune, or Microsoft Azure, the user receives the following error message on login.microsoftonline.com:
There is a problem with this website's security certificate
Cause
This issue occurs when an HTTP URL is used for the logout URL, but the logout process uses HTTPS to access the URL. If the URL can't accept HTTPS connections, the user receives the error message.
For example, this issue occurs if the logout URL is http://idp.contoso.edu/idp/logout.htm and the logout process tries to access it by using https://idp.contoso.edu/idp/logout.htm.
Solution
To protect the confidentiality of personally identifiable information (PII) that's contained in the Security Assertions Markup Language (SAML) logout request, a secure (HTTPS) connection is required. Review your security token service (STS) documentation to determine what the logout URL should be.
To resolve this issue, try Method 1. If Method 1 doesn't resolve the issue, use Method 2.
Method 1: Make sure that the logout URL can accept HTTPS requests
Update the logout URL so that it can accept HTTPS requests. To do this, open the Azure Active Directory module for Windows PowerShell, and then run the following cmdlet:
Set-MsolDomainFederationSettings -DomainName user.contoso.com -LogOffUri <LogOffUri> -PreferredAuthenticationProtocol SAMLP
Note: In this command, <LogOffUri> represents your logout URL.
Note
Azure AD PowerShell is planned for deprecation on March 30, 2024. To learn more, read the deprecation update.
We recommend migrating to Microsoft Graph PowerShell to interact with Microsoft Entra ID (formerly Azure AD). Microsoft Graph PowerShell allows access to all Microsoft Graph APIs and is available on PowerShell 7. For answers to common migration queries, see the Migration FAQ.
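Before running the cmdlet in Method 1, the candidate logout URL can be checked for an HTTPS scheme and for a certificate that validates against the host name. The following is an added example, not part of the original article or of Microsoft's tooling; Test-LogOffUri is a hypothetical helper name, and the sample URLs are the article's contoso placeholders.

```powershell
# Added example: validate a logout URL before writing it to the domain's
# federation settings. Test-LogOffUri is a hypothetical helper, not a cmdlet
# from the MSOnline module.
function Test-LogOffUri {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$LogOffUri)

    $uri = $null
    if (-not [Uri]::TryCreate($LogOffUri.Trim(), [UriKind]::Absolute, [ref]$uri)) {
        return [pscustomobject]@{ Uri = $LogOffUri; Ok = $false; Reason = 'Not an absolute URL' }
    }
    if ($uri.Scheme -ne 'https') {
        return [pscustomobject]@{ Uri = $LogOffUri; Ok = $false
                                  Reason = "Scheme is '$($uri.Scheme)'; HTTPS is required" }
    }

    $client = [System.Net.Sockets.TcpClient]::new()
    $ssl = $null
    try {
        $client.Connect($uri.Host, $uri.Port)
        # Default SslStream validation rejects an untrusted, expired or
        # name-mismatched certificate, the conditions a browser warns about.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($uri.Host)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        return [pscustomobject]@{ Uri = $LogOffUri; Ok = $true
                                  Reason = "TLS OK; certificate expires $($cert.NotAfter.ToString('u'))" }
    }
    catch {
        return [pscustomobject]@{ Uri = $LogOffUri; Ok = $false
                                  Reason = "HTTPS connection failed: $($_.Exception.GetBaseException().Message)" }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

# Sample inputs built from the article's placeholder host.
Test-LogOffUri 'http://idp.contoso.edu/idp/logout.htm'    # rejected: scheme is http
Test-LogOffUri 'https://idp.contoso.edu/idp/logout.htm'   # attempts a TLS handshake

# To check the value currently configured (run Connect-MsolService first):
# Test-LogOffUri (Get-MsolDomainFederationSettings -DomainName contoso.com).LogOffUri
```

A result with Ok set to False for the configured value indicates that Method 1 or Method 2 still needs to be applied.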
Method 2: Remove the HTTP URL that's specified in the LogOffUri parameter
If a logout URL isn't specified, Microsoft Entra ID automatically displays a message that tells the user to close the browser when the user signs out.
To remove the HTTP URL that's specified in the LogOffUri parameter, open the Azure Active Directory module for Windows PowerShell, and then run the following cmdlet:
Set-MsolDomainFederationSettings -DomainName contoso.com -LogOffUri " " -PreferredAuthenticationProtocol SAMLP
Important: Make sure that there's a space between the quotation marks (" ") in the command line.
More Information
Still need help? Go to Microsoft Community or the Microsoft Entra Forums website.