SP initiated logout fails in Identity Cloud or AM (All versions) with Identity Provider ID is null error
The purpose of this article is to provide assistance if an SP initiated logout fails in ForgeRock Identity Cloud or AM with an "Identity Provider ID is null" error. For example, your logout URL is similar to: https://sp.example.com:8443/am/saml2/jsp/spSingleLogoutInit.jsp?binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
Symptoms
An error similar to the following is shown when the logout URL is called:
HTTP 400
type Status report
message Identity Provider ID is null.
description The request sent by the client was syntactically incorrect (Identity Provider ID is null.).
Recent Changes
Configured SAML 2.0 Federation to initiate SLO from the service provider side.
Causes
The identity provider cannot be identified due to incorrect or missing idpEntityID.
Solution
This issue can be resolved by including idpEntityID in the logout URL (which is a required parameter for Fedlets). This parameter identifies the remote identity provider and must match exactly the entity ID you specified when you registered the remote identity provider, which is typically the identity provider's deployment URL (for example, https://idp.example.com:8443/am). Because the entity ID contains reserved characters such as ":" and "/", the value must be URL encoded when it is placed in the query string.
An example URL for an SP initiated logout using HTTP-Redirect binding is:
https://sp.example.com:8443/am/saml2/jsp/spSingleLogoutInit.jsp?metaAlias=/sp&idpEntityID=https%3A%2F%2Fidp.example.com%3A8443%2Fam&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
Note
The spSingleLogoutInit.jsp element of the URL is case-sensitive and the URL will fail if this is in the wrong case. For example, including spsinglelogoutinit.jsp in the URL will not work.
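The following script is an added example (not part of this article or of the AM product) that builds the SP initiated logout URL with the idpEntityID value URL encoded, and checks an existing logout URL for the three mistakes described above: a missing or empty idpEntityID, an idpEntityID that was pasted in unencoded, and spSingleLogoutInit.jsp in the wrong case. The AM base URL, metaAlias and IdP entity ID values are the ones from the example above and are assumptions for illustration only.

```python
"""Build and sanity-check an AM SP initiated SLO URL (added example, not AM code)."""
from urllib.parse import quote, unquote, urlsplit

# Binding URN used in the article's example URL.
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# The JSP name is case-sensitive in AM.
JSP_NAME = "spSingleLogoutInit.jsp"


def build_sp_logout_url(am_base, meta_alias, idp_entity_id, binding=REDIRECT_BINDING):
    """Return the SP initiated SLO URL for AM deployed at am_base.

    am_base is the AM deployment URL, e.g. https://sp.example.com:8443/am (assumed value).
    Only idpEntityID is percent-encoded (safe="" so ':' and '/' are encoded too);
    metaAlias and binding are written the way the article's example writes them.
    """
    query = "&".join([
        "metaAlias=" + meta_alias,
        "idpEntityID=" + quote(idp_entity_id, safe=""),
        "binding=" + binding,
    ])
    return f"{am_base.rstrip('/')}/saml2/jsp/{JSP_NAME}?{query}"


def _raw_params(query):
    """Split a query string WITHOUT percent-decoding, so encoding problems stay visible."""
    pairs = {}
    for item in query.split("&"):
        if not item:
            continue
        key, _, value = item.partition("=")
        pairs[key] = value
    return pairs


def check_sp_logout_url(url):
    """Return a list of problems that would make AM reject this SLO request.

    Covers the failure modes from the article: wrong-case JSP name, missing or
    empty idpEntityID (AM answers HTTP 400 'Identity Provider ID is null'),
    an idpEntityID that was not URL encoded, and a missing metaAlias/binding.
    """
    problems = []
    parts = urlsplit(url)

    leaf = parts.path.rsplit("/", 1)[-1]
    if leaf != JSP_NAME:
        if leaf.lower() == JSP_NAME.lower():
            problems.append(f"JSP name {leaf!r} has the wrong case; it must be {JSP_NAME}")
        else:
            problems.append(f"path ends in {leaf!r}, expected {JSP_NAME}")

    raw = _raw_params(parts.query)
    idp = raw.get("idpEntityID", "")
    if not idp:
        problems.append("idpEntityID is missing or empty (AM reports 'Identity Provider ID is null')")
    elif any(ch in idp for ch in ":/"):
        # A correctly encoded value contains no raw ':' or '/'.
        problems.append("idpEntityID is not URL encoded: " + unquote(idp))

    if not raw.get("metaAlias"):
        problems.append("metaAlias is missing or empty")
    if "binding" not in raw:
        problems.append("binding parameter is missing")
    return problems


if __name__ == "__main__":
    # Assumed deployment values taken from the article's example URL.
    url = build_sp_logout_url("https://sp.example.com:8443/am", "/sp",
                              "https://idp.example.com:8443/am")
    print(url)
    print("problems:", check_sp_logout_url(url))
    # The URL from the Symptoms section, with no idpEntityID at all.
    failing = ("https://sp.example.com:8443/am/saml2/jsp/spSingleLogoutInit.jsp"
               "?binding=" + REDIRECT_BINDING)
    print("problems:", check_sp_logout_url(failing))
```

Run the checker against the exact URL your application issues (copy it from the browser or proxy log rather than retyping it) so that a wrong-case JSP name or an unencoded entity ID is caught before you look further into the federation configuration.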
See Also
How do I configure IdP or SP initiated Single Logout in Identity Cloud or AM (All versions)?
Related Training
ForgeRock Access Management Deep Dive (AM-410)
Related Issue Tracker IDs
N/A