Supported use of /Shibboleth.sso/Logout?redirect-URL on SP

Michael Brogan mbrogan at
Mon Apr 27 19:24:11 EDT 2020

I have two test SPs:

One is Windows Server 2016 with IIS. It was an in-place upgrade from 3.0.x to
The second is Windows Server 2019 which had installed fresh (not an upgrade).

On the first SP I have been using a link like https://my-sp/Shibboleth.sso/Logout?return=https://my-idp/idp/profile/Logout to do a local logout and then redirect the browser to my IdP Logout endpoint. After upgrading this SP to this logout link continued to work as before.

On the second SP (fresh install) that same logout link does not work. I get a HTTP 500 in the browser and the Shib logs record the following:

Shibboleth.IISNative [4040] iis_shib: Blocked unacceptable redirect location.

Some additional testing seems to indicate I can redirect to other pages on the same SP, but redirects to pages on another webserver fail.

Is the redirect policy configurable or baked in the code? Would you expect different behavior between an upgraded SP and a fresh install?

Michael W. Brogan
Technical Lead, Identity and Access Management
UW-IT, University of Washington

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list