diff --git a/x-pack/plugins/security/server/lib/authentication/providers/basic.js b/x-pack/plugins/security/server/lib/authentication/providers/basic.js
index a44491ba0542bb..7526582dff3ef0 100644
--- a/x-pack/plugins/security/server/lib/authentication/providers/basic.js
+++ b/x-pack/plugins/security/server/lib/authentication/providers/basic.js
@@ -86,7 +86,7 @@ export class BasicAuthenticationProvider {
     // Query string may contain the path where logout has been called or
     // logout reason that login page may need to know.
     return DeauthenticationResult.redirectTo(
-      `${this._options.basePath}/login${request.url.search}`
+      `${this._options.basePath}/login${request.url.search || ''}`
     );
   }
 
diff --git a/x-pack/plugins/security/server/lib/authentication/providers/saml.js b/x-pack/plugins/security/server/lib/authentication/providers/saml.js
index a2239d4a5ac493..93b41d231db889 100644
--- a/x-pack/plugins/security/server/lib/authentication/providers/saml.js
+++ b/x-pack/plugins/security/server/lib/authentication/providers/saml.js
@@ -403,7 +403,7 @@ export class SAMLAuthenticationProvider {
       logoutArgs = [
         'shield.samlInvalidate',
         // Elasticsearch expects `queryString` without leading `?`, so we should strip it with `slice`.
-        { body: { queryString: request.url.search.slice(1), acs: this._getACS() } }
+        { body: { queryString: request.url.search ? request.url.search.slice(1) : '', acs: this._getACS() } }
       ];
     } else {
       this._options.log(['debug', 'security', 'saml'], 'Logout has been initiated by the user.');