Single logout with Azure AD (SAML)

  • Question

  • Hello.

    I'm trying to sort out all the info from the Azure documentation to understand the proper way of configuring SAML-based SLO.

    I have configured an application with single sign-on. The application was added via Azure Active Directory -> Enterprise Applications -> Non-gallery application.

    Here I can download the metadata and also see the IDP Logout Url https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0

    Then I went to Application registration and added the logout URL. (BTW, why can't this action be done while adding the app in the Enterprise Applications section? And what is the difference between Application Registration and Enterprise Applications, if an app added in one of them can afterwards be seen in the other?)

    However, according to the documentation, Single Logout should be implemented this way: https://docs.microsoft.com/en-us/azure/active-directory/develop/single-sign-out-saml-protocol

    So, which approach is right:

    1) Use steps from this link and send LogoutRequest to url from metadata: 

    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/{id}/saml2" />

    or 

    2) GET https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0

    Also, there is a note in the documentation that the application LogoutUrl and signing key should be fetched by the IDP from the app's metadata; however, I can't find where the app's metadata can be uploaded to Azure.


    Tuesday, December 11, 2018 10:23 AM

All replies

  • For your first question about the difference between Application Registration and Enterprise Application, the Enterprise Application is an instance of the application, whereas the registration is the step to integrate your application with Azure AD.

    Enterprise apps are apps that are deployed and used within your organization, and you can manage single sign-on settings for them in the Azure portal. If you want to add your own app and integrate it with Azure AD, you need to register the app in App registrations. Also, if you grant permissions to your app, it will appear in Enterprise applications. If your app is added from the gallery, you cannot configure the Reply URL. You can only configure your own app in Application registrations.

    https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/google-apps-tutorial

    For Single Sign-Out I would refer to the steps taken in this guide https://docs.microsoft.com/en-us/azure/active-directory/develop/single-sign-out-saml-protocol

    First, you need to configure the logout URL for the application, and you can do that using the App Registrations section. In the Properties of the app we have an option for it.

    Once this is configured, when the user logs out from the access panel https://myapps.microsoft.com, Azure AD will broadcast the logout message to your endpoint for single sign-out.


    Tuesday, December 11, 2018 11:26 PM
    Moderator
  • Just checking to see if you found the above reply helpful. If so, please remember to "Mark as Answer" so that other users facing similar problems can more quickly find a solution.
    Wednesday, December 26, 2018 8:31 PM
    Moderator
  • Hi Marilee.

    Could you throw some light on how to generate a SAML logout request, as specified in https://docs.microsoft.com/en-us/azure/active-directory/develop/single-sign-out-saml-protocol, from our application?

    Thanks in advance

    Tuesday, December 3, 2019 7:37 AM
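As an added example that is not from this thread, this is how a service provider can build the SAML 2.0 LogoutRequest from the linked document and encode it for the HTTP-Redirect binding toward the SingleLogoutService location quoted in the question. The tenant ID, the issuer (the application's identifier in Azure AD) and the NameID are placeholders; the block produces the unsigned request only, so the signature Azure AD checks against the signing key mentioned above is not covered.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
from xml.etree import ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_logout_request(destination, issuer, name_id, session_index=None,
                         request_id=None, issue_instant=None):
    """Build an unsigned SAML 2.0 LogoutRequest as an XML string.
    destination is the IdP SingleLogoutService URL, issuer the SP identifier."""
    rid = request_id or "_" + uuid.uuid4().hex  # xsd:ID must not start with a digit
    instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    root = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": rid, "Version": "2.0", "IssueInstant": instant, "Destination": destination})
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(root, f"{{{SAML}}}NameID").text = name_id  # must match the signed-in user
    if session_index:
        ET.SubElement(root, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(root, encoding="unicode")


def redirect_url(slo_location, logout_request_xml):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    deflated = comp.compress(logout_request_xml.encode("utf-8")) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode("ascii")})
    sep = "&" if urlparse(slo_location).query else "?"
    return slo_location + sep + query


def parse_redirect_request(url):
    """Inverse of redirect_url: recover the LogoutRequest fields for checking."""
    saml_request = parse_qs(urlparse(url).query)["SAMLRequest"][0]
    xml = zlib.decompress(base64.b64decode(saml_request), -15).decode("utf-8")
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a samlp:LogoutRequest")
    idx = root.find(f"{{{SAMLP}}}SessionIndex")
    return {
        "id": root.get("ID"), "version": root.get("Version"),
        "issue_instant": root.get("IssueInstant"), "destination": root.get("Destination"),
        "issuer": root.findtext(f"{{{SAML}}}Issuer"), "name_id": root.findtext(f"{{{SAML}}}NameID"),
        "session_index": idx.text if idx is not None else None,
    }
```

The same DEFLATE/base64/URL-encode steps apply in reverse when your LogoutUrl receives the LogoutRequest Azure AD sends for IdP-initiated sign-out, before you validate its signature.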