Azure AD single logout configuration

Question
-
I am using Azure AD SAML 2.
I want my application to log out when Azure AD is logged out. I am trying to find a way to configure this; however, I am not able to find one. Please suggest some good documentation.
Logout needs to be done from the IdP to the SP.
Thursday, August 24, 2017 1:51 PM
All replies
-
You may refer to documentation on Single Sign-Out SAML Protocol & How Azure Active Directory uses the SAML protocol, see if this helps.
----------------------------------------------------------------------------------------------------------------
Do click on "Mark as Answer" on the post that helps you and vote it as helpful, this can be beneficial to other community members.
Thursday, August 24, 2017 4:04 PM
-
I am looking for IdP-initiated SAML Logout. Does Azure AD support it yet?
Friday, August 25, 2017 4:26 AM
-
When you use single sign-on (SSO), the application has its own session for the user, and there is also an active session with Azure AD. When the user wants to log out from the application and from Azure AD, the application should send the Logout Request to Azure AD after ending the application session. This way Azure AD can log the user out of the active Azure AD session.
If the application is using the SAML protocol, then the application should send the SAML Logout Request to Azure AD. If the application is not using SAML, then you can use the common logout endpoint: https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
-----------------------------------------------------------------------------------------------------------------------------------
Do click on "Mark as Answer" on the post that helps you and vote it as helpful, this can be beneficial to other community members.
Proposed as answer by SadiqhAhmed-MSFT (Microsoft employee), Monday, September 4, 2017 7:07 AM
Monday, September 4, 2017 7:07 AM
-
Hi,
I am using the SAML protocol for the application. I have tried different Logout URLs in the IdP configuration and I have registered the App Logout URL in Azure as https://<domain name>/IdP/SLO.aspx, but I still cannot see a Logout Request in the SAML message logs. Can you help me with the SAML Logout URL? What should the SAML logout endpoint be?
Thanks,
Tuesday, May 22, 2018 9:07 AM
-
Azure AD does support SAML Logout with IdP-initiated logout. First you need to configure the logout URL for the application, which you can do using the App Registration option in Azure AD. In the Properties of the app there is an option for it.
Once this is correctly configured, when the user logs out from the Access Panel at https://myapps.microsoft.com, Azure AD will broadcast the Logout message to your SLO endpoint.
Please try this and let us know how this goes.
Thanks,
Jeevan Desarda
Azure AD Program Manager - App Integration
Tuesday, November 20, 2018 12:34 AM
-
Azure AD does support SAML Logout with IdP-initiated logout. First you need to configure the logout URL for the application, which you can do using the App Registration option in Azure AD. In the Properties of the app there is an option for it.
Once this is correctly configured, when the user logs out from the Access Panel at https://myapps.microsoft.com, Azure AD will broadcast the Logout message to your SLO endpoint.
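The two logout directions discussed in this thread, SP-initiated (the app ends its own session and sends a LogoutRequest to Azure AD, as described in the September 2017 reply) and IdP-initiated (Azure AD sends a LogoutRequest to the app's registered logout URL, as described in the November 2018 reply), as an added worked example in Python. This is not code from the thread or from Microsoft. The tenant ID, entity IDs, URLs and session store are constructed placeholders, the five-minute IssueInstant window is an assumption, and XML signature verification, which a real SP must perform with a SAML library before acting on any incoming LogoutRequest, is assumed to have already succeeded when handle_idp_logout_request is called.

```python
"""Worked example (not from the forum thread): SP-initiated and IdP-initiated
SAML 2.0 single logout with only the standard library. All identifiers below
are constructed placeholders."""
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode, parse_qs

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed values; real ones come from the tenant's federation metadata
# and from the logout URL registered in the app's Properties in Azure AD.
TENANT = "00000000-0000-0000-0000-000000000000"
IDP_ENTITY_ID = f"https://sts.windows.net/{TENANT}/"
IDP_SLO_URL = f"https://login.microsoftonline.com/{TENANT}/saml2"
SP_ENTITY_ID = "https://sp.example.test/"
SP_SLO_URL = "https://sp.example.test/IdP/SLO.aspx"

# Constructed in-memory session store keyed by (NameID, SessionIndex).
SESSIONS = {("alice@example.test", "_sess-1"): {"user": "alice"}}


def _now():
    return datetime.now(timezone.utc)


def _instant(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_logout_request(issuer, destination, name_id, session_index):
    """Build a LogoutRequest. For SP-initiated SLO the app calls this with
    its own entity ID and Azure AD's SLO URL, after ending its local session."""
    root = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": _instant(_now()),
        "Destination": destination,
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(root, f"{{{SAML}}}NameID").text = name_id
    ET.SubElement(root, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(root, encoding="unicode")


def build_logout_response(in_response_to, destination):
    """LogoutResponse the SP returns to the IdP after terminating the session."""
    root = ET.Element(f"{{{SAMLP}}}LogoutResponse", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": _instant(_now()),
        "InResponseTo": in_response_to,
        "Destination": destination,
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    status = ET.SubElement(root, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": SUCCESS})
    return ET.tostring(root, encoding="unicode")


def redirect_binding_encode(xml_text, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = no zlib header
    raw = comp.compress(xml_text.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(raw).decode()}
    if relay_state:
        params["RelayState"] = relay_state
    return urlencode(params)


def redirect_binding_decode(query_string, param="SAMLRequest"):
    """Inverse of redirect_binding_encode for the given query parameter."""
    value = parse_qs(query_string)[param][0]
    return zlib.decompress(base64.b64decode(value), -15).decode()


def handle_idp_logout_request(xml_text, max_age=timedelta(minutes=5)):
    """IdP-initiated SLO: validate the LogoutRequest Azure AD sent to our
    registered logout URL, then terminate the matching local session.
    Assumption: the XML signature was already verified by a SAML library."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a LogoutRequest")
    issuer = root.findtext(f"{{{SAML}}}Issuer")
    if issuer != IDP_ENTITY_ID:
        raise ValueError(f"unexpected issuer {issuer!r}")
    if root.get("Destination") != SP_SLO_URL:
        raise ValueError("Destination does not match our SLO endpoint")
    issued = datetime.strptime(root.get("IssueInstant"), "%Y-%m-%dT%H:%M:%SZ")
    if abs(_now() - issued.replace(tzinfo=timezone.utc)) > max_age:
        raise ValueError("IssueInstant outside the accepted window")
    key = (root.findtext(f"{{{SAML}}}NameID"),
           root.findtext(f"{{{SAMLP}}}SessionIndex"))
    SESSIONS.pop(key, None)  # idempotent: an already-gone session is still Success
    return build_logout_response(root.get("ID"), IDP_SLO_URL)
```

The Destination and Issuer checks are what keep a LogoutRequest relayed from some other tenant or endpoint from ending sessions in this app; the IssueInstant window limits replay of a captured request. In the thread's troubleshooting case, logging the decoded SAMLRequest at the SLO endpoint before these checks run is the quickest way to tell "Azure AD never called us" apart from "the request arrived and we rejected it".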
Jeevan, I am testing IdP-initiated SLO with an SP that I'm developing, with Azure as the IdP. I can't get the Access Panel "Sign out" button to initiate an SLO request to my SP.
Interestingly, I have implemented SP-initiated SLO in my app and that works fine: I make the SLO request to Azure and it follows up with a request to my SP's SLO endpoint that is configured from the App Registration option.
However, if I click the "Sign out" button from the Access Panel, it redirects to a page saying it is signing out of all applications, but my SP SLO endpoint is never hit.
Are you sure the Access Panel supports IdP-initiated SLO? If so, is there some logging in Azure AD that I can look at to troubleshoot my problem?
Thanks!
Mark Porter
Tuesday, December 4, 2018 9:27 PM