Azure AD. IDP initiated single logout

Question

Hihi,

I need to get IDP initiated SLO working without errors. I have configured my logout endpoint in azure and the on the SP, using the SLO url provided by the IDP metadata.

When I send the saml logout response I get:

Request Id: 7af0ad15-1452-4da5-8eda-fe62607d0300
Correlation Id: d341f8d7-8352-4d86-b0a3-3777154de06b
Timestamp: 2019-07-04T10:44:05Z
Message: AADSTS7500513: The message type 'Microsoft.AzureAD.Protocols.Saml2.LogoutResponse' is not a supported type of SAML request. Supported SAML requests are AuthnRequest and LogoutRequest.

I'm sending the logout response to:
https://login.microsoftonline.com/{id}/saml2

Is this correct url for the response SLO response? I grabbed it from the azure metadata for my app.

Here is copy of the SAML logout request from microsoft and my SAML response:

<samlp:LogoutRequest ID="_3b603b51-6fe6-4e51-ad00-4fe36d6037c9"
                     Version="2.0"
                     IssueInstant="2019-07-04T10:44:04.786Z"
                     Destination="https://example.com/sp/logout.php"
                     NotOnOrAfter="2019-07-04T11:44:04.786Z"
                     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/09fa5f0e-2118-4656-8529-677ed8fdbe78/</Issuer>
    <NameID xmlns="urn:oasis:names:tc:SAML:2.0:assertion">f0WO8-FtB9LJX_KZQxsJS4mWGvzhPfkJCHfMXglrBBU</NameID>
    <samlp:SessionIndex>_0e40640e-c37b-4d8f-8887-b16da25d0400</samlp:SessionIndex>
</samlp:LogoutRequest>






<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                      ID="ONELOGIN_bff897c0ccaa51b32e92ea44b9061344bce9432b"
                      Version="2.0"
                      IssueInstant="2019-07-04T10:43:57Z"
                      Destination="https://login.microsoftonline.com/{{id}}/saml2"
                      InResponseTo="_3b603b51-6fe6-4e51-ad00-4fe36d6037c9"
>
    <saml:Issuer>https://example.com</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
</samlp:LogoutResponse>

Answer 1

Hello,

It looks like you're trying to implement a single log out solution in your environment. The docs on this can be found in the links here : 

https://docs.microsoft.com/en-us/azure/active-directory/develop/single-sign-out-saml-protocol

Per the diagram : 

You need to generate a logout request, and it looks like you're creating a logout response,

The logoutRequest structure is documented in the docs as well : 

https://docs.microsoft.com/en-us/azure/active-directory/develop/single-sign-out-saml-protocol#logoutrequest

In addition to that, you can do a sign-out via the OIDC flow to log the user out as shown below. 

https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-openid-connect-code#send-a-sign-out-request

And for a sample, please refer to the .net Single Sign Out sample here : https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-web-single-sign-out/

Please remember to mark one of the responses as answer if your question has been answered. If not please let us know if there are anymore questions.

Thanks!

Answer 2

I'm following up on this again, please remember to mark one of the responses as answer if your question has been answered. If not please let us know if there are anymore questions.

Thanks!

Answer 3

Thanks for your reply.

It needs to be SAML based SSO so I can't use the OIDC flow.

And it is an IDP initated logout, the documentation and your answer is assuming I'm doing a SP iniated logout (which I have also implemented and works fine).

IDP initiated = user is at office.com and chooses to logout, microsoft sends logout request to my server and I send the successfull logout response and that's where the problem starts as described in my original post.

Answer 4

Hello,

I see, I will go ahead and look into that for you to provide a definitive answer, but I don't believe that IDP single sign out is a supported feature, I'll try to update this thread as soon as possible once I have a response, 

Thanks! 

Answer 5

Hey, 

Unfortunately, there isn't a feature for IDP Single Sign Out.

I apologize for the inconvenience, 

Please remember to mark one of the responses as answer if your question has been answered. If not please let us know if there are anymore questions.

Thanks!