Identity Provider using SAML Logout Response for a federated domain

Ashish Rai 0 Reputation points
2024-08-05T15:27:01.9733333+00:00

I have set up my SSO using the SAML protocol for custom-domain users on my Azure portal, using the domain federation settings via the API https://learn.microsoft.com/en-us/graph/api/domain-post-federationconfiguration?view=graph-rest-1.0&tabs=http. Having provided the required URLs and federation settings, the SSO works completely fine, but when a user manually signs out from their Microsoft service, the identity provider is not getting a callback on the "signOutUri" parameter. Am I missing something here? Thanks in advance for the help.


1 answer

  1. Akhilesh Vallamkonda 10,325 Reputation points Microsoft Vendor
    2024-08-06T12:08:29.2933333+00:00

    Hi @Ashish Rai

    Thank you for reaching out to us!

    I understand that when a user manually signs out from their Microsoft service, the identity provider is not getting a callback on the "signOutUri" parameter.

    Please check that the logout endpoints are configured correctly and check your application is correctly sending SAML logout requests. The SAML protocol supports both single logout (SLO) and single sign-on (SSO). Ensure that the logout request is being sent to the IdP and that the IdP is configured to handle it properly.
    The logout request also needs to be configured according to this guide:
    Single Sign-Out SAML Protocol

    If you are unable to find the issue, collect a Fiddler trace and check for the actual SAML logout request being sent from the application to AAD. When the user clicks the sign-out button, a SAML logout request is generated by the app service and sent to AAD. Azure AD then signs out the user after verifying the signature of the SAML logout request, and then broadcasts logout requests to all the service providers in that session. After that, AAD sends a SAML logout response to the app service that initiated the sign-out request.

    Reference: https://learn.microsoft.com/en-us/answers/questions/148300/azure-ad-saml-2-no-redirection-to-the-sp-after-log
    https://learn.microsoft.com/en-us/answers/questions/1107511/azure-saml-logout-behavior

    Please let me know if you have any questions and I can help you further.
    Thanks,

    Akhilesh.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
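Decoding the messages in such a trace, as an added example (Python standard library only, not code from this thread or from Microsoft), assuming the HTTP-Redirect binding; the hostnames, IDs and sample message are constructed placeholders. It shows the fields worth comparing when the callback never completes: Destination against the endpoint that received the message, InResponseTo against the request ID, and the StatusCode of the response.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs, urlencode

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def encode_redirect(xml_text: str) -> str:
    # HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()

def decode_redirect(param: str) -> str:
    # Reverse of encode_redirect: base64-decode, then raw inflate.
    return zlib.decompress(base64.b64decode(param), -15).decode()

def to_redirect_url(endpoint: str, param: str, xml_text: str) -> str:
    return endpoint + "?" + urlencode({param: encode_redirect(xml_text)})

def summarize_logout_message(url: str) -> dict:
    # Decode a captured redirect URL's SAMLRequest/SAMLResponse and report the fields to check.
    q = parse_qs(urlparse(url).query)
    key = next((k for k in ("SAMLRequest", "SAMLResponse") if k in q), None)
    if key is None:
        raise ValueError("URL carries no SAMLRequest or SAMLResponse parameter")
    root = ET.fromstring(decode_redirect(q[key][0]))
    kind = root.tag.rsplit("}", 1)[-1]  # LogoutRequest or LogoutResponse
    info = {"type": kind, "id": root.get("ID"),
            "destination": root.get("Destination"),  # must be the endpoint that received it
            "issuer": root.findtext("saml:Issuer", namespaces=NS),
            # Redirect binding puts the signature in Signature/SigAlg query params, not the XML.
            "signed": "Signature" in q and "SigAlg" in q}
    if kind == "LogoutRequest":
        info["name_id"] = root.findtext("saml:NameID", namespaces=NS)
        info["session_index"] = root.findtext("samlp:SessionIndex", namespaces=NS)
    elif kind == "LogoutResponse":
        info["in_response_to"] = root.get("InResponseTo")  # must equal the request's ID
        code = root.find("samlp:Status/samlp:StatusCode", NS)
        info["status"] = code.get("Value") if code is not None else None
    return info

# Constructed sample (placeholder hostnames and IDs): a LogoutRequest arriving at an IdP logout endpoint.
SAMPLE_LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req-1" Version="2.0" '
    'IssueInstant="2024-08-05T15:27:01Z" Destination="https://idp.example.test/saml/logout">'
    '<saml:Issuer>https://sp.example.test</saml:Issuer><saml:NameID>user@example.test'
    '</saml:NameID><samlp:SessionIndex>_sess-1</samlp:SessionIndex></samlp:LogoutRequest>')
SAMPLE_URL = to_redirect_url("https://idp.example.test/saml/logout", "SAMLRequest", SAMPLE_LOGOUT_REQUEST)
```

Signature verification is deliberately left out: it requires the sender's signing certificate and a canonicalization-aware library, so the `signed` flag only tells you whether a signature was sent at all.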

