Entra Id - OpenID Single Sign Out

Question

Entra Id - OpenID Single Sign Out

Malvaro 145

Hi MS Team, I am creating a React Frontend project with 3 internal applications. Each application has a specific App Registration and I am using the MSAL library for the Single Sign On (OpenID). By default, when I have logged in one application the rest of the apps I will have an automatic token and I am "simulating" a SSO behaviour. However, when I am logging out from one application the rest of them I am still having the session active. My question is: Do we have a way to destroy all sessions of all applications for the user simulating the Single Sign Out? or Do we need to implement something manually to have this result? Thank you in advance, Cheers, Moisés.

Accepted answer

0 additional answers

Your answer

Answer 1

Navya 20,180 Microsoft External Staff Moderator

Hi @Malvaro

Thank you for posting this in Microsoft Q&A.

I understand you want to know the way to destroy all sessions of all applications for the user simulating the Single Sign Out.

One way to implement SSO is to use OpenID Connect front-channel logout feature. This feature allows an application to notify other applications that the user has logged out. When the user logs out of one application, the application sends a logout request to all other applications that the user has logged into. The other applications then log the user out as well.

To implement front-channel logout, you need to register the logout endpoints for all your applications with Azure AD Application registration

Add code to your application that listens for logout requests from other applications and logs the user out when a request is received. Sign-out behavior on browsers

Below is the sample code for SPA application.

const config = {
  auth: {
    clientId: "your_app_id",
    redirectUri: "your_app_redirect_uri", //defaults to application start page
    postLogoutRedirectUri: "your_app_logout_redirect_uri",
  },
};
const myMsal = new PublicClientApplication(config);
// you can select which account application should sign out
const logoutRequest = {
  account: myMsal.getAccountByHomeId(homeAccountId),
};
myMsal.logoutRedirect(logoutRequest);

For your reference: https://curity.io/resources/learn/openid-connect-logout/

Hope this helps. Do let us know if you any further queries.

Thanks,

Navya

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Malvaro 145 Reputation points

2024-02-15T12:49:36.23+00:00

Hi and thanks for getting back to me. If my understanding is correct, I've been trying to add the 4 logout URLs, however I have place just for one. Am I missing something?

Thanks Cheers, Moisés

Ps: I found this ticket https://learn.microsoft.com/en-us/answers/questions/1190224/how-can-i-add-multiple-logout-urls-for-an-enterpri if I got it, I need to implement the log out system, right?
Navya 20,180 Reputation points Microsoft External Staff Moderator

2024-02-16T06:39:12.9+00:00

Yes, you are correct. The property in the configuration object is used to specify the URL that the user should be redirected to after they have signed out. This property can only hold one URL at a time. you need to add the logout URLs for all three applications in order to implement the Single Sign Out (SSO) feature.
Malvaro 145 Reputation points

2024-02-16T11:27:05.8433333+00:00
Hi again and thanks for your answering my question,

In order to close the ticket I'd like to show my insights about this topic:

Following the below diagram, having 3 different app registration:

The App 1 runs the log out process.

The App 1 front-channer-logout will redirect to the custom logout url

The backend will communicate the rest of the apps via pub/sub, using for example SignalR or Azure Web pub/sub

The other apps will redirect to the logout.

Am I right?,

Thanks a lot,

Cheers,

Moisés.
Navya 20,180 Reputation points Microsoft External Staff Moderator

2024-02-20T16:36:06.7333333+00:00

Yes, that's correct. When the user logs out of App 1, the front-channel logout feature will redirect the user to the custom logout URL. The backend will then communicate with the other apps via pub/sub, using SignalR or Azure Web pub/sub, for example. The other apps will then redirect to the logout URL.

This way, the user will be logged out of all the apps that are part of the SSO system. Hope this helps. Do let us know if you any further queries.

Please remember to "Accept Answer" if answer helped you. This will help us as well as others in the community who might be researching similar questions.

Share via

Entra Id - OpenID Single Sign Out

0 additional answers

Your answer