Yes, not using the optional logout URL will serve the purpose, since the optional logout URL is used to send users to a place/page once the logout is complete. The session creator (in this case, Azure AD) signals logout by performing a broadcast to all participating applications in the principal's context. If applications decide to do nothing about this broadcast by Azure AD (by not redirecting users elsewhere) they will stay on the same page where they were previously located. So your solution should work.
Otherwise, the solution depends on the application config, since we don’t own the application code or logic. The SAML handlers/libraries are used by RP-STS/RP Apps responsible for generating and responding to logout requests. The logic would need to be set up to ignore those requests.
All applications participating in the session (Principal/NameID) where the app is initiating a logout will receive a logout request back from Azure AD. This is a broadcast to all resource providers participating in that session with the relevant principal. If Azure AD receives a response back to this logout request (from any other applications participating in the session), Azure AD terminates the session with those resource providers.
So everything depends on whether the other applications in the session respond to the logout request sent by Azure AD. If the other applications in the session ignore this logout request, the user will not be logged out from those apps.
Section 3.7 of the SAML 2.0 core specification describes that there can be multiple participants (other applications) in a session besides your application. If one of the other participants sends a LogoutRequest to the Microsoft identity platform (the session authority), it will send a LogoutRequest back to all the session participants except the participant who sent the initial LogoutRequest. If another participant simultaneously initiated sign-out, there would be a race to see which LogoutRequest reaches the Microsoft identity platform first. Therefore, an application should always be prepared to handle a LogoutRequest.
You would need to test for any abnormal behavior since there are benefits to the single logout approach.
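The relying-party side of the broadcast described in this answer, as an added example (not code from the answer or from Microsoft): a handler that ends the local sessions named in an incoming LogoutRequest and builds the LogoutResponse the session authority waits for. The function names, issuer and entity ID values are hypothetical, and the sketch assumes the SAML library has already verified the message signature and Destination.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from uuid import uuid4

P = "urn:oasis:names:tc:SAML:2.0:protocol"
A = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": P, "saml": A}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Constructed values for illustration (assumptions, not from the page).
IDP_ISSUER = "https://idp.example.test/"
SP_ENTITY_ID = "https://app.example.test/saml"
SAMPLE_REQUEST = f"""<samlp:LogoutRequest xmlns:samlp="{P}" xmlns:saml="{A}"
    ID="_req123" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <saml:NameID>alice@example.test</saml:NameID>
</samlp:LogoutRequest>"""

def build_response(in_response_to, status):
    """Build the LogoutResponse; InResponseTo ties it to the request ID."""
    ET.register_namespace("samlp", P)
    ET.register_namespace("saml", A)
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    resp = ET.Element(f"{{{P}}}LogoutResponse", {
        "ID": "_" + uuid4().hex, "Version": "2.0",
        "IssueInstant": now, "InResponseTo": in_response_to})
    ET.SubElement(resp, f"{{{A}}}Issuer").text = SP_ENTITY_ID
    status_el = ET.SubElement(resp, f"{{{P}}}Status")
    ET.SubElement(status_el, f"{{{P}}}StatusCode", {"Value": status})
    return ET.tostring(resp, encoding="unicode")

def handle_logout_request(xml_text, sessions):
    """sessions maps (name_id, session_index) -> local session state.
    Removes the matching sessions and returns the response XML."""
    # Assumption: signature and Destination were checked before this call.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTDs are not allowed in SAML messages")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{P}}}LogoutRequest" or not root.get("ID"):
        raise ValueError("not a well-formed LogoutRequest")
    if root.findtext("saml:Issuer", namespaces=NS) != IDP_ISSUER:
        raise ValueError("LogoutRequest from unexpected issuer")
    name_id = root.findtext("saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("LogoutRequest has no NameID")
    # No SessionIndex means every session of this principal is ended.
    indexes = [e.text for e in root.findall("samlp:SessionIndex", NS)]
    doomed = [k for k in sessions
              if k[0] == name_id and (not indexes or k[1] in indexes)]
    for key in doomed:
        del sessions[key]
    # Idempotent: answer Success even if the session was already gone.
    return build_response(root.get("ID"), SUCCESS)
```

An application that chooses to ignore the broadcast, as the answer discusses, would skip the session removal and send no response, leaving the user signed in to that app.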