25,196 questions
SP initiated SAML SLO Logout URL configuration
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 54%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EP%3C/text%3E%3C/svg%3E)
photon
6
Reputation points
I am seeing an issue with my SAML configuration with SLO. I have a SP initiated logout work flow for which I have configured "LogoutURL" as below
I have two questions:
Question 1 --> I understand from this document that azure sends Logout request to all SP in the session and after which the Logout response to logout URL. Does Azure send LogoutRequest to the SP initiating the logout? If not, I am not seeing the logout response.
My logout request looks as below.
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0" ID="_7c12b29b-f538-4956-a407-9db035f07733" IssueInstant="2022-12-31T04:56:34.507Z" NotOnOrAfter="2022-12-31T04:58:04.507Z" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
matching-entityId
</saml2:Issuer>
<saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
test@keyman .com
</saml2:NameID>
<saml2p:SessionIndex>
_dc156a51-cef2-4cf4-872b-600892254801
</saml2p:SessionIndex>
</saml2p:LogoutRequest>
Question 2 --> This is more of a SAML configuration question, does Azure send both LogoutRequest and LogoutResponse to configured LogoutURL depending on the IDP initiated or SP initiated workflow?
Since I am seeing LogoutRequest sent back from Azure after the initial LogoutRequest from SP. I am processing that to send back LogoutResponse, I never see terminating LogoutResponse from azure after. Is there some configuration or flow I am missing?
Thanks in advance
Microsoft Security | Microsoft Entra | Microsoft Entra ID
{count} vote
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator2023-01-04T01:05:50.303+00:00 Hi @photon ,
The application sends the SAML logout request to Azure AD. Then Azure AD logs out the user and sends the SAML Logout Response back to the application.
The logout request also needs to be configured according to this guide:
https://learn.microsoft.com/en-us/azure/active-directory/develop/single-sign-out-saml-protocol
Have you followed all of the configuration from the single sign-out SAML guide?
-
photon 6 Reputation points
2023-01-04T23:12:35.54+00:00 Thanks for the response @Marilee Turscak-MSFT
I have followed the guide you posted. The guide specifically says
If one of the other participants sends a LogoutRequest to the Microsoft identity platform (the session authority), it will send a LogoutRequest back to all the session participants except the participant who sent the initial LogoutRequest.
Issuer
Issuer in the SAML logout request matches the 'Application ID URI' as configured in the manage->Expose An API screen.SessionIndex matches the session ID I get back in SAML assertion during SSO
In my specific case, I am expecting a SAMLResponse on the configured LogoutUrl, instead of SAMLRequest from Azure as a response to the SAML Logout request.
Thanks!
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(76.8, 5%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESK%3C/text%3E%3C/svg%3E)
Sylwester K 0 Reputation points2024-01-08T17:04:47.3233333+00:00 I'm having a similar issue. I'm using MS Entra ID Enterprise Applications with SAML SSO and I can't get the SLO to work. My Identity Provider initiates a SLO with LogoutRequest and it's expecting a LogoutResponse on the Logout URL I've configured as part of the Enterprise App SSO. Instead of a LogoutResponse I see a LogoutRequest being sent by Entra ID.
I was testing different configuration options and always see the same result.
Sign in to comment
Sign in to answer