SP initiated SAML SLO Logout URL configuration

photon 6 Reputation points
2022-12-31T05:25:00.15+00:00

I am seeing an issue with my SAML configuration with SLO. I have an SP-initiated logout workflow for which I have configured "LogoutURL" as below:

[image: LogoutURL configuration screenshot (275174-image.png)]

I have two questions:

Question 1 --> I understand from this document that Azure sends a LogoutRequest to all SPs in the session, and after that the LogoutResponse to the logout URL. Does Azure send a LogoutRequest to the SP initiating the logout? If not, I am not seeing the logout response.

My logout request looks as below.

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0" ID="_7c12b29b-f538-4956-a407-9db035f07733" IssueInstant="2022-12-31T04:56:34.507Z" NotOnOrAfter="2022-12-31T04:58:04.507Z" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
matching-entityId
</saml2:Issuer>
<saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
test@keyman .com
</saml2:NameID>
<saml2p:SessionIndex>
_dc156a51-cef2-4cf4-872b-600892254801
</saml2p:SessionIndex>
</saml2p:LogoutRequest>

Question 2 --> This is more of a SAML configuration question: does Azure send both LogoutRequest and LogoutResponse to the configured LogoutURL, depending on whether the workflow is IdP-initiated or SP-initiated?

Since I am seeing a LogoutRequest sent back from Azure after the initial LogoutRequest from the SP, I am processing that to send back a LogoutResponse, but I never see the terminating LogoutResponse from Azure afterwards. Is there some configuration or flow I am missing?

Thanks in advance

Microsoft Security | Microsoft Entra | Microsoft Entra ID
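Both of the poster's questions come down to the fact that a single LogoutURL receives two different message types: a LogoutRequest when the IdP propagates a logout to this SP (including the case where the IdP answers an SP-initiated logout by first asking the SP to end its own session), and a LogoutResponse when the IdP answers a LogoutRequest this SP sent. The example below is added here and is not code from the post or from Microsoft. It shows an SP-side handler that tells the two apart and applies the checks a defender wants before acting on either: the Issuer must be the expected IdP, the Destination must be this SP's LogoutURL, a LogoutRequest must not be past its NotOnOrAfter, and a LogoutResponse is accepted only if its InResponseTo matches a request ID the SP actually issued and is still waiting on. The SP URL, the tenant in the Issuer, the message IDs and the sample messages are constructed placeholders; XML signature verification is assumed to be done by the SAML library before this step.

```python
"""Classify and validate inbound SAML 2.0 single-logout messages at an SP's LogoutURL.

Added example, not from the forum post or from Microsoft. Signature verification is
assumed to happen upstream in the SAML library; this step decides what the message is
and whether it is addressed to this SP and tied to a request this SP really sent.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed values for this SP (placeholders, not from the post).
SP_LOGOUT_URL = "https://sp.example.test/saml/slo"
IDP_ISSUER = "https://sts.windows.net/TENANT-ID-PLACEHOLDER/"

# Request IDs this SP has sent and not yet seen answered (constructed; the ID is the one in the post).
OUTSTANDING = {"_7c12b29b-f538-4956-a407-9db035f07733"}

# Clock values used by the examples below (constructed).
NOW = datetime(2022, 12, 31, 4, 57, 0, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2022, 12, 31, 5, 0, 0, tzinfo=timezone.utc)


def _text(elem, tag):
    child = elem.find(tag)
    return child.text.strip() if child is not None and child.text else None


def _parse_instant(value):
    # xs:dateTime in UTC, with or without fractional seconds
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError("unparseable xs:dateTime: %r" % value)


def classify_slo_message(xml_text, outstanding_ids, now,
                         sp_logout_url=SP_LOGOUT_URL, idp_issuer=IDP_ISSUER):
    """Return a dict: kind, ok, and either a reason for rejection or the data to act on."""
    root = ET.fromstring(xml_text)
    kind = root.tag[len(SAMLP):] if root.tag.startswith(SAMLP) else root.tag
    if kind not in ("LogoutRequest", "LogoutResponse"):
        return {"kind": kind, "ok": False, "reason": "not an SLO message"}

    issuer = _text(root, SAML + "Issuer")
    if issuer != idp_issuer:
        return {"kind": kind, "ok": False, "reason": "unexpected Issuer %r" % issuer}

    dest = root.get("Destination")
    if dest is not None and dest != sp_logout_url:
        return {"kind": kind, "ok": False, "reason": "Destination %r is not this SP" % dest}

    if kind == "LogoutRequest":
        # IdP-initiated propagation: end the local session, then answer with a LogoutResponse
        not_after = root.get("NotOnOrAfter")
        if not_after and now >= _parse_instant(not_after):
            return {"kind": kind, "ok": False, "reason": "request expired"}
        return {"kind": kind, "ok": True, "request_id": root.get("ID"),
                "name_id": _text(root, SAML + "NameID"),
                "session_index": _text(root, SAMLP + "SessionIndex"),
                "action": "terminate_session_then_send_logout_response"}

    # LogoutResponse: only meaningful if it answers a request this SP is still waiting on
    irt = root.get("InResponseTo")
    if irt not in outstanding_ids:
        return {"kind": kind, "ok": False, "reason": "InResponseTo %r is not outstanding" % irt}
    code_elem = root.find(SAMLP + "Status/" + SAMLP + "StatusCode")
    code = code_elem.get("Value") if code_elem is not None else None
    return {"kind": kind, "ok": code == STATUS_SUCCESS, "in_response_to": irt,
            "status": code, "action": "clear_outstanding_id_and_complete_logout"}


# Constructed sample messages (IDs, tenant and user are placeholders).
IDP_LOGOUT_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_idp-req-placeholder-0001" Version="2.0" IssueInstant="2022-12-31T04:56:40Z"
  NotOnOrAfter="2022-12-31T04:58:10Z" Destination="https://sp.example.test/saml/slo">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.test</saml:NameID>
  <samlp:SessionIndex>_session-index-placeholder</samlp:SessionIndex>
</samlp:LogoutRequest>"""

IDP_LOGOUT_RESPONSE = """<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_idp-resp-placeholder-0001" Version="2.0" IssueInstant="2022-12-31T04:56:45Z"
  InResponseTo="_7c12b29b-f538-4956-a407-9db035f07733"
  Destination="https://sp.example.test/saml/slo">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:LogoutResponse>"""


if __name__ == "__main__":
    for msg in (IDP_LOGOUT_REQUEST, IDP_LOGOUT_RESPONSE):
        print(classify_slo_message(msg, OUTSTANDING, NOW))
    # A response whose InResponseTo the SP never issued is rejected:
    print(classify_slo_message(IDP_LOGOUT_RESPONSE, set(), NOW))
```

With this split in place, the flow the poster describes reads as expected: the LogoutRequest that arrives after the SP's own request is the IdP asking the SP to end its session and must be answered with a LogoutResponse whose InResponseTo is that request's ID; a terminating LogoutResponse from the IdP is only valid against the ID the SP put in its original request, so keeping that ID in the outstanding set (and removing it once answered) is what makes the response verifiable rather than merely received.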
