Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,473 questions
Azure AD is not logging out Identity provider of SAML configured Enterprise application.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(73.60000000000001, 64%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENM%3C/text%3E%3C/svg%3E)
Nilotpal Mahadani
0
Reputation points
I have configured an Identity Provider and SAML based Single Sign on with an Enterprise application. I have also configured a Sign out URL there.
When azure AD gets logged out, it is not triggering logout call to the identity provider.
Is there a way to ensure that logout gets called? Or is there any specific config that needs to be done for enabling global logout?
My settings:
I have created an Enterprise application(SAML based Single Sign on) option under Azure Active Directory:
The green highlighted Logout URL setting is assigned a Logout URL that my 3rd party Identity Provider(a.k.a A service Provider/SP in this context) has. This logout URL is available in the generated SAML metadata by the 3rd party Identity provider/SP as SingleLogoutService.
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Marilee Turscak-MSFT 33,801 Reputation points Microsoft Employee2023-01-25T02:07:48.82+00:00 Hi @Nilotpal Mahadani Which logout URL are you using and what do you have configured in the app registration and in the app itself?
-
Nilotpal Mahadani 0 Reputation points
2023-01-27T12:21:41.4366667+00:00 Hello, I have updated the question with additional details. I needed to use SSO where Azure AD would be an IdP and my 3rd party identity provider as SP. That is why I used Enterprise applications option.
-
Marilee Turscak-MSFT 33,801 Reputation points Microsoft Employee
2023-02-01T23:23:19.0766667+00:00 It sounds like the session is not being removed. Is the SAML logout request being sent to the other IdP?
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="12345" Version="2.0" IssueInstant="2021-01-22T00:00:00Z" Destination="https://tenant-name.b2clogin.com/tenant-name.onmicrosoft.com/policy-name/Samlp/logout"> <saml:Issuer>http://your-app.com/app1</saml:Issuer> </samlp:LogoutRequest>
Sign in to comment