SAML SSO Single Logout (SLO) not working in case of MyApps

Rohit Pawar 20 Reputation points
2023-09-05T14:16:06.1433333+00:00

Hello, I'm using Azure AD for SAML Single Sign-On (SSO), and I've encountered an issue. I've configured the optional Logout URL inside the Microsoft AD SAML SSO settings, which simply works as a post-logout URL. After logging in to Microsoft MyApps and signing out from there, I noticed that I was not redirected to the optional logout URL. Is there something I might have overlooked in the configuration that would allow the redirect or trigger the logout URL? I need this because I have some application-level cleanup tasks to perform.

Can I configure something to enable it?


Accepted answer
  1. Akshay-MSFT 17,786 Reputation points Microsoft Employee
    2023-10-03T13:42:12.6733333+00:00

    @Rohit Pawar

    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this!

    Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    Issue: SLO is not redirecting to the optional logout URL configured in SAML SSO properties.

    Solution:

    You had the SameSite property set to Lax. When SameSite is set to Lax, the cookie is sent in requests within the same site and in GET requests from other sites. It isn't sent in GET requests that are cross-domain.

    To overcome the authentication failures, web apps authenticating with the Microsoft identity platform can set the SameSite property to None for cookies that are used in cross-domain scenarios when running on the Chrome browser. Other browsers (see here for a complete list) follow the previous behavior of SameSite and won't include the cookies if SameSite=None is set. In your case, you opted to use a centralized entity for the user: when a logout request comes in, the user is found based on the NameID in the SAML request and marked as logged out.

    If you have any other questions or are still running into more issues, please let me know.

    Thank you again for your time and patience throughout this issue.

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

    Thanks,

    Akshay Kaushik


1 additional answer

  1. Rohit Pawar 20 Reputation points
    2023-09-12T06:35:21.3266667+00:00

    I have found the solution to my question. Actually, internally a logout GET request is called when you log out from Azure MyApps. The problem was on my end: my application used the SameSite property set to Lax, so on the MyApps GET logout request a new session was launched in our application (because the browser blocked the cookie on the cross-site request), and because of that the request was not able to perform the logout logic on behalf of the logged-in user.

    I have prevented this problem by using a centralized entity for the user: when a logout request comes in, we find the user based on the NameID in the SAML request and mark it as logged out.

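The fix both answers describe, as an added example that is not the poster's or Microsoft's code: a logout handler that ignores the (possibly withheld) session cookie and instead looks the user up by the NameID in the SAML LogoutRequest, marking their server-side session logged out. The XML, NameID, tenant id and session ids are constructed placeholders, and the request's signature and Issuer are assumed to have been verified before this handler runs.

```python
# Added example (not the poster's code): handle a SAML LogoutRequest by NameID
# in a server-side session store, so SLO works even when the browser withholds
# the session cookie on the cross-site GET from MyApps (SameSite=Lax).
import xml.etree.ElementTree as ET  # use defusedxml in production to harden parsing

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample LogoutRequest; every value is a placeholder, not from a real tenant.
SAMPLE_LOGOUT_REQUEST = """<samlp:LogoutRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-request-id" Version="2.0" IssueInstant="2023-09-12T06:00:00Z">
  <saml:Issuer>https://sts.windows.net/EXAMPLE-TENANT-ID/</saml:Issuer>
  <saml:NameID>alice@example.com</saml:NameID>
  <samlp:SessionIndex>sess-1</samlp:SessionIndex>
</samlp:LogoutRequest>"""

# Centralized session store keyed by NameID; a user may hold several sessions.
SESSIONS = {"alice@example.com": {"sess-1": "active", "sess-2": "active"},
            "bob@example.com": {"sess-3": "active"}}

def parse_logout_request(xml_text):
    """Return (NameID, SessionIndex or None). Assumes the request's XML
    signature and Issuer were already verified upstream (not shown here)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise ValueError("not a samlp:LogoutRequest")
    name_id = root.find("saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("LogoutRequest carries no NameID")
    idx = root.find("samlp:SessionIndex", NS)
    session_index = idx.text.strip() if idx is not None and idx.text else None
    return name_id.text.strip(), session_index

def handle_logout(xml_text, store=SESSIONS):
    """Mark the user's session(s) logged out using only the request body,
    never the (possibly missing) cookie. Returns how many were invalidated."""
    name_id, session_index = parse_logout_request(xml_text)
    user_sessions = store.get(name_id, {})
    # A known SessionIndex ends just that session; otherwise end all of the user's.
    targets = [session_index] if session_index in user_sessions else list(user_sessions)
    for sid in targets:
        user_sessions[sid] = "logged_out"  # run application-level cleanup here
    return len(targets)

def is_session_active(name_id, session_id, store=SESSIONS):
    """Check every later request against the store, not just the cookie."""
    return store.get(name_id, {}).get(session_id) == "active"
```

Because the lookup is by NameID rather than by cookie, the handler works whether or not the browser attached the session cookie to the cross-site GET.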
