Does Azure AD/Microsoft Entra ID support IdP Initiated SLO?

Subhaye 35

I have configured my SP to receive the SAML logout request in the 'Logout Url' registered in Azure AD SAML Toolkit SSO Configuration. But I receive no requests from the IdP when User Account is Restricted(session revoke, user removal, etc.) Is there something I am missing for IdP Initiated SLO. Is it supported? If its not, any estimate on when IdP Initiated SLO feature might be added?

Marilee Turscak-MSFT 36,411 Reputation points Microsoft Employee

2023-10-10T23:05:45.54+00:00

@Subhaye

Azure AD/Microsoft Entra supports the SAML 2.0 web browser single sign-out profile. For single sign-out to work correctly, the single sign out URL/LogoutURL for the application must be explicitly registered with Azure AD during application registration.

If Azure AD receives a response back to this logout request (from any other applications participating in the session), Azure AD terminates the session with those resource providers. So everything depends on whether the other applications in the session respond to the logout request sent by Azure AD. If the other applications in the session ignore this logout request, the user will not be logged out from those apps.

Once you have configured the single sign out URL in Azure AD, the application sends the SAML logout request to Azure AD (GET request only). Then Azure AD will logout the user and send the SAML Logout Response back to the application. You will find this Logout URL configuration in the Azure AD Enterprise Application > App > Single sign on page.

Note that the external IdP has to support SLO. AAD signs out the original user/app which sends the logout request and broadcasts a logout request to all service providers in the session. If the user is federated with an external IDP it has to handle the logout request and sign out the user. Per section 3.7 of the SAML 2.0 core specification, there can be multiple participants (other applications) in a session besides your application. If one of the other participants sends a LogoutRequest to the Microsoft identity platform (the session authority), it will send a LogoutRequest back to all the session participants except the participant who sent the initial LogoutRequest. If another participant simultaneously initiated sign-out, there would be a race to see which LogoutRequest reaches Microsoft identity platform first. Therefore, an application should always be prepared to handle a LogoutRequest. If the external IdP cannot handle the logout request you need to add a custom redirect in the app for IDP logout.

https://learn.microsoft.com/en-us/azure/active-directory/develop/single-sign-out-saml-protocol

Let me know if this addresses your question.

(See related discussion.)

If the information helped you, please accept the answer. This will help us as well as others in the community who may be researching similar information. Otherwise let us know if you have further questions.
Subhaye 35 Reputation points

2023-10-10T23:20:12.6133333+00:00

What you've described here is SP initiated logout. I was asking about IdP Initiated SLO. Particularly when User Account is Restricted(session revoke, user removal, etc.)
Marilee Turscak-MSFT 36,411 Reputation points Microsoft Employee

2023-10-11T18:30:47.1733333+00:00

If you create a non-gallery SAML app for the service provider, it will support IdP-initiated flow. Which service provider are you using?
JamesTran-MSFT 36,541 Reputation points Microsoft Employee

2023-10-16T20:06:54.6033333+00:00

@Subhaye

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
Subhaye 35 Reputation points

2023-10-17T00:04:49.17+00:00

I created enterprise application with Azure AD SAML Toolkit, so I believe my IdP is Azure AD/Microsoft Entra itself and the service provider is my own custom server.
So, will I be able to use IdP-initiated flow this way?
If not, can you expand more on non-gallery SAML app configuration thats required to support IdP-initiated flow.

It is Single Log Out initiated by IdP that we are talking about right?
Subhaye 35 Reputation points

2023-10-17T00:10:51.0566667+00:00

My issue is not resolved yet and I just inquired a followup to the answer I was provided. However, I was told that IdP Initiated SLO is not supported in the Support Case I created. So, its whats held me back from pursuing further details on this matter. But as I read comment by Marilee Turscak, its supported??
Marilee Turscak-MSFT 36,411 Reputation points Microsoft Employee

2023-10-17T00:18:54.1433333+00:00

I apologize, @Subhaye . I have reviewed conflicting information and have reached out to a product group engineer to confirm about this functionality. Let me get back to you.
ghazi 0 Reputation points

2023-10-30T17:54:18.2+00:00
I was implementing this today. I didn't use the demo app "Azure AD SAML Toolkit SSO", I created my own enterprise app. The IdP-initiated logout works fine. Still, here are few things that might be causing your issue:

under "Single Sign-on" > "Basic SAML Configuration", the logout url should be set

the user used for testing the saml integration should be assigned to the enterprise app (can be done from the left sidebar under "Users and groups")

make sure to first log in via SSO before logging out. I was logging and in and out from office.com multiple times and was wondering why I'm not receiving the logout request from MS Entra ID. It seems like MS Entra ID tracks SSO sessions and only sends a logout request to the sp when there is a previous SSO session from that sp (as opposed to checking all available SPs and sending them a logout request).

in case you're implementing this in python, check out python3-saml, it's been very helpful in implementing saml flows
Subhaye 35 Reputation points

2023-10-31T00:56:42.2566667+00:00

@ghazi I wonder if your test case was truly IdP-initiated. If you clicked logout in your app, it means the Service Provider(SP) sent the request to Identity Provider (IdP, MS Entra ID) hence it is SP-initiated. To truly test IdP-initiated logout, we need to either revoke the user sessions or remove the user from the enterprise app. If the logout request is then received in your Service Provider (which is in other cases referred to as Application Server), we can confirm that IdP-initiated logout works.

ghazi 0

I wasn't very explicit about it, but the way I tested IdP-initiated logout is by "logging out from office.com" not from my SP. That's why I'm saying it works. The logout request I received looks like this

<samlp:LogoutRequest
		ID="*******"        
		Version="2.0"
		IssueInstant="2023-10-30T13:11:47.479Z"
		Destination="https://*******.ngrok-free.app/*****"
		NotOnOrAfter="2023-10-30T14:11:47.479Z"
		xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
	<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
		https://sts.windows.net/**********/
	</Issuer>
	<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
		********************
	</NameID>
    <samlp:SessionIndex>**************</samlp:SessionIndex>
</samlp:LogoutRequest>

The NameID value is how I identified the user and terminated their session in my SP.

Subhaye 35 Reputation points

2023-10-31T09:17:55.0633333+00:00

I got that you didn't sign out from your app, but you signed out from another app. The Service Provider of that app initiated the log out and not the IdP(MS Entra ID). So, this is still SP-initiated logout. What you are describing is just Single Log Out (SP initiated type), which indeed is supported and works. However, IdP initiated SLO is yet not supported by MS Entra ID
ghazi 0 Reputation points

2023-10-31T15:15:07.37+00:00
I see what you mean now.

I was looking at it differently:

SP-initiated logout: is when my SP sends a LogoutRequest and receives a LogoutResponse

IdP-initiated login is when I receive a LogoutRequest and send a LogoutResponse

So, if another SP triggers the logout, then from the perspective of my web app, it's an IdP initiated logout since it received LogoutRequest and sent a LogoutResponse. Which now makes me unsure of the correct definition of IdP-initiated logout.

Anyway, I'll try removing the user from the enterprise app and see what happens
ghazi 0 Reputation points

2023-10-31T15:19:39.5533333+00:00

just tested, removing the user from the enterprise app does not trigger any request back to my SP.
Subhaye 35 Reputation points

2023-10-31T15:58:40.7433333+00:00

I see where you are getting confused. I am quoting what you said: "So, if another SP triggers the logout, then from the perspective of my web app, it's an IdP initiated logout since it received LogoutRequest and sent a LogoutResponse."
Actually, even from the perspective of your web app, the received LogoutRequest is not from IdP, the client side app(browser) makes the request to your web app as the result of the redirects for original logout request to the IdP.
Hence, understanding the underlying implementation clearly shows that its a SP-initiated logout and not IdP-initiated.
Subhaye 35 Reputation points

2023-10-31T16:03:43.4766667+00:00

So the easiest way to distinguish is, SP-initiated SLO begins from the client side while IdP-initiated SLO begins from the IdP side.
Subhaye 35 Reputation points

2023-11-01T03:00:34.2633333+00:00

@ghazi It just crossed my mind that you said you had used NameID value to identify the user and terminate their session in your SP. However, the user may have been signed in multiple devices and logging the user out of all those devices might not be the right approach. If the cors configuration and cookies have been set up properly, you will be able to receive them with the Logout Request since the requests originate from client side where the session cookies for your SP are set.
In a Logout request from IdP, there would have been IdP session identifier such as sessionIndex.
ghazi 0 Reputation points

2023-11-01T05:51:56.3166667+00:00

Interesting, I didn't think about it that way. I was thinking that SLO is all about logging a user out from everywhere (as in every device). But, after your comment, it sounds like SLO is still local to a device, right?
Subhaye 35 Reputation points

2023-11-01T06:19:53.52+00:00

Yes, SLO is basically logging out from every SPs which was logged in using the corresponding IdP session authorization or SSO instance. Although SLO concept is local to a client instance, you may choose to log out from all the devices if thats your requirement. But users might find it intrusive and bothersome that logging out of one device causes them to be logged out from all others too. Logout from all devices only makes sense if user chooses to revoke all sessions rather than just logout. Its all about making user experience smooth and easy.
ghazi 0 Reputation points

2023-11-01T07:54:29.62+00:00

I see, this discussion has been very informative to me. Thank you very much!!
Subhaye 35 Reputation points

2023-11-01T11:54:07.58+00:00

Thank you too for the engagement in this topic. Would you upvote the feature request for IdP initiated SLO? I registered it some time ago but seems to gain no interest.
https://feedback.azure.com/d365community/idea/c93d8560-126e-ee11-a81c-002248544521

Accepted answer

Marilee Turscak-MSFT 36,411 Reputation points Microsoft Employee

2023-10-18T22:12:01.75+00:00

Hi @Subhaye ,

I apologize for the confusion before. I had incorrect information.

You are correct that Entra (Azure AD) does not support IdP-initiated SLO. There is a work item to add this capability in the future. The endpoint that processes IDP messages only understands logout responses and not requests.

So yes, this is a limitation on our end. There is no current workaround available over the SAML protocol. There are other IDP-initiated signout endpoints available (such as the WS-Fed endpoint, and the generic logout.srf endpoint), but none of these are “SAML” endpoints, so it is unlikely that a third party IDP will support using them.

The background behind this is that back when ESTS started supporting the login.srf endpoint, the requirement was to only support scenarios that were in active use. There was no evidence we needed to support IDP-initiated signout as most SAML IDPs at the time didn’t actually support federated signout.

Since things have changed over the years, there is now an open work item to add this functionality, but no ETA yet for when it will be available. You can also add a feature request in feedback.azure , where the product team can reply directly. https://feedback.azure.com/

If the information addressed your question, please consider Accepting the answer. This will help us and improve discoverability for others in the community who may be researching the same question. Otherwise let me know if you have further questions.
Please sign in to rate this answer.
Subhaye 35 Reputation points

2023-10-18T23:35:22.73+00:00

@Marilee Turscak-MSFT Thank you for confirming this and the detailed answer. Looking forward to this functionality being added.

Bobby Nielsen 0 Reputation points

2024-05-13T09:29:41.3833333+00:00

Any progress on the work item? And is it publicly available, so we can follow along?
Sign in to comment

Share via

Does Azure AD/Microsoft Entra ID support IdP Initiated SLO?

0 additional answers