Does Azure AD/Microsoft Entra ID support IdP Initiated SLO?

Subhaye 35 Reputation points
2023-10-10T07:42:43.5166667+00:00

I have configured my SP to receive the SAML logout request in the 'Logout Url' registered in Azure AD SAML Toolkit SSO Configuration. But I receive no requests from the IdP when User Account is Restricted(session revoke, user removal, etc.) Is there something I am missing for IdP Initiated SLO. Is it supported? If its not, any estimate on when IdP Initiated SLO feature might be added?

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,768 questions
{count} votes

Accepted answer
  1. Marilee Turscak-MSFT 34,546 Reputation points Microsoft Employee
    2023-10-18T22:12:01.75+00:00

    Hi @Subhaye ,

    I apologize for the confusion before. I had incorrect information.

    You are correct that Entra (Azure AD) does not support IdP-initiated SLO. There is a work item to add this capability in the future. The endpoint that processes IDP messages only understands logout responses and not requests.

     

    So yes, this is a limitation on our end. There is no current workaround available over the SAML protocol. There are other IDP-initiated signout endpoints available (such as the WS-Fed endpoint, and the generic logout.srf endpoint), but none of these are “SAML” endpoints, so it is unlikely that a third party IDP will support using them.

    The background behind this is that back when ESTS started supporting the login.srf endpoint, the requirement was to only support scenarios that were in active use. There was no evidence we needed to support IDP-initiated signout as most SAML IDPs at the time didn’t actually support federated signout.

     

    Since things have changed over the years, there is now an open work item to add this functionality, but no ETA yet for when it will be available. You can also add a feature request in feedback.azure , where the product team can reply directly. https://feedback.azure.com/

    If the information addressed your question, please consider Accepting the answer. This will help us and improve discoverability for others in the community who may be researching the same question. Otherwise let me know if you have further questions.


0 additional answers

Sort by: Most helpful