Hi @Subhaye,
I apologize for the confusion before. I had incorrect information.
You are correct that Entra (Azure AD) does not support IdP-initiated SLO. There is a work item to add this capability in the future. The endpoint that processes IdP messages only understands logout responses and not requests.
So yes, this is a limitation on our end. There is no current workaround available over the SAML protocol. There are other IdP-initiated signout endpoints available (such as the WS-Fed endpoint, and the generic logout.srf endpoint), but none of these are "SAML" endpoints, so it is unlikely that a third-party IdP will support using them.
The background behind this is that back when ESTS started supporting the login.srf endpoint, the requirement was to only support scenarios that were in active use. There was no evidence we needed to support IdP-initiated signout, as most SAML IdPs at the time didn't actually support federated signout.
Since things have changed over the years, there is now an open work item to add this functionality, but no ETA yet for when it will be available. You can also add a feature request in feedback.azure, where the product team can reply directly: https://feedback.azure.com/
If the information addressed your question, please consider Accepting the answer. This will help us and improve discoverability for others in the community who may be researching the same question. Otherwise let me know if you have further questions.