Front-channel logout URL not being called

Question

I have a registered application (non enterprise) which is configured with a public facing "Front-channel logout URL"

It doesn't appear that the URL is ever being called. I have logged in via Entra ID using a SAML AuthnRequest then have tried revoking the session via "revoke sessions", "sign out everywhere" and disabling the user but non of the above result in the URL being called.

Is there any additional configuration required for this other than the "Front-channel logout URL"?

Answer 1

Hi @Graeme Faulkner ,

Thanks for reaching out.

The Front-channel logout URL in Entra ID specifies the single sign-out logout URL. When a user clears their session with Entra ID using any other registered application, Entra ID sends a logout request to this URL.

Entra ID supports the front channel logout feature, allowing for a single sign-out across all applications when a user initiates logout. To implement this feature using MSAL.js, follow these steps:

1. Create a dedicated logout page within your application. Ensure that this page exclusively handles logout functionality and does not perform other tasks, such as token acquisition during page load (refer to details below). This page will be loaded in a concealed iframe and, for Azure AD and MSA users, will incorporate the iss and sid query parameters.
2. In the Azure Portal, go to the Authentication page for your application and register the page created in step one as the Front-channel logout URL. Note that this page must be accessed via https.

Reference - https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/logout.md#front-channel-logout

Hope this will help.

Thanks,

Shweta

---

Please remember to "Accept Answer" if answer helped you.