Prompt for credentials when different user tries to login with Microsoft Single Sign On using SAML

Rachir Bulsara 0 Reputation points

We have the below-mentioned requirement on our login screen.

  1. User enters their email Id in our application and selects Microsoft to log in with that email Id.
  2. User logs in to our platform with Microsoft SSO using SAML.
  3. User then logs out from our application, not from Microsoft.
  4. User again tries to log in to our application with a different Microsoft email Id.
  5. Now, as soon as we hit the Microsoft authentication URL, it automatically performs the login with the first email Id (the account that is still active in the browser).
  6. Is there a way that we can pass the email Id to Microsoft along with the authentication URL, or any other way, so that if the email Id is the same as the active user, it automatically signs the user in, but if the email Id passed is different from the signed-in accounts, then it asks for authentication credentials?

Please guide us on this.

Tags: Active Directory Federation Services, Microsoft Entra ID
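As an added example (not part of the question or of either answer), here is how a service provider could carry the typed e-mail into the SAML AuthnRequest and force re-authentication only when it differs from the account it last saw from that browser. `ForceAuthn` and `Subject/NameID` are standard SAML 2.0 AuthnRequest content; `ForceAuthn="true"` tells the IdP to re-authenticate even when it already has a session, while using the `NameID` as a username pre-fill is an IdP-specific behaviour that must be confirmed against Microsoft's SAML protocol documentation. The URLs, addresses and the HTTP-Redirect encoding helper are constructed for this example and the request is left unsigned.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import urlencode, urlparse, parse_qs
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, entered_email, active_email=None):
    """Build an SP-initiated AuthnRequest.

    entered_email: what the user typed on our login screen.
    active_email:  the account our app last saw in a SAML assertion from this
                   browser (None if unknown). If the two differ, ForceAuthn="true"
                   is set so the IdP must re-authenticate instead of silently
                   reusing its existing session. Returns (xml_string, force_authn).
    """
    force_authn = (active_email is not None
                   and entered_email.strip().lower() != active_email.strip().lower())
    attrs = {
        "ID": "_" + uuid.uuid4().hex,  # xs:ID must start with a letter or underscore
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    }
    if force_authn:
        attrs["ForceAuthn"] = "true"
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", attrs)
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = sp_entity_id
    # Subject/NameID carries the typed e-mail as a login hint (schema order is
    # Issuer, Subject, NameIDPolicy). Whether the IdP pre-fills the username from
    # it is IdP-specific; this example only shows where the hint travels.
    subject = ET.SubElement(root, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID", {"Format": EMAIL_FORMAT}).text = entered_email.strip()
    ET.SubElement(root, f"{{{SAMLP}}}NameIDPolicy", {"Format": EMAIL_FORMAT, "AllowCreate": "true"})
    return ET.tostring(root, encoding="unicode"), force_authn


def parse_authn_request(xml_text):
    """Read back the two fields this example cares about (for tests and debugging)."""
    root = ET.fromstring(xml_text)
    name_id = root.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    return {
        "force_authn": root.get("ForceAuthn", "false"),
        "login_hint": name_id.text if name_id is not None else None,
    }


def redirect_binding_url(idp_sso_url, request_xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, base64, URL-encode into SAMLRequest.
    A production SP also signs the query string (SigAlg/Signature); omitted here."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 => raw deflate, no zlib header
    deflated = comp.compress(request_xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return idp_sso_url + ("&" if "?" in idp_sso_url else "?") + urlencode(params)


def decode_redirect_url(url):
    """Inverse of redirect_binding_url: recover the AuthnRequest XML from the URL."""
    param = parse_qs(urlparse(url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(param), -15).decode("utf-8")


if __name__ == "__main__":
    # Constructed sample values; the IdP URL is a placeholder, not a real endpoint.
    xml, forced = build_authn_request("https://sp.example.test/saml/metadata",
                                      "https://sp.example.test/saml/acs",
                                      "https://idp.example.test/saml2",
                                      "bob@example.test", active_email="alice@example.test")
    print("ForceAuthn set:", forced)
    print(redirect_binding_url("https://idp.example.test/saml2", xml, relay_state="/home"))
```

The decision to set `ForceAuthn` is made by the SP from its own record of the last assertion it received, so the first login (no known active account) and a repeat login with the same address both go through silently, while a different address triggers a fresh credential prompt at the IdP.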

2 answers

  1. Bruce 61,491 Reputation points

  2. Akshay-MSFT 17,656 Reputation points Microsoft Employee

    @Rachir Bulsara

    Thank you for posting your query on Microsoft Q&A. From the above description I understand that you are looking to do single sign-out of the user session once the user signs out of the application.

    Please confirm if this is not the ask by responding in the comments section.

    As per Single Sign-Out SAML Protocol:

    For single sign-out to work correctly, the LogoutURL for the application must be explicitly registered with Microsoft Entra ID during application registration.

    If the app is added to the Azure App Gallery then this value can be set by default. Otherwise, the value must be determined and set by the person adding the app to their Microsoft Entra tenant. Microsoft Entra ID uses the LogoutURL to redirect users after they're signed out. Microsoft Entra ID supports redirect binding (HTTP GET), and not HTTP POST binding.

    Also, the second thing to take care of is the "Issuer" in the request:

    The Issuer element in a LogoutRequest must exactly match one of the ServicePrincipalNames in the cloud service in Microsoft Entra ID. Typically, this is set to the App ID URI that is specified during application registration.

    If you don't have any further queries and the suggestion above answers your ask, please "Accept the answer". This will help us and others in the community as well.


    Akshay Kaushik

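As an added example (not from the answer above and not Microsoft's code), here is an SP-side pre-flight check for the three points the answer makes about single sign-out: the `Issuer` of the LogoutRequest must exactly match one of the registered ServicePrincipalNames, a LogoutURL must be registered, and the request must go over HTTP-Redirect (GET) rather than POST. The near-match hint for case or trailing-slash differences is this example's own heuristic, and the SPN values, URLs and session identifiers are constructed placeholders; the request is left unsigned.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def check_slo_config(issuer, registered_spns, logout_url, binding):
    """Pre-flight checks for single sign-out; returns a list of problems (empty = OK)."""
    problems = []
    if issuer not in registered_spns:
        # The match must be exact; flag the usual near-misses so they are easy to spot.
        near = [s for s in registered_spns
                if s.rstrip("/").lower() == issuer.rstrip("/").lower()]
        detail = (f" (near match {near[0]!r}: differs only in case or trailing slash)"
                  if near else "")
        problems.append(f"Issuer {issuer!r} is not exactly one of the registered "
                        f"ServicePrincipalNames{detail}")
    if not logout_url:
        problems.append("LogoutURL is not registered; the IdP has nowhere to redirect after sign-out")
    elif not logout_url.startswith("https://"):
        problems.append(f"LogoutURL {logout_url!r} is not https")
    if binding != REDIRECT_BINDING:
        problems.append(f"binding {binding!r} is not supported for single sign-out; "
                        "use HTTP-Redirect (GET)")
    return problems


def build_logout_request(issuer, idp_slo_url, name_id, session_index):
    """SP-initiated LogoutRequest. NameID and SessionIndex are taken from the
    assertion received at login so the IdP can identify which session to end."""
    root = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_slo_url,
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer       # must equal a registered SPN
    ET.SubElement(root, f"{{{SAML}}}NameID").text = name_id
    ET.SubElement(root, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(root, encoding="unicode")


def logout_redirect_url(idp_slo_url, logout_request_xml):
    """HTTP-Redirect binding (GET): raw DEFLATE + base64 in the SAMLRequest parameter.
    A production SP also signs the query string (SigAlg/Signature); omitted here."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(logout_request_xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    return idp_slo_url + ("&" if "?" in idp_slo_url else "?") + urlencode(params)


def issuer_of(logout_request_xml):
    """Return the Issuer text of a LogoutRequest (for tests and debugging)."""
    return ET.fromstring(logout_request_xml).findtext(f"{{{SAML}}}Issuer")


if __name__ == "__main__":
    # Constructed sample configuration; the SPN follows the App ID URI convention.
    spns = ["api://contoso-sp-app"]
    print(check_slo_config("api://contoso-sp-app/", spns,
                           "https://sp.example.test/logout", POST_BINDING))
```

Running the check before wiring up sign-out turns the two silent failure modes the answer describes (an Issuer that is almost but not exactly an SPN, and a POST binding the IdP will not accept) into explicit messages instead of a logout that simply does nothing.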