How to effectively enable SSO and SLO across multiple websites?

Question

How to effectively enable SSO and SLO across multiple websites?

Manuel Tospann 271

Hello,

We're experiencing an issue with Entra External ID where Single Sign-On (SSO) works across multiple applications, but Single Logout (SLO) does not function as expected.

Scenario:

We have multiple app registrations, each corresponding to a different website.
All app registrations use the same user flow configured in Entra External ID.
SSO is functioning correctly; users can sign in once and access all applications seamlessly.

Problem:

When a user logs out from one website:
- The user selects the account that they want to sign out of:
- The session for that specific application is terminated.
- The CIAM cookies are deleted.
Despite this, the user remains logged in on the other websites.
When attempting to log out from the other websites, users are not prompted to select an account to log out from, and the logout process doesn't seem to acknowledge the active session. It looks like this:

Goal:

We want a true SLO experience where logging out from one application signs the user out of all other applications associated with the same user flow.

Are there additional configurations or steps required to enable SLO across multiple applications in Entra External ID?

Is there a recommended approach or best practices for implementing SLO in this scenario?

Could this be related to how session tokens or cookies are managed across different domains?

Any guidance or suggestions would be greatly appreciated.

Thank you!

Navya 20,100 Reputation points Microsoft External Staff Moderator

2024-09-30T10:31:28.1733333+00:00

Hi @Manuel T

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and "Up-Vote" for the same, which might be beneficial to other community members reading this thread. if you have any further query do let us know.
Navya 20,100 Reputation points Microsoft External Staff Moderator

2024-10-04T11:45:13.2166667+00:00

Hi @Manuel T

Is there anything else I can help you with regarding this issue? If you still need further help, please feel free to let me know. If your question has been solved, then you can click "Accept Answer", which may help members with similar questions find the answer easily.

Accepted answer

0 additional answers

Your answer

Navya 20,100 Reputation points Microsoft External Staff Moderator

2024-09-30T10:31:28.1733333+00:00

Hi @Manuel T

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and "Up-Vote" for the same, which might be beneficial to other community members reading this thread. if you have any further query do let us know.
Navya 20,100 Reputation points Microsoft External Staff Moderator

2024-10-04T11:45:13.2166667+00:00

Hi @Manuel T

Is there anything else I can help you with regarding this issue? If you still need further help, please feel free to let me know. If your question has been solved, then you can click "Accept Answer", which may help members with similar questions find the answer easily.

Answer 1

Hi @Manuel T

Thank you for posting this in Microsoft Q&A.

I understand you have multiple app registrations, each corresponding to a different website, and they all use the same user flow configured in Entra External ID. Single Sign-On (SSO) is working correctly, but Single Logout (SLO) is not functioning as expected. When a user logs out from one website, they remain logged in on the other websites.

If a single user session is active, Microsoft Entra ID will automatically select that session and the SAML logout will proceed. If multiple user sessions are active, Microsoft Entra ID will enumerate the active sessions for user selection. After user selection, the SAML logout will proceed.

To further troubleshoot the issue, you can try the following:

1.Verify that the logout endpoint is being called correctly when a user initiates logout.

2.Verify that the CIAM cookies are being deleted correctly when a user logs out.

You can Implement front-channel logout, which involves redirecting the user to the logout endpoint when they initiate logout. This will ensure that the user is logged out from all applications.

You can find more information in this document: https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc#what-is-a-front-channel-logout-url

Hope this helps. Do let us know if you any further queries.

Thanks,

Navya.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Manuel Tospann 271 Reputation points

2024-09-26T11:45:33.39+00:00

Hi Navya.

Thanks for the detailed response. I think I made a mistake when I first tested the front channel logout URL. Now, I can see that when I logout from application A, there are http get calls to the front channel logout URLs of all app registrations. That's perfect. We'll create a logout endpoint for each app that invalidates the session.

And if we add something that auto-refreshes open tabs with the related apps, we can eliminate the issue of having empty logout forms.
Navya 20,100 Reputation points Microsoft External Staff Moderator

2024-09-27T03:56:37.8866667+00:00

Hi @Manuel T

Thanks for the update. It's great to hear that you've successfully implemented the front-channel logout URL and are planning to create a logout endpoint for each app. Your plan to auto-refresh open tabs with the related apps should also help eliminate the issue of having empty logout forms. If you have any further questions or need any additional help, feel free to ask. Please remember to "Accept Answer" if answer helped you. This will help us as well as others in the community who might be researching similar questions.

Share via

How to effectively enable SSO and SLO across multiple websites?

0 additional answers

Your answer