This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 61%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Hello,
We're experiencing an issue with Entra External ID where Single Sign-On (SSO) works across multiple applications, but Single Logout (SLO) does not function as expected.
Scenario:
Problem:
Goal:
Are there additional configurations or steps required to enable SLO across multiple applications in Entra External ID?
Is there a recommended approach or best practices for implementing SLO in this scenario?
Could this be related to how session tokens or cookies are managed across different domains?
Any guidance or suggestions would be greatly appreciated.
Thank you!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 26%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EN%3C/text%3E%3C/svg%3E)
Hi @Manuel T
Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and "Up-Vote" for the same, which might be beneficial to other community members reading this thread. if you have any further query do let us know.
Hi @Manuel T
Is there anything else I can help you with regarding this issue? If you still need further help, please feel free to let me know. If your question has been solved, then you can click "Accept Answer", which may help members with similar questions find the answer easily.
Hi @Manuel T
Thank you for posting this in Microsoft Q&A.
I understand you have multiple app registrations, each corresponding to a different website, and they all use the same user flow configured in Entra External ID. Single Sign-On (SSO) is working correctly, but Single Logout (SLO) is not functioning as expected. When a user logs out from one website, they remain logged in on the other websites.
If a single user session is active, Microsoft Entra ID will automatically select that session and the SAML logout will proceed. If multiple user sessions are active, Microsoft Entra ID will enumerate the active sessions for user selection. After user selection, the SAML logout will proceed.
To further troubleshoot the issue, you can try the following:
1.Verify that the logout endpoint is being called correctly when a user initiates logout.
2.Verify that the CIAM cookies are being deleted correctly when a user logs out.
You can Implement front-channel logout, which involves redirecting the user to the logout endpoint when they initiate logout. This will ensure that the user is logged out from all applications.
You can find more information in this document: https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc#what-is-a-front-channel-logout-url
Hope this helps. Do let us know if you any further queries.
Thanks,
Navya.
If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Hi Navya.
Thanks for the detailed response. I think I made a mistake when I first tested the front channel logout URL. Now, I can see that when I logout from application A, there are http get calls to the front channel logout URLs of all app registrations. That's perfect. We'll create a logout endpoint for each app that invalidates the session.
And if we add something that auto-refreshes open tabs with the related apps, we can eliminate the issue of having empty logout forms.
Hi @Manuel T
Thanks for the update. It's great to hear that you've successfully implemented the front-channel logout URL and are planning to create a logout endpoint for each app. Your plan to auto-refresh open tabs with the related apps should also help eliminate the issue of having empty logout forms. If you have any further questions or need any additional help, feel free to ask. Please remember to "Accept Answer" if answer helped you. This will help us as well as others in the community who might be researching similar questions.