LogoutURL in Single Sign-Out SAML Protocol

Question

LogoutURL in Single Sign-Out SAML Protocol

Karl Gardner 195

Hello,

I'm trying to learn a bit more about the single sign out for the SAML protocol in Azure. However, I am a bit confused when the documentation mentions the LogoutURL. The documentation mentions that the LogoutURL is in the application metadata, however I am searching the LogoutURL in the following link: https://login.microsoftonline.com/common/federationmetadata/2007-06/federationmetadata.xml

and do not see it in their. If Microsoft Entra is sending a LogoutResponse to the applications LogoutURL wouldn't it have to be set in the app registration as this url should be in application code?

Thanks!

2 answers

Your answer

Answer 1

Raja Pothuraju 45,785 Microsoft External Staff Moderator

Hello @Karl Gardner,

Thank you for posting your query on Microsoft Q&A.

From your description, I understand that you're looking for information on the Single Sign-Out SAML Protocol and the Entra Logout URL in the Federation Metadata XML. You can find the Entra SAML Logout URL in the SingleLogoutService path of the Federation Metadata XML file.

User's image

When a user signs out of your application, or whenever they click "Sign Out" on the application page, your application should generate a SAML Logout request and send it to the Entra Logout URL (i.e., https://login.microsoftonline.com/common/saml2) along with the SAML Logout request. Entra ID will then validate the request and send a SAML response to your application's Logout URL. Below is a screenshot that illustrates the SAML Logout flow.

Screenshot of the Microsoft Entra Single Sign Out Workflow.

And you don't need make any changes in App registration for a SAML protocol application.

I hope this information is helpful. Please feel free to reach out if you have any further questions.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Thanks,
Raja Pothuraju.

Karl Gardner 195 Reputation points

2024-10-09T04:27:14.31+00:00

Hello @Raja Pothuraju and @Abiola Akinbade , So I have understand everything that you are saying except for the statement "Entra ID will then validate the request and send a SAML response to your application's Logout URL." My original question was how does Entra ID know my application Logout URL? I believe this "application Logout URL" that you are mentioning would be the app registration Front-channel logout URL:

Can you confirm that this is correct?

Thanks,

Karl
Raja Pothuraju 45,785 Reputation points Microsoft External Staff Moderator

2024-10-09T09:02:24.53+00:00

Hello @Karl Gardner,

Thank you for your response.

If your application uses the SAML protocol, you need to configure it under the 'Basic SAML Configuration' tab. You can update the application’s Logout URL there.

While this step is optional in many cases, if you want the response to redirect to a specific Logout URL, you should add your application's Logout URL in the 'Basic SAML Configuration' section.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Thanks,
Raja Pothuraju.
Raja Pothuraju 45,785 Reputation points Microsoft External Staff Moderator

2024-10-10T22:38:34.1933333+00:00

Hello @Karl Gardner,

Following up to see if the below suggestion was helpful. And, if you have any further query do let us know.
Karl Gardner 195 Reputation points

2024-10-11T03:53:59.9366667+00:00

Hello @Raja Pothuraju , Yes this was very helpful! I'm still reviewing on how to configure to use SAML and will accept the answer then
Raja Pothuraju 45,785 Reputation points Microsoft External Staff Moderator

2024-10-14T20:22:23.67+00:00

Hello @Karl Gardner,

Thank you for your response.

Please let me know if you need any other additional information on this.
Karl Gardner 195 Reputation points

2024-10-15T04:24:38.83+00:00

Hello @Raja Pothuraju , thanks for being patient with this! So I actually don't see an option to switch the service principle (or app registration) to use SAML instead of the default OpenId Connect for SSO. Would this be done somewhere in the app registration?
Raja Pothuraju 45,785 Reputation points Microsoft External Staff Moderator

2024-10-15T10:05:10.7066667+00:00
Hello @Karl Gardner,

Thank you for your response.

It seems the application you're referring to only has OIDC configured, which is why you’re unable to set up SAML. If you’ve created the application from the App Registration blade, you can only configure OAuth and OIDC protocols. To set up SAML SSO, you need to create your application from the Enterprise Applications blade.

If the application is available in the gallery, you can configure it as a gallery app; if not, you’ll need to choose the non-gallery option.

Once you’ve created a new application in the Enterprise Applications section, you can set up SAML SSO under the Single Sign-On blade.

For reference, I’ve included screenshots below to help explain:

If you create your application via the App Registration blade and navigate to the Single Sign-On section under Enterprise Applications, you will see a UI similar to the one below.

However, if the application was created from the Enterprise Applications blade, you’ll be able to configure SAML SSO, and the UI will look like this.

If this doesn’t match your scenario, please share a screenshot for better clarity. I’ll be happy to assist further.

Thanks,
Raja Pothuraju.
Raja Pothuraju 45,785 Reputation points Microsoft External Staff Moderator

2024-10-17T10:55:27.9133333+00:00

Hello @Karl Gardner, Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Raja Pothuraju 45,785 Reputation points Microsoft External Staff Moderator

2024-10-24T07:06:24.3+00:00

Hello @Karl Gardner, Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Answer 2

Abiola Akinbade 30,485 Volunteer Moderator

SSO doesn’t always include the LogoutURL in its federation metadata.

LogoutURL in SLO for SAML must be configured on the Service Provider side, and Microsoft Entra ID sends a LogoutRequest to this URL when the user logs out. You need to set this up in your App Registration in Azure and make sure that your application can handle the SLO request.

https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app?tabs=certificate

If the LogoutURL is not visible in federation metadata, that’s because it is defined in your application settings, not within the IdP’s metadata.

You can mark it 'Accept Answer' and 'Upvote' if this helped you

Regards,

Abiola

Karl Gardner 195 Reputation points

2024-10-07T00:43:27.1233333+00:00

Hello @Abiola Akinbade ,

The only options in the documentation you sent are to provide a Redirect URI or a front-channel logout URL. I know the front channel logout url is used for OAuth2.0 SLO but is this the same concept for SAML SLO ?

Share via

LogoutURL in Single Sign-Out SAML Protocol

2 answers

Your answer