AzureAD Sign out bindings

Identity_Q 41

Does Azure AD supports HTTP-POST ? I can see HTP-Redirect is used in metadata but need to confirm if HTTP-POST can be used as well. Some applications may have hard dependency on HTTP-Post and unless it is supported by AzureAD, sign out on those apps wont work.

Accepted answer

soumi-MSFT 11,716 Reputation points Microsoft Employee

2020-05-11T12:02:25.63+00:00

@IdentityQ-6734, Azure AD implements the SAML 2.0 web browser single sign-out profile. As part of the single sign-out flow the browser will be redirected (HTTP Redirect) to this url, so it is not possible to configure this call to be only a POST. This article provides a detailed description of the single sign-out flow in Azure AD, and for more info about the SAML 2.0 web browser single sign-out profile you can refer to the specification here.
Please sign in to rate this answer.
soumi-MSFT 11,716 Reputation points Microsoft Employee

2020-05-11T12:05:48.837+00:00

@Identity_Q , Hope this helps. Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as "Answer" if the above response helped in answering your query.

soumi-MSFT 11,716 Reputation points Microsoft Employee

2020-05-13T06:58:36.117+00:00

@Identity_Q , Got one more update around this ask. , We don’t currently support POST binding for logout. It is on our backlog.

Adding an entry in the Azure's metadata for a HTTP-POST wont work here.

Hope this helps. Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as "Answer" if the above response helped in answering your query.
Sign in to comment

1 additional answer

soumi-MSFT 11,716 Microsoft Employee

@IdentityQ-6734, Ideally the following http bindings are available by default in Azure AD metadata

 <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/c2d4955e-81d6-xxx-8388-68xxxxxxe8dc243/saml2"/>
 <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/c2d4955e-81d6-xxx-8388-68xxxxxxe8dc243/saml2"/>
 <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.microsoftonline.com/c2d4955e-81d6-xxx-8388-68xxxxxxe8dc243/saml2"/>

I am not seeing HTTP-POST for SingleLogoutService. I would request you to allow me sometime to check on this and will get back to you in sometime.