Enterprise applications -> SAML logout not working in Edge and Chrome browser

NB 1 Reputation point
2021-05-25T08:29:03.46+00:00

Software: Azure Active Directory -> Enterprise applications -> Own application -> Single Sign-On with SAML -> Logout process
Description: Logout process does not work because of browser policies
Affected browsers: Microsoft Edge 90.0.818.62, Google Chrome 90.0.4430.212
Not affected browser: Mozilla Firefox 88.0.1

Problem description:

The logout process in customer (=own) applications runs in three steps:

  1. User clicks logout button in customer application, page redirects to https://login.microsoftonline.com for SAML logout with SAML data
  2. https://login.microsoftonline.com processes Azure logout and includes logout page from customer application as embedded iframe to ensure that logout is processed in Azure AND customer application (See: Set up Single Sign-On with SAML -> Logout Url)
  3. https://login.microsoftonline.com redirects with Javascript method "window.location.href" back to customer application

Steps 2 and 3 do not work in current Chrome based browsers because of security policies:

Step 2 error in developer console:
Unsafe attempt to initiate navigation for frame with origin 'https://login.microsoftonline.com' from frame with URL [customer application logout URL]'.
The frame attempting navigation is targeting its top-level window, but is neither same-origin with its target nor has it received a user gesture.
See https://www.chromestatus.com/features/5851021045661696

Step 3 error in developer console:
Uncaught DOMException: Failed to set the 'href' property on 'Location':
The current window does not have permission to navigate the target frame to [customer application index URL].

Result: No logout on customer application and no redirect to customer application. Browser gets stuck on https://login.microsoftonline.com.

Workaround: User can set a browser exception for this case/site. But users will not understand the reason and will not do it.

Possible solution (proposal):
Allow customer application site with Content Security Policy (CSP) settings in Microsoft logout page.
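As an added illustration (this is not code from the original post, nor from Microsoft's logout page): the step 2 error above is the browser refusing to let a cross-origin iframe navigate its top-level window unless the frame has a user gesture. The script below shows how a customer application's logout page can detect that it is framed by a different origin, still clear its own session, and not be left with an uncaught DOMException when the navigation is refused. The window objects are constructed doubles that imitate the two quoted errors; the URL https://app.example, the session object and the logout-complete message are assumptions made for this example only.

```javascript
// Constructed double of a cross-origin top window. Reading its location throws a
// SecurityError, and assigning href throws (as Chrome/Edge 90 do for a frame that
// is neither same-origin with its target nor holding a user gesture).
function makeCrossOriginTop(userGesture) {
  const navigated = [];
  const location = {
    get origin() { throw new Error('SecurityError: cross-origin frame'); },
    get href() { throw new Error('SecurityError: cross-origin frame'); },
    set href(url) {
      if (!userGesture) {
        throw new Error("DOMException: Failed to set the 'href' property on 'Location'");
      }
      navigated.push(url);
    },
  };
  return { location, navigated };
}

// Constructed double of the window the customer logout page runs in.
// `top` null means the page is not framed at all.
function makeFramedWindow(top, parentMessages) {
  const win = {
    location: { href: 'https://app.example/logout' }, // assumed app URL
    parent: { postMessage: (msg, origin) => parentMessages.push({ msg, origin }) },
  };
  win.self = win;
  win.top = top || win;
  return win;
}

// Detect whether we are framed and whether the top window shares our origin.
function frameContext(win) {
  if (win.self === win.top) return { framed: false, sameOriginTop: true };
  try {
    void win.top.location.origin; // throws across origins
    return { framed: true, sameOriginTop: true };
  } catch (_) {
    return { framed: true, sameOriginTop: false };
  }
}

// The pattern that breaks in the post's step 2: navigate top unconditionally.
function naiveLogout(win, session, indexUrl) {
  session.cleared = true;
  win.top.location.href = indexUrl; // throws in a cross-origin frame without a gesture
  return 'navigated-top';
}

// Guarded variant: end the session first (independent of any navigation permission),
// navigate only when it is known to be allowed, and otherwise report completion
// to the framing page instead of dying on the refused navigation.
function guardedLogout(win, session, indexUrl, idpOrigin) {
  session.cleared = true;
  const ctx = frameContext(win);
  if (!ctx.framed) {
    win.location.href = indexUrl;
    return 'navigated-self';
  }
  if (ctx.sameOriginTop) {
    win.top.location.href = indexUrl;
    return 'navigated-top';
  }
  try {
    win.top.location.href = indexUrl; // permitted only with a user gesture
    return 'navigated-top';
  } catch (_) {
    // Cross-origin parent refused the navigation: tell it (and only it) that the
    // application session is gone, and leave the redirect to the parent.
    win.parent.postMessage({ type: 'logout-complete' }, idpOrigin);
    return 'reported-to-parent';
  }
}
```

The postMessage target origin is pinned to the identity provider's origin rather than '*', so the completion signal cannot be read by an unexpected framing page. Whether the framing page listens for it is outside this example; the point is that the session is cleared and the page does not fail in a way the user can see.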
