Bypass the Azure AD SSO “choose an account” prompt when calling the end_session_endpoint logout URL

AdeRB 31 Reputation points
2021-09-08T10:02:51.297+00:00

Hello, I'm new to SSO, but we have a situation where for specific use-cases we need to log out Windows users from their AAD sessions (all through Chrome), and we would like to do this automatically (e.g. after the screen is locked and a period of inactivity has expired).

After reading the Azure OIDC Protocols sign-out documentation we tried (using a script) fetching the end_session_endpoint from https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration and calling the logout endpoint; however, the 'Pick an Account' user prompt appears, which requires user interaction before the user is logged out and therefore doesn't help us automatically log the user out.

Is there a way of avoiding this user prompt so that the logout can occur automatically, e.g. by passing the session details? Alternatively, is there another method that we could explore for a specific set of users (we don't want to reduce the AAD session timer for all users)?

Many thanks.

Microsoft Entra ID

1 answer

  1. Siva-kumar-selvaraj 15,551 Reputation points
    2021-09-09T10:30:24.203+00:00

    Hello @AdeRB ,

    Thanks for reaching out.

    This is an expected behavior (Pick an account) with the v2.0 endpoint during logout (https://login.microsoftonline.com/common/oauth2/v2.0/logout), and our engineering team is working on a feature request which skips the picker and signs out a user automatically, but we don't have any ETA as of today.

    Meanwhile, I would recommend you try using the V1 logout endpoint and see if that helps you with this scenario. Hope this helps.

    Well Known V1 endpoint: https://login.microsoftonline.com/common/.well-known/openid-configuration
    Logout V1 Endpoint: https://login.microsoftonline.com/common/oauth2/logout
    Sample Logout request: https://login.microsoftonline.com/common/oauth2/logout?post_logout_redirect_uri=https://portal.azure.com:443/

    ------
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
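Added example (not code from the thread or from Microsoft): a Python helper that reads end_session_endpoint from an OpenID discovery document, refuses to trust it unless it is an https URL on login.microsoftonline.com, tells the V1 and v2.0 endpoints apart, and builds the logout URL with a URL-encoded post_logout_redirect_uri as in the sample request above. The two discovery documents are constructed stand-ins holding only the fields used here; the trusted host and the redirect URI are assumptions.

```python
import json
from urllib.parse import urlencode, urlsplit

# Constructed stand-ins for the V1 and v2.0 discovery documents named in the thread.
# A live fetch of the .well-known URL returns many more fields than these.
DISCOVERY_V1 = json.dumps({
    "issuer": "https://sts.windows.net/{tenantid}/",
    "end_session_endpoint": "https://login.microsoftonline.com/common/oauth2/logout",
})
DISCOVERY_V2 = json.dumps({
    "issuer": "https://login.microsoftonline.com/{tenantid}/v2.0",
    "end_session_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/logout",
})

# Assumption: the only host a logout redirect may be sent to.
TRUSTED_HOST = "login.microsoftonline.com"


def end_session_endpoint(discovery_json: str) -> str:
    """Extract end_session_endpoint; reject anything not on the expected https host."""
    doc = json.loads(discovery_json)
    endpoint = doc.get("end_session_endpoint")
    if not endpoint:
        raise ValueError("discovery document has no end_session_endpoint")
    parts = urlsplit(endpoint)
    if parts.scheme != "https" or parts.hostname != TRUSTED_HOST:
        raise ValueError(f"unexpected end_session_endpoint: {endpoint}")
    return endpoint


def is_v1_endpoint(endpoint: str) -> bool:
    """The v2.0 logout endpoint carries /oauth2/v2.0/ in its path; V1 does not."""
    return "/oauth2/v2.0/" not in urlsplit(endpoint).path


def build_logout_url(endpoint: str, post_logout_redirect_uri: str) -> str:
    """Append post_logout_redirect_uri; the value must itself be https and is URL-encoded."""
    if urlsplit(post_logout_redirect_uri).scheme != "https":
        raise ValueError("post_logout_redirect_uri must be an https URL")
    return endpoint + "?" + urlencode({"post_logout_redirect_uri": post_logout_redirect_uri})


if __name__ == "__main__":
    for doc in (DISCOVERY_V1, DISCOVERY_V2):
        ep = end_session_endpoint(doc)
        label = "V1 " if is_v1_endpoint(ep) else "v2.0"
        print(label, build_logout_url(ep, "https://portal.azure.com:443/"))
```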