Azure AD - The Logout Url is populated from the wrong application metadata field

Max Dudzinski 21 Reputation points
2022-07-05T07:17:00.333+00:00

I have been using the documentation located at: https://learn.microsoft.com/en-us/azure/active-directory/develop/single-sign-out-saml-protocol to enable the SAML Single Sign-Out profile.

I have created an Enterprise Application (EA) on the AAD portal.

My application's SAML metadata is:

<m:EntityDescriptor entityID="max-test" ID="_0b4fa43e-1e1c-4fa9-a4d6-adcf246b53bc" xmlns:m="urn:oasis:names:tc:SAML:2.0:metadata">
    <m:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAssertionsSigned="true">
        <m:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:5001/saml/slo/logout" ResponseLocation="https://localhost:5001/saml/slo/response" />
        <m:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:5001/saml/consumer" index="0" isDefault="true" />
        <m:AttributeConsumingService index="0" isDefault="true">
            <m:ServiceName xml:lang="en">BlaBla</m:ServiceName>
            <m:RequestedAttribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" isRequired="true" />
            <m:RequestedAttribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" isRequired="true" />
            <m:RequestedAttribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" isRequired="true" />
        </m:AttributeConsumingService>
    </m:SPSSODescriptor>
</m:EntityDescriptor>

I have selected "SAML" as the "Single Sign-On mode" on the EA. I then uploaded my application's metadata file.

The Logout Url is populated from the wrong application metadata field:


The Logout URL is where the Single Logout Responses are to be sent. According to my metadata, that should be the /response URL, not the /logout URL. Am I missing something?


1 answer

  1. Shweta Mathur 25,466 Reputation points Microsoft Employee
    2022-07-11T09:00:13.627+00:00

    Hi @Max Dudzinski ,

    Thanks for reaching out and apologies for the delay in response.

    I understand you are trying to update Logout URL with ResponseLocation URL specified in metadata, but it is taking Location URL in the configuration.

    Unfortunately, we currently don't support multiple logout URLs. So, the URL to log out and the URL to send the logout response to will remain the same for this configuration.

    As a workaround, we recommend you give the same URL for both the Location and ResponseLocation.

    For the future, I would suggest you post this idea at the Azure Feedback Portal, which is monitored by the product team for feature enhancements.

    Hope this will help.

    Thanks,
    Shweta

    --------------------------------

    Please remember to "Accept Answer" if answer helped you.
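The workaround above means the service provider's single SLO endpoint receives both LogoutRequest messages (IdP-initiated logout) and LogoutResponse messages (replies to SP-initiated logout) at the same URL. The following Python is an added example, not code from the question, the answer, or any Microsoft library: it reads the SingleLogoutService entry from SP metadata like the one in the question, flags the case where Location and ResponseLocation differ (which the configuration described here will not honour), and shows how a shared HTTP-Redirect endpoint can tell the two message types apart by the query parameter and the root element. The issuer value, message IDs and the sample LogoutRequest/LogoutResponse bodies are constructed for this example; the messages are unsigned, so a real endpoint must still verify the redirect-binding signature before acting on either message.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET  # for untrusted input, prefer defusedxml in production
import zlib

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# SLO portion of the SP metadata from the question (trimmed copy, constructed here)
SP_METADATA = """<m:EntityDescriptor entityID="max-test" xmlns:m="urn:oasis:names:tc:SAML:2.0:metadata">
  <m:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <m:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://localhost:5001/saml/slo/logout"
        ResponseLocation="https://localhost:5001/saml/slo/response" />
  </m:SPSSODescriptor>
</m:EntityDescriptor>"""

# Constructed sample messages; the issuer and IDs are placeholders, not real tenant values.
SAMPLE_LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0" '
    'IssueInstant="2022-07-05T07:17:00Z" Destination="https://localhost:5001/saml/slo/logout">'
    '<saml:Issuer>https://idp.example.test/</saml:Issuer>'
    '<saml:NameID>user@example.test</saml:NameID></samlp:LogoutRequest>'
)
SAMPLE_LOGOUT_RESPONSE = (
    '<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0" '
    'IssueInstant="2022-07-05T07:18:00Z" InResponseTo="_sp_req7" '
    'Destination="https://localhost:5001/saml/slo/logout">'
    '<saml:Issuer>https://idp.example.test/</saml:Issuer>'
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
    '</samlp:Status></samlp:LogoutResponse>'
)


def slo_endpoints(metadata_xml):
    """Return (Location, ResponseLocation) of the HTTP-Redirect SingleLogoutService.
    Per the SAML metadata spec, ResponseLocation defaults to Location when absent."""
    root = ET.fromstring(metadata_xml)
    for slo in root.iter(f"{{{NS_MD}}}SingleLogoutService"):
        if slo.get("Binding") == REDIRECT_BINDING:
            location = slo.get("Location")
            return location, slo.get("ResponseLocation", location)
    raise ValueError("no HTTP-Redirect SingleLogoutService in metadata")


def needs_shared_slo_url(metadata_xml):
    """True when the metadata relies on a distinct ResponseLocation; with the
    configuration described in the thread, responses will arrive at Location instead."""
    location, response_location = slo_endpoints(metadata_xml)
    return location != response_location


def encode_redirect_param(saml_xml):
    """HTTP-Redirect binding encoding: raw DEFLATE, base64, then URL-encode.
    Used here only to build sample input for the shared endpoint."""
    compressor = zlib.compressobj(wbits=-15)  # negative wbits = raw DEFLATE, no zlib header
    deflated = compressor.compress(saml_xml.encode("utf-8")) + compressor.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")


def classify_slo_message(query_string):
    """Dispatch logic for one endpoint serving both SLO roles. Returns
    (kind, issuer, message_id) with kind 'LogoutRequest' or 'LogoutResponse'."""
    params = urllib.parse.parse_qs(query_string)  # also undoes the URL-encoding
    if "SAMLRequest" in params:
        encoded = params["SAMLRequest"][0]
    elif "SAMLResponse" in params:
        encoded = params["SAMLResponse"][0]
    else:
        raise ValueError("neither SAMLRequest nor SAMLResponse present")
    xml_bytes = zlib.decompress(base64.b64decode(encoded), wbits=-15)
    root = ET.fromstring(xml_bytes)
    kind = root.tag.rsplit("}", 1)[-1]
    # Check both the local name and the namespace, so a foreign element with a
    # matching local name is rejected rather than treated as a logout message.
    if kind not in ("LogoutRequest", "LogoutResponse") or root.tag != f"{{{NS_SAMLP}}}{kind}":
        raise ValueError(f"unexpected SAML message element: {root.tag}")
    issuer_el = root.find(f"{{{NS_SAML}}}Issuer")
    issuer = issuer_el.text if issuer_el is not None else None
    return kind, issuer, root.get("ID")


if __name__ == "__main__":
    print("Location/ResponseLocation differ:", needs_shared_slo_url(SP_METADATA))
    for param, body in (("SAMLRequest", SAMPLE_LOGOUT_REQUEST),
                        ("SAMLResponse", SAMPLE_LOGOUT_RESPONSE)):
        qs = f"{param}={encode_redirect_param(body)}&RelayState=constructed"
        print(classify_slo_message(qs))
```

Because the parameter name alone is attacker-controlled input, the dispatcher also checks the decoded root element's namespace and local name before deciding which code path to take; in a real deployment the next step on either path is signature verification and, for a LogoutResponse, matching InResponseTo against an outstanding SP-initiated request.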