Single Sign-out (SAML Protocol)

Article
09/16/2015

Azure Active Directory supports the SAML 2.0 web browser single sign-out profile. For single sign-out to work correctly, Azure Active Directory must register its metadata URL during application registration. Azure Active Directory gets the logout URL and the signing key of the cloud service from the metadata. Azure Active Directory uses the signing key to verify the signature on the incoming LogoutRequest, and it uses the LogoutURL to redirect users after they are signed out.

If the cloud service does not support a metadata endpoint, after the application is registered, the developer must contact Microsoft support to provide the logout URL and signing key.

This diagram shows the workflow of the Azure Active Directory single sign-out process.

Single signout workflow diagram

LogoutRequest

The cloud service sends a LogoutRequest message to Azure Active Directory to indicate that a session has been terminated. The following XML excerpt shows a sample LogoutRequest element.

<samlp:LogoutRequest xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="idaa6ebe6839094fe4abc4ebd5281ec780" Version="2.0" IssueInstant="2013-03-28T07:10:49.6004822Z" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://www.workaad.com</Issuer>
  <NameID xmlns="urn:oasis:names:tc:SAML:2.0:assertion"> Uz2Pqz1X7pxe4XLWxV9KJQ+n59d573SepSAkuYKSde8=</NameID>
</samlp:LogoutRequest>

LogoutRequest Element

A LogoutRequest element sent to Azure Active Directory requires the following attributes.

ID: The ID attribute identifies the sign-out request. The value of ID must not begin with a number. To generate the ID attribute, you can prepend "id" to the string representation of a GUID.

Azure Active Directory sets the value of the InResponseTo attribute of the LogoutResponse element to the value of the ID attribute of the LogoutRequest.
Version: Set the value of the Version attribute to "2.0". This value is required.
IssueInstant: Set the value of the IssueInstant attribute to a DateTime string with a Coordinated Universal Time (UTC) value and round-trip format ("o"). Azure Active Directory expects a value of this type, but does not enforce it.

The following attributes are ignored if they are included in a LogoutRequest element: Consent, Destination, NotOnOrAfter, Reason

Issuer Element of LogoutRequest

Azure Active Directory requires that the LogoutRequest contain the Issuer element. The value of Issuer element must exactly match one of the ServicePrincipalName values of the service principal object that represents the cloud service in Azure Active Directory.

Set the value of the Issuer element to the value of the App ID URI provided during application registration.

NameID Element

In sign-out requests to Azure Active Directory, the LogoutRequest element must contain the NameID element and the value of the NameID element must exactly match the NameID of the user that is being signed out.

LogoutResponse

The following Sample LogoutResponse

<samlp:LogoutResponse ID="_f0961a83-d071-4be5-a18c-9ae7b22987a4" Version="2.0" IssueInstant="2013-03-18T08:49:24.405Z" InResponseTo="iddce91f96e56747b5ace6d2e2aa9d4f8c" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/82869000-6ad1-48f0-8171-272ed18796e9/</Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
</samlp:LogoutResponse>

LogoutResponse Element

In response to a LogoutRequest, Azure Active Directory returns a LogoutResponse element. The following attributes are included in the LogoutResponse element.

InResponseTo: Azure Active Directory sets the value of the InResponseTo attribute to the value of the ID attribute of the LogoutRequest that elicited the response.
Azure Active Directory also sets the following attributes of the LogoutResponse element: ID, Version and IssueInstant.

Issuer Element under Response Element

Azure Active Directory sets the value of the Issuer element to https:// HYPERLINK "https://login.microsoftonline.com" login.microsoftonline.com/<TenantIdGUID>/ where <TenantIdGUID> is the tenant ID of the Azure Active Directory tenant.

To evaluate the value of the Issuer element, use the value of the App ID URI provided during application registration.

Status Element

Azure Active Directory uses the StatusCode element in the Status element to indicate the success or failure of sign-out. When the sign-out attempt fails, the StatusCode element value also can contain custom error messages.