Hello,
When using Azure AD as the partner IdP from my SP I never get a redirect back from Azure AD after having performed a single logout.
The partner IdP configuration looks like this (GUIDs omitted):
<PartnerIdentityProvider Name="https://sts.windows.net/GUID/"
Description="Azure AD"
SignLogoutRequest="true"
WantSAMLResponseSigned="false"
WantAssertionSigned="true"
WantLogoutResponseSigned="true"
UseEmbeddedCertificate="true"
SignatureMethod="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
SingleSignOnServiceUrl="https://login.microsoftonline.com/GUID/saml2"
SingleLogoutServiceUrl="https://login.microsoftonline.com/GUID/saml2"/>
The flow is like this:
1. My SP performs a SAMLServiceProvider.InitiateSLO
2. The browser is redirected to login.windows.net with a correct SAMLRequest and a few additional redirects occur to different Microsoft URLs. The user is logged out successfully at the IdP.
3. No redirect occurs back to my SP (to my single logout service URL, which I cannot fill in anywhere in Azure AD?).
This means that I cannot log out the user locally in this scenario.
Has anyone else experienced this problem? Suggestions? Is it even possible? It works fine against the local MVC-based IdP.
Regards
Fredrik
Answering my own post:
After switching to the new Azure portal at portal.azure.com there was a possibility to specify a "Logout URL" in the properties section of the SP App in Azure AD.
I hope this helps anyone that has the same problem.
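Once the Logout URL is configured, Azure AD will redirect the browser back to the SP with a LogoutResponse, and the SP has to decide whether that response justifies clearing the local session. The check below is an added Python example, not code from the post or from the ComponentSpace library; the issuer value, the request id "_req1" and the LogoutResponse XML are constructed for the example, and it goes slightly beyond the post by also rejecting responses with an unexpected issuer, an unknown InResponseTo, or a non-Success status.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Assumed to equal the PartnerIdentityProvider Name from the post (GUID omitted there too).
IDP_ISSUER = "https://sts.windows.net/GUID/"

# Constructed sample of the LogoutResponse the IdP sends to the SP's Logout URL.
SAMPLE_RESPONSE = (
    '<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0" '
    'IssueInstant="2016-01-01T00:00:00Z" InResponseTo="_req1">'
    '<saml:Issuer>https://sts.windows.net/GUID/</saml:Issuer>'
    '<samlp:Status><samlp:StatusCode Value="' + SUCCESS + '"/></samlp:Status>'
    '</samlp:LogoutResponse>')

def idp_redirect_query(xml_text: str) -> str:
    """HTTP-Redirect binding as the IdP produces it: raw DEFLATE, base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return urlencode({"SAMLResponse": base64.b64encode(raw).decode("ascii")})

def handle_slo_callback(query_string: str, pending_request_ids: set) -> bool:
    """SP side: return True only if the local session may be terminated.

    Signature verification is left to the SAML library (the post sets
    WantLogoutResponseSigned="true"); this shows the remaining checks."""
    params = parse_qs(query_string)
    if "SAMLResponse" not in params:
        return False                      # nothing came back: keep the local session
    xml_bytes = zlib.decompress(base64.b64decode(params["SAMLResponse"][0]), -15)
    root = ET.fromstring(xml_bytes)       # production code: parse with defusedxml here
    if root.tag != "{%s}LogoutResponse" % NS["samlp"]:
        return False
    if root.findtext("saml:Issuer", namespaces=NS) != IDP_ISSUER:
        return False                      # response from an unexpected issuer
    in_response_to = root.get("InResponseTo")
    if in_response_to not in pending_request_ids:
        return False                      # unsolicited or replayed response
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        return False                      # IdP did not confirm the logout
    pending_request_ids.discard(in_response_to)   # one-time use
    return True
```

The pending request ids are the IDs of LogoutRequests this SP issued via InitiateSLO and has not yet seen answered; a response that matches none of them should not end the local session.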
Thanks Fredrik for sharing the information.