
Support for SAML2 LogoutRequest


elmo


As defined in the SAML RFC, the end application should be able to generate and send a POST request to the originating IdP using a LogoutRequest. When using PasswordState combined with Azure AD SAML, if you point it at the AAD logout URL and press logout, Azure says no as it's just a 302 to the logout URL. If you input the generic URL it will log you out of all Azure AD applications. Can we please ask for this to be supported? The application should send a LogoutRequest back to the IdP via the client browser on logout/timeout. See the following URL for more info: https://docs.microsoft.com/en-us/azure/active-directory/develop/single-sign-out-saml-protocol

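As an added example (not code from the original post or from Passwordstate), the following Python builds the SAML 2.0 LogoutRequest the post describes, the one the application hands to the user's browser for the HTTP-POST binding, and parses it back so the fields can be checked. The issuer, NameID, destination and session index values are placeholders; which sessions the IdP actually ends on receipt is the IdP's policy, not something the request controls.

```python
import base64
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from html import escape

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

def build_logout_request(issuer, name_id, destination, session_index=None,
                         name_id_format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
                         request_id=None, issue_instant=None):
    # Built with ElementTree so a NameID pulled from the session store is escaped, not spliced in as markup.
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    root = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": request_id or "_" + uuid.uuid4().hex,  # xs:ID must not start with a digit
        "Version": "2.0",
        "IssueInstant": issue_instant or now,
        "Destination": destination})  # placeholder IdP SLO endpoint is supplied by the caller
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(root, f"{{{SAML}}}NameID", {"Format": name_id_format}).text = name_id
    if session_index:  # names this SP's IdP session; how wide the logout reaches is the IdP's decision
        ET.SubElement(root, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(root, encoding="unicode")

def parse_logout_request(xml_text):
    # The fields a receiving party checks; also lets the builder's output be verified.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a samlp:LogoutRequest")
    si = root.find(f"{{{SAMLP}}}SessionIndex")
    return {"id": root.get("ID"), "destination": root.get("Destination"),
            "issuer": root.findtext(f"{{{SAML}}}Issuer"),
            "name_id": root.findtext(f"{{{SAML}}}NameID"),
            "session_index": si.text if si is not None else None}

def decode_post_binding(saml_request):
    return base64.b64decode(saml_request).decode("utf-8")

def post_binding_form(destination, xml_text, relay_state=None):
    # HTTP-POST binding: the SP clears its own session first, then hands the browser this
    # self-submitting form so the LogoutRequest reaches the IdP through the front channel.
    fields = [("SAMLRequest", base64.b64encode(xml_text.encode("utf-8")).decode("ascii"))]
    if relay_state:  # opaque to the IdP; the SP validates it on return rather than redirecting blindly
        fields.append(("RelayState", relay_state))
    inputs = "".join(f'<input type="hidden" name="{n}" value="{escape(v)}"/>' for n, v in fields)
    return (f'<form method="post" action="{escape(destination)}">{inputs}</form>'
            '<script>document.forms[0].submit();</script>')
```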

  • 5 months later...

Hi All,

We're currently working on this for the next release, and have successfully corrected the 302 error using the new AAD logout URL. However, during our testing we're still observing that all Azure Apps are subsequently signed out after posting the LogoutRequest.

"If you input the generic URL it will log you out of all AzureAD applications" implies that you would like to only sign out of Passwordstate and not all the other apps utilising the Azure AD session. Did we interpret this correctly?


If so, we believe this is not possible unless we force re-authentication even when an Azure AD session is currently active, which would ultimately defeat the purpose of single sign-on.

Regards,
Click Studios


Hi,


What we'd like is not to be logged out of AAD but only from Passwordstate. When we looked at other apps, the logout page they point to is one hosted by their application, not going directly to Microsoft.


Hope this helps.


Cheers,

Max


5 hours ago, Max said:

Hi,

What we'd like is not to be logged out of AAD but only from Passwordstate. When we looked at other apps, the logout page they point to is one hosted by their application, not going directly to Microsoft.

Hope this helps.

Cheers,

Max

That is the expected behavior from other products I have integrated with AAD. Not sure about the technical aspects, but as an end user that's how it should work.


@Max @tboggs13 - just to clarify, with the other products you've mentioned - are they auto logging you in when you have an active session with Azure AD?
If they are, when you log out via the application (not Azure AD) and then return to the home page, are you automatically logged in again or prompted to re-authenticate via Azure AD?

Regards,
Click Studios


Hi all,


We have recently switched to SAML authentication. To ensure that our password lists are also protected on Azure AD joined devices where the user is automatically logged in, we use Google Authenticator in addition to SAML authentication. In our case, the user only needs to enter the token from Google Authenticator when logging in. I'm not sure what happens if you force re-authentication on Azure AD connected devices. But if the user had to enter their Azure credentials every time, that would be awkward from my point of view.


Regards, Reto


In products I have set up with SAML, after first login all remain authenticated through the browser session, and most persist for some period of time even when the browser has been closed and reopened or the computer rebooted. Some require login after an hour and some don't require a new login for weeks. So, it varies on the auto-logout. If we can't configure it, I would probably prefer shorter for Passwordstate.
