elmo Posted March 7, 2021
As defined in the SAML RFC the end application should be able to generate and send a POST request to the originating IDP using a LogoutRequest. When using Passwordstate combined with Azure AD SAML, if you point it at the AAD logout URL and press logout, Azure says no as it's just a 302 to the logout URL. If you input the generic URL it will log you out of all AzureAD applications. Can we please ask for this to be supported? The application should send a LogoutRequest back to the IDP via the client browser on logout/timeout. See the following URL for more info: https://docs.microsoft.com/en-us/azure/active-directory/develop/single-sign-out-saml-protocol
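The browser-mediated LogoutRequest the post describes, as an added example that is not part of the original thread or of Passwordstate: it builds the samlp:LogoutRequest, packs it for the HTTP-POST binding, and decodes it again so what was actually posted can be inspected. The entity ID, the tenant placeholder in the logout URL and the user values are assumed sample data.

```python
import base64
import html
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_logout_request(issuer, destination, name_id, session_index, request_id=None, now=None):
    """Serialise the LogoutRequest an SP sends to the IdP's logout endpoint.
    issuer = the SP entity ID registered at the IdP; name_id and session_index
    are copied from the assertion the IdP issued at login (sample values in tests)."""
    request_id = request_id or "_" + uuid.uuid4().hex  # xsd:ID must not start with a digit
    now = now or datetime.now(timezone.utc)
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": request_id, "Version": "2.0",
        "IssueInstant": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAML}}}NameID",
                  {"Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"}).text = name_id
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(req, encoding="utf-8")


def encode_saml_request(xml_bytes):
    """HTTP-POST binding: the XML travels base64-encoded in the SAMLRequest form field."""
    return base64.b64encode(xml_bytes).decode("ascii")


def post_binding_form(xml_bytes, destination, relay_state="/"):
    """Auto-submitting HTML form that makes the user's browser POST the request to
    the IdP (the browser-mediated flow asked for above). Real deployments sign the
    request before encoding it; XML signing is omitted here."""
    return (f'<form method="post" action="{html.escape(destination, quote=True)}">'
            f'<input type="hidden" name="SAMLRequest" value="{encode_saml_request(xml_bytes)}">'
            f'<input type="hidden" name="RelayState" value="{html.escape(relay_state, quote=True)}">'
            '</form><script>document.forms[0].submit();</script>')


def parse_logout_request(saml_request_b64):
    """Decode a SAMLRequest value and return the fields an IdP checks before
    ending the session; handy for verifying what an SP really posted."""
    root = ET.fromstring(base64.b64decode(saml_request_b64))
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a samlp:LogoutRequest")
    return {"id": root.get("ID"), "destination": root.get("Destination"),
            "issuer": root.findtext(f"{{{SAML}}}Issuer"),
            "name_id": root.findtext(f"{{{SAML}}}NameID"),
            "session_index": root.findtext(f"{{{SAMLP}}}SessionIndex")}
```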
Max Posted August 23, 2021
+1
Reto Posted August 27, 2021
+1
tboggs13 Posted September 3, 2021
+1
cwild41 Posted September 3, 2021
+1
support Posted September 10, 2021
Hi All,
We're currently working on this for the next release, and have successfully corrected the 302 error using the new AAD logout URL. However, during our testing we're still observing that all Azure Apps are subsequently signed out after posting the LogoutRequest. "If you input the generic URL it will log you out of all AzureAD applications" implies that you would like to only sign out of Passwordstate and not all the other apps utilising the Azure AD session. Did we interpret this correctly? If so, we believe this is not possible unless we force re-authentication even when an Azure AD session is currently active, which would ultimately defeat the purpose of single sign on.
Regards,
Click Studios
Max Posted September 10, 2021
Hi, What we'd like is not to be logged out of AAD but only from Passwordstate. When we looked at other apps, the logout page they point to is one hosted by their application, not going directly from Microsoft. Hope this helps. Cheers, Max
tboggs13 Posted September 10, 2021
5 hours ago, Max said: Hi, What we'd like is not to be logged out of AAD but only from Passwordstate. When we looked at other apps, the logout page they point to is one hosted by their application, not going directly from Microsoft. Hope this helps. Cheers, Max
That is the expected behavior from other products I have integrated with AAD. Not sure about the technical aspects, but as an end user that's how it should work.
support Posted September 13, 2021
@Max @tboggs13 - just to clarify, with the other products you've mentioned - are they auto logging you in when you have an active session with Azure AD? If they are, when you logout via the application (not Azure AD) and then return to the home page, are you automatically logged in again or prompted to re-authenticate via Azure AD?
Regards,
Click Studios
Reto Posted September 16, 2021
Hi all,
We have recently switched to SAML authentication. To ensure that our password lists are also protected from Azure AD joined devices where the user is automatically logged in, we use Google Authenticator in addition to SAML authentication. In our case, the user only needs to enter the token from Google Authenticator when logging in. I'm not sure what happens if you force reauthentication on Azure AD connected devices. But if the user had to enter their Azure credentials every time, that would be awkward from my point of view.
Regards,
Reto
tboggs13 Posted September 16, 2021
In products I have set up with SAML, after first login all remain authenticated through the browser session and most persist for some period of time even when the browser has been closed and reopened or the computer rebooted. Some require login after an hour and some don't require a new login for weeks. So, it varies on the auto-logout. If we can't configure it, I would probably prefer shorter for Passwordstate.