Azure OIDC IdP Initiated Logout - azure-active-directory

Here is the scenario: a user logs into my system via Azure OIDC SSO. They are now logged into the IdP and my system. While logged into my system, they open another tab and log out of the IdP. They are now logged out of the IdP, but still logged into my system.
Does Azure support a way to let my system know that the user has logged out, that way I can log them out of my system?

It's recommended to clear your app's cookies or storage in addition to calling the Azure AD end_session_endpoint. This can be done upon being redirected to the passed post_logout_redirect_uri.

Related

How to implement logout in Azure AD application proxy

I have integrated a header-based application with Azure AD application proxy,
which pre-authenticates the user with Azure AD credentials and creates a cookie-based session.
How do I implement logout so that clicking the logout link in the application totally clears the session?
For OAuth/OIDC, the guidance provided is:
"When you want to sign out the user from your app, it isn't sufficient to clear your app's cookies or otherwise end the user's session. You must also redirect the user to the Microsoft identity platform to sign out."
"When you redirect the user to the end_session_endpoint, the Microsoft identity platform clears the user's session from the browser.
However, the user may still be signed in to other applications that use Microsoft accounts for authentication."
Implement logout in Azure AD application proxy:
Reference:
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc#send-a-sign-out-request

Why does Azure AD (or other OIDC Idp) require to enter user credentials for sign-in after sign-out?

I am developing authentication by external IdPs in my application. For now I support two IdPs using the OpenID Connect protocol: Azure AD and Okta. My login page has a widget for entering the user's credentials (for built-in users and for domain users imported from Active Directory) and two buttons: "Login with Microsoft" and "Login with Okta".
The first time, the user is redirected to the login page and attempts to sign in by Okta (or Azure AD). If he has already signed in to Okta (or Azure AD) before the attempt, he will be signed in to my app automatically without entering his credentials (SSO in action). But if he signed out from my app, the next time he tries to sign in by Okta he will be redirected to the Okta consent page and required to enter his credentials.
Why do the second and subsequent attempts require the user's credentials instead of leading to automatic sign-in?
Is this the SSO concept?
I develop on Asp.net MVC and use OWIN (Katana).
Thanks!
A likely reason the user is signed out of the identity provider is that your code is intentionally doing that when you call SignOut.
For example, if you are calling:
HttpContext.GetOwinContext().Authentication.SignOut(AuthTypes.Okta, AuthTypes.Cookies);
You are explicitly saying that you want to trigger sign-out for AuthTypes.Cookies (which probably clears your app's own session cookies) and AuthTypes.Okta (which probably includes redirecting to Okta to end the session and clear cookies over there as well).
If you only want to end the session with your app (but not necessarily end the user's session with the identity provider), when you call SignOut, you should only indicate your app's authentication types:
HttpContext.GetOwinContext().Authentication.SignOut(AuthTypes.Cookies);
After this, when the user accesses the app again, the app will not consider the user signed in (because when the user's browser accesses the app, it will not be presenting any session cookies). However, if the user were to be sent off to Okta or Azure AD again, the identity provider's own session cookies for that user will still be there, and they will be able to SSO with no extra prompts.
Note: I'm making a few assumptions about how AuthTypes.Okta and AuthTypes.Cookies are configured, since that wasn't included in the question.
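The two sign-out shapes described in this answer, plus the point from the first thread on this page (clear the app's own cookies when the browser comes back to post_logout_redirect_uri), as an added ASP.NET MVC / OWIN (Katana) example. This is not code from the question, the answers, or Microsoft; it assumes the Microsoft.Owin.Security.Cookies and Microsoft.Owin.Security.OpenIdConnect packages, and the AuthTypes class, the client id, tenant id, redirect URIs and the /Account/SignedOut route are placeholders chosen for the example.

```csharp
// Added example, not from the thread above. AuthTypes, the client/tenant ids
// and the URIs are placeholders; the middleware calls are the standard Katana
// cookie and OpenID Connect middleware.
using System;
using System.Web;
using System.Web.Mvc;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public static class AuthTypes
{
    public const string Cookies = CookieAuthenticationDefaults.AuthenticationType;      // "Cookies"
    public const string Oidc = OpenIdConnectAuthenticationDefaults.AuthenticationType; // "OpenIdConnect"
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(AuthTypes.Cookies);

        // The app's own session: a cookie issued after a successful OIDC sign-in.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = AuthTypes.Cookies,
            CookieHttpOnly = true,
            CookieSecure = CookieSecureOption.Always
        });

        // Azure AD via OIDC. PostLogoutRedirectUri becomes the post_logout_redirect_uri
        // sent to the end_session_endpoint and must be registered for the app in Azure AD.
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            AuthenticationType = AuthTypes.Oidc,
            ClientId = "<client-id placeholder>",
            Authority = "https://login.microsoftonline.com/<tenant-id placeholder>/v2.0",
            RedirectUri = "https://app.example/signin-oidc",
            PostLogoutRedirectUri = "https://app.example/Account/SignedOut",
            ResponseType = "id_token",
            Scope = "openid profile"
        });
    }
}

public class AccountController : Controller
{
    private IAuthenticationManager Auth => HttpContext.GetOwinContext().Authentication;

    // Ends only this app's session. The Azure AD browser session is untouched,
    // so the next sign-in to this app completes silently (SSO still works).
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult LocalSignOut()
    {
        Auth.SignOut(AuthTypes.Cookies);
        return RedirectToAction("SignedOut");
    }

    // Ends this app's session AND asks the OIDC middleware to redirect the browser
    // to the Azure AD end_session_endpoint; Azure AD then sends the browser back to
    // PostLogoutRedirectUri. The next sign-in will prompt for credentials again.
    [HttpPost, ValidateAntiForgeryToken]
    public void FullSignOut()
    {
        Auth.SignOut(AuthTypes.Oidc, AuthTypes.Cookies);
        // No result is returned: the OpenID Connect middleware writes the redirect
        // when the response is applied.
    }

    // Landing action for post_logout_redirect_uri. Clear whatever this app still
    // holds for the browser so an app session cannot outlive the IdP logout.
    [AllowAnonymous]
    public ActionResult SignedOut()
    {
        Auth.SignOut(AuthTypes.Cookies);
        Session.Abandon();
        Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true
        });
        return View();
    }
}
```

Wiring a "Sign out of this app" button to LocalSignOut keeps the IdP session alive, which is what the question is asking for; FullSignOut is the behaviour the question's current code produces. SignedOut runs on every return from the end_session_endpoint, including logouts started from another tab or app that were configured to redirect back here, so it is the place to make sure no app-side session survives.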

Unable to login more than one account of the same domain when using Azure AD as the IdP for G Suite

I'm using the Google Cloud connector application to use our Azure AD account as single sign-on with SAML SSO to access our G Suite accounts. If I try to log in more than one user from our G Suite account, the page automatically gets redirected to the previously logged-in account instead of asking me for the password for the new account.
Consider two accounts A and B belonging to the same domain XYZ. I'm not able to log in B as an additional account in a Google service like Gmail if A is already logged in. After I enter the email B and click Continue in the Google sign-in page, instead of taking me to the Microsoft SSO page, I directly get redirected to the mailbox of A. If I log out of account A and then try to log in to account B, it works fine. The behaviour is replicated across browsers.
https://www.awesomescreenshot.com/video/2388498?key=4e3527ba1445fdd0c28fefebeca8ef6a
Please refer to the above video to watch the behaviour. Thank you.
You can attach &prompt=login to the redirect URL or Start URL in Google.
Request an authorization code

SAML: Idp initiated sign out on Azure AD user deletion?

Not sure how to go about the following scenario:
User logs in with SAML to an Azure enterprise-configured application.
User is authenticated successfully.
If the user now logs out from Azure -> I can catch this event using the logout URL.
However, if the user is deleted / removed from the organisation, the user is still logged in to my application.
I've implemented similar logic with OAuth and refresh tokens, but didn't find an equivalent using SAML.
As of now there is no support in SAML for the user provisioning events performed by the IdP.
In an Azure enterprise-configured application there is a feature for automated user provisioning and deprovisioning to applications, which ensures that the identities in your app and systems are kept up to date based on changes in the directory or your human resources system.
For more information you can refer to this link.

Azure AD SAML SSO - Signout process

I didn't quite understand the logout process in AD.
Say a user logs out from another app (not mine) that's connected to AD; would my SP get called when that happens?
Another thing that I'm missing is: what happens when a user is removed/deactivated from their directory? How would I know when to clear their session? I couldn't find anything regarding this issue in AD's docs.
The following diagram shows the workflow of the Azure AD single sign-out process.
If the user logs out from one app connected to AD (the same tenant as yours), he will be signed out from the other apps connected to the same AD.
If a user was removed from their directory, the user will get an authentication issue.
