Keycloak SAML 2.0 IDP configured for Azure AD SLO does not redirect when logged in for a number of hours

I’m having an issue with Single Logout where an AD user is left on the Microsoft web page when they log out of our app, but only when the user has been logged in for a number of hours.

SSO and SLO are working without problems other than that.

When we log out of AD, we want to be redirected back to our app.

It is only when a user has been logged in for a number of hours that logging out leaves the user on the Microsoft logout page.

The scenario fails consistently when the user has been logged in overnight, so the time since login would be at least 8 hours.

The page displays the Microsoft logo, the “You signed out of your account” heading, and the “It’s a good idea to close all browser windows” message.

I created an Azure AD non-gallery enterprise application and set up SAML SSO with the "Basic SAML Configuration".

The “Basic SAML Configuration” of the AD application is (n.b., I have made a few small changes below to hide the customer name):

Identifier (Entity ID): https://login-dev.mumba.cloud/auth/realms/demo-dev

Reply URL (Assertion Consumer Service URL): https://login-dev.mumba.cloud/auth/realms/demo-dev/broker/ad-saml/endpoint

Sign on URL:

Relay State:

Logout Url: https://login-dev.mumba.cloud/auth/realms/demo-dev/broker/ad-saml/endpoint

Our app uses Keycloak (Keycloak 6.0.1) for authentication, and we have created a Keycloak SAML 2.0 Identity Provider which is configured with the details from the “App Federation Metadata XML Url” from the AD app with details as above.

Is there some kind of expiry that would cause this different behaviour after a few hours?

It seems to be on the AD side of things because we are left on the Microsoft page, so we’re not in control of that process, but maybe I’m missing some configuration in Keycloak.

In Keycloak we have set up our SAML 2.0 Identity Provider with Single Sign-On Service URL: https://login.microsoftonline.com/851df7dc-24e7-4efe-b49c-19b5cc5b5041/saml2 and Single Logout Service URL: https://login.microsoftonline.com/851df7dc-24e7-4efe-b49c-19b5cc5b5041/saml2

The App Federation Metadata URL for the AD SAML app is:

https://login.microsoftonline.com/851df7dc-24e7-4efe-b49c-19b5cc5b5041/federationmetadata/2007-06/federationmetadata.xml?appid=7a9db5fd-6e6b-43ba-8232-90d10962f4a8

If anyone is able to either identify an issue or point me in a direction for further debugging (I am able to look at the SAML requests and responses, but am not really sure what I should be looking for), that would be most appreciated.

Thanks :)
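Since the post can capture the SAML requests and responses but is unsure what to look for, here is an added example (not part of the original post or of Keycloak) that decodes a SAMLRequest/SAMLResponse value as carried in the HTTP-Redirect or HTTP-POST binding and pulls out the fields worth comparing between a working and a failing logout: Destination against the configured Logout URL, IssueInstant and NotOnOrAfter, SessionIndex, and the status codes on the response. The sample LogoutRequest, the tenant ID and the session index are constructed placeholders.

```python
import base64, zlib
import xml.etree.ElementTree as ET
from urllib.parse import unquote

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def encode_redirect_binding(xml_text: str) -> str:
    # HTTP-Redirect binding encoding: raw DEFLATE, then base64 (used here to build the sample)
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()

def decode_saml_param(value: str) -> str:
    # Accepts a SAMLRequest/SAMLResponse value pasted straight from the URL or form post
    raw = base64.b64decode(unquote(value))
    try:
        return zlib.decompress(raw, -15).decode()   # HTTP-Redirect: deflated
    except zlib.error:
        return raw.decode()                         # HTTP-POST: base64 only

def summarize_logout_message(xml_text: str) -> dict:
    # Pull out the fields that decide whether a LogoutRequest/LogoutResponse round-trips
    root = ET.fromstring(xml_text)
    info = {"type": root.tag.split("}")[-1],
            "issuer": root.findtext("saml:Issuer", namespaces=NS),
            "destination": root.get("Destination"),      # must match the partner's SLO URL
            "issue_instant": root.get("IssueInstant"),
            "in_response_to": root.get("InResponseTo")}  # responses only
    if info["type"] == "LogoutRequest":
        info["not_on_or_after"] = root.get("NotOnOrAfter")  # expiry of the request itself
        info["session_index"] = root.findtext("samlp:SessionIndex", namespaces=NS)
        info["name_id"] = root.findtext("saml:NameID", namespaces=NS)
    else:
        code = root.find("samlp:Status/samlp:StatusCode", NS)
        sub = code.find("samlp:StatusCode", NS) if code is not None else None
        info["status"] = code.get("Value") if code is not None else None
        info["substatus"] = sub.get("Value") if sub is not None else None
    return info

# Constructed sample LogoutRequest; TENANT-ID and the SessionIndex are placeholders
SAMPLE_LOGOUT_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0"
 IssueInstant="2020-01-01T08:00:00Z" NotOnOrAfter="2020-01-01T08:05:00Z"
 Destination="https://login.microsoftonline.com/TENANT-ID/saml2">
 <saml:Issuer>https://login-dev.mumba.cloud/auth/realms/demo-dev</saml:Issuer>
 <saml:NameID>user@example.com</saml:NameID>
 <samlp:SessionIndex>_session-placeholder</samlp:SessionIndex>
</samlp:LogoutRequest>"""

if __name__ == "__main__":
    encoded = encode_redirect_binding(SAMPLE_LOGOUT_REQUEST)   # what appears after SAMLRequest=
    print(summarize_logout_message(decode_saml_param(encoded)))
```

On a LogoutResponse, a top-level StatusCode other than Success, or a nested PartialLogout, is the first thing to look for; on the request, compare NotOnOrAfter and SessionIndex between a fresh session and one that has been open overnight.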