Auth0 Home Blog Docs

Federated logout with Azure Active Directory

I have a standard web app that was setup using your quick start guide: https://auth0.com/docs/quickstart/webapp/nodejs

The web app has a single enabled enterprise connection setup with Azure Active Directory.

The web app needs to support federated logout so I’ve added the &federated parameter to the logout url as described here https://auth0.com/docs/logout/guides/logout-idps

My issue is that there is a seemingly random chance that logout does not redirect the user to the correct federated logout url. After clearing the user session in the web app, we redirect to our auth0 tenant just as the quick start has it (but with the federated parameter).

50% of the time the user is then redirected to the AAD logout url: https://login.microsoftonline.com/**<connection-name>**/oauth2/logout?post_logout_redirect_uri=https://**<tenant-name>**.auth0.com/login/callback?returnTo=**<redirect-url>** and is then logged out of AAD.

The other 50% of the time the user is redirected to https://login.microsoftonline.com/oauth2/logout?post_logout_redirect_uri=https://**<tenant-name>**.auth0.com/login/callback?returnTo=**<redirect-url>** and Microsoft returns a 404 page. The difference between these urls is that the connection name is not included in the failure case. Looking through Microsoft docs it seems that they are expecting the url to be /common/oauth2/logout. https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-openid-connect-code#send-a-sign-out-request which doesn’t match either of these.

The inconsistent redirect url returned by Auth0 does not seem to be controllable by my web app’s logic, so I am at a loss as to how to debug this. Any help would be appreciated!

Have you tried enabling the Use common endpoint feature on the Azure AD connection settings page?

16

I enabled it and tried a few logins. Auth0 seems to consistently redirect me to the /common endpoint for logout which works perfectly fine.

Can you help me understand any repercussions of using the common endpoint from Auth0’s perspective? Reading through MSFT docs on the /common endpoint leads me to believe it shouldn’t affect my app, but I’m not entirely sure. The registered application I am using in AAD is single tenant, so it seems I shouldn’t use the common endpoint in this scenario. I’d like to understand why Auth0 redirects to an incorrect endpoint sometimes (when not using the common endpoint).