We have some organizations using Enterprise connections with Microsoft AD.
Users log in, are sent to the MS login to enter their password, and come back into our application as expected.
When users log out, however, they are sent to MS and shown a screen to select the MS account to log out from. This happens even if only one user is actively logged in. We’re using the Angular SDK, set the federated flag to true, and provide a logout_hint.
The concern is that some users may fail to explicitly log out on a shared workstation.
Do you have any suggestions so we can silently log out from MS as well without prompting the user?
Hi @a.cardona
Welcome to the Auth0 Community!
Implementing a silent logout from MS AD without the account selection screen should be possible by making a couple of adjustments. Please allow me to share my thoughts on possible changes and some useful documentation on this matter:
- use Federated Logout to ensure your user is logged out of AD and not just out of the application, especially in an environment with shared workstations. If you are using the Angular SDK, you can set the federated property to true under logoutParams; please check Interface LogoutOptions;
- under your Azure AD Enterprise Connection settings, you can find a “Use common endpoint” option. Enabling this setting creates a more consistent user logout experience, as described in Federated logout with Azure Active Directory;
- you might need to add login_hint as an optional parameter within AD and ensure that the openid and profile scopes are included in your initial sign-in request.
For the last point above, I recommend reading through the official Microsoft documentation on this matter, namely:
Hopefully this allows you to achieve the desired flow and improve the overall security of your environment. Let us know if you require any further assistance on this matter and do not hesitate to reach out to us for any other issues or requests.
Have a great one!
Gerald
Hi @gerald.czifra
We have implemented the logout flow as described in the Microsoft article below, however, the account selection prompt continues to appear during logout, even when only a single user session is active.
https://learn.microsoft.com/en-us/troubleshoot/entra/entra-id/app-integration/sign-out-of-openid-connect-oauth2-applications-without-user-selection-prompt
We are using the Auth0 SDK for both login and logout.
Login:
const authorizationParams: any = {
  // Template literal restored to a single line (it was broken across two lines in the post)
  redirect_uri: `${window.location.origin}/callback-url?postLoginTarget=${encodeURIComponent(postLoginTarget)}`,
  // openid and profile scopes are included, as recommended above
  scope: 'openid profile email'
};
authInstance.loginWithRedirect({
  authorizationParams
});
Logout:
this.authInstance.logout({
  logoutParams: {
    returnTo: returnToUrl,
    federated: true,            // also end the upstream (Azure AD) session
    logout_hint: logoutHintEmail, // forwarded as a query parameter to /oidc/logout
  },
});
In addition, we have configured the optional login_hint claim in Microsoft Entra ID as referenced in the article.
We also attempted to directly redirect to the OIDC logout endpoint during logout:
https://dev-nextech.us.auth0.com/oidc/logout?client_id=HkLZsCJCI8CXgbaVjhFPbGpob6YYOTOJ&post_logout_redirect_uri=http://localhost:4200&federated&logout_hint=<email>
However, this approach also results in the account selection prompt.
Despite these configurations and attempts, the logout flow continues to prompt for account selection. Please advise if there are any additional settings, configurations, or recommended approaches to achieve a seamless logout experience without the account selection prompt.
Hi @b.choudhary
Thank you for your input on this matter, this was very helpful!
After doing some internal research on this behaviour, we came to the following conclusions:
- To bypass the “Pick an account” prompt during logout, Microsoft Entra ID explicitly requires the logout_hint parameter.
- Auth0’s current Federated Logout implementation supports passing id_token_hint and post_logout_redirect_uri to the upstream Identity Provider, but it does not currently pass the logout_hint parameter to Azure AD. Internal discussions concluded that logout_hint support is restricted or unavailable for customers to configure in the current release.
- Consequently, you are in a tradeoff scenario. Enabling federated: true successfully terminates the upstream Azure AD session, but it invariably triggers the account-selection prompt because the required logout_hint is not sent to Azure.
In this case, we recommend submitting a Feature Request to express interest in this change. Our Product team monitors the page and has visibility over all submissions; users can vote on the requests they want to see and a higher number will drive interest even further.
Have a great one!
Gerald
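An added example (not code from this thread, from Auth0 or from Microsoft) showing how the two logout redirects discussed here are assembled as URLs, with post_logout_redirect_uri checked against an allowlist first so the logout step cannot be abused as an open redirect. The Auth0 /oidc/logout shape follows the URL quoted above; the Entra end-session endpoint path and its parameter names are an assumption taken from Microsoft's OIDC documentation rather than from this page.

```javascript
// Reject any post-logout destination whose origin is not on the allowlist.
// Returns the normalised URL string on success, throws otherwise.
function assertAllowedRedirect(uri, allowedOrigins) {
  const parsed = new URL(uri);
  if (!allowedOrigins.includes(parsed.origin)) {
    throw new Error(`post_logout_redirect_uri not allowed: ${parsed.origin}`);
  }
  return parsed.toString();
}

// Auth0 tenant logout, in the shape quoted in the thread. URLSearchParams
// percent-encodes the e-mail in logout_hint ("@" becomes "%40"), and
// "federated" is appended as a bare flag because that is how it appears there.
function buildAuth0LogoutUrl({ domain, clientId, returnTo, logoutHint, allowedOrigins }) {
  const url = new URL(`https://${domain}/oidc/logout`);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('post_logout_redirect_uri', assertAllowedRedirect(returnTo, allowedOrigins));
  url.searchParams.set('logout_hint', logoutHint);
  return `${url.toString()}&federated`;
}

// Entra ID end-session request (endpoint path assumed from Microsoft's OIDC
// docs). logout_hint is the parameter the thread identifies as the one that
// suppresses the "Pick an account" prompt.
function buildEntraLogoutUrl({ tenant, returnTo, logoutHint, allowedOrigins }) {
  const url = new URL(`https://login.microsoftonline.com/${encodeURIComponent(tenant)}/oauth2/v2.0/logout`);
  url.searchParams.set('post_logout_redirect_uri', assertAllowedRedirect(returnTo, allowedOrigins));
  url.searchParams.set('logout_hint', logoutHint);
  return url.toString();
}

// Constructed sample values (placeholders, not a real tenant or client).
const sampleAllowed = ['http://localhost:4200'];
console.log(buildAuth0LogoutUrl({
  domain: 'example.auth0.com', clientId: 'CLIENT_ID_PLACEHOLDER',
  returnTo: 'http://localhost:4200', logoutHint: 'user@example.com',
  allowedOrigins: sampleAllowed,
}));
```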