We have some organizations using Enterprise connections with Microsoft AD.
User’s log in, are sent to the MS login to enter their password and back into our application as expected.
When user’s logout however, they are sent to MS and shown a screen to Select the MS account to log out from. This happens even if only one user is actively logged in. We’re using the angular SDK, set the Federated flag to true and provide a logout_hint.
The concern that some users may fail to explicitly logout and on a shared workstation.
Do you have any suggestions so we can silently logout from MS as well without prompting the user?
Hi @a.cardona
Welcome to the Auth0 Community!
Implementing a silent logout from MS AD without the account selection screen should be possible by making a couple of adjustments, please allow me to share my thoughts on possible changes and some useful documentations on this matter:
- use Federated Logout to ensure your user is logged out of AD and not just out of the application, especially in an environment with shared workstations. If you are using Angular SDK, you can set the
federated property to true under logoutParams, please check Interface LogoutOptions;
- under your Azure AD Enterprise Connection settings, you could find a “Use common endpoint” option. Enabling this setting has created a more consisted user logout experience, as described in Federated logout with Azure Active Directory ;
- you might need to add
login_hint as an optional parameter within AD and ensure that openind and profile scopes are included in your initial sign-in request.
For the last point above, I recommend reading through the official Microsoft documentations on this matter, namely:
Hopefully this allows you to achieve the desired flow and improve the overall security of your environment. Let us know if you require any further assistance on this matter and do not hesitate to reach out to us fr any other issues or requests.
Have a great one!
Gerald