SAML2 SLO with MS Azure


I am testing Single Logout Service (SLO) between Auth0 and MS Azure AD. Here’s my setup:

My App <=APIs=> Auth0 <=SAML2=> MS Azure AD

In Auth0 I configured an enterprise connection to MS Azure, uploaded the MS Azure certificate and the MS Azure XML metadata file. Likewise, I’ve uploaded the Auth0 enterprise connection metadata file to MS Azure and made sure the settings are saved.

Single Sign-On (SSO) from my app to MS Azure works fine: when I call Auth0’s /authenticate endpoint, Auth0 redirects me to sign in to MS Azure, MS Azure authenticates my user and, eventually, my application gets an access_token, id_token and refresh_token, and I can get user info. Things work fine. The MS Azure default page also shows that I am indeed logged in.

Problems begin when I attempt to do SLO.

  1. First I try to SLO from my application. For this I call the /v2/logout endpoint, passing valid returnTo and client_id values and the federated query param. federated is necessary to indicate that I want to log out from MS Azure as well. The API call completes successfully and, apparently, returns the HTML of an MS Azure sign-out page. However:
    • After the logout I can continue to use the access_token I got at login and call the userinfo endpoint again. Wasn’t I supposed to invalidate the access token at logout?
    • After the “logout” MS Azure continues to see my user as logged in. Hm…
  2. When I try to initiate the SLO from the MS Azure side, it appears to run fine, and MS Azure confirms that I am logged out. However:
    • The access_token I got during SSO continues to work, and I continue to be able to successfully call the userinfo endpoint.

So the question is: how does my application “learn” that the user has signed out from MS Azure? I’ve already found and read this documentation.

In MS Azure I also tried to set the logout endpoint to that of the Auth0 application (according to the application metadata doc). This didn’t change the behavior. My Auth0 application is connected to the MS Azure SAML2 enterprise connection through “OpenID Connect”.

Would really appreciate some help with SLO.
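As an added illustration (not code from the original post or from Auth0), the client-side part of the logout described above: building the /v2/logout URL with the returnTo, client_id and federated parameters named in the post, and an application session store that drops the tokens it holds at logout and refuses the old access token afterwards, independent of whether any remote endpoint would still accept it before expiry. The tenant domain, client id, URLs and token strings are constructed placeholders.

```python
"""Added example, not code from the original post: the client-side part of the
logout described above. It builds the Auth0 /v2/logout URL with returnTo,
client_id and federated, and shows an application session store that drops
the tokens it holds at logout and refuses the old access token afterwards.
Domain, client id, URLs and token strings are constructed placeholders."""
import hashlib
import time
from urllib.parse import urlencode


def build_logout_url(domain: str, client_id: str, return_to: str,
                     federated: bool = True) -> str:
    """Build https://<domain>/v2/logout?client_id=...&returnTo=...[&federated].

    `federated` is a value-less flag parameter, so it is appended literally
    instead of going through urlencode (which would emit "federated=").
    """
    query = urlencode({"client_id": client_id, "returnTo": return_to})
    if federated:
        query += "&federated"
    return f"https://{domain}/v2/logout?{query}"


def _fingerprint(token: str) -> str:
    """Keep a hash rather than the bearer token itself in the denylist."""
    return hashlib.sha256(token.encode()).hexdigest()


class LocalSessionStore:
    """Application-side sessions keyed by a session id.

    Logging out removes the session and records the access token's fingerprint,
    so the application rejects that token regardless of whether an external
    endpoint would still accept it before its expiry.
    """

    def __init__(self) -> None:
        self.sessions: dict[str, dict[str, str]] = {}
        self.revoked: dict[str, float] = {}  # fingerprint -> logout time

    def start(self, session_id: str, access_token: str,
              id_token: str, refresh_token: str) -> None:
        self.sessions[session_id] = {
            "access_token": access_token,
            "id_token": id_token,
            "refresh_token": refresh_token,
        }

    def logout(self, session_id: str) -> bool:
        """Drop the session's tokens; return False if no such session exists."""
        tokens = self.sessions.pop(session_id, None)
        if tokens is None:
            return False
        self.revoked[_fingerprint(tokens["access_token"])] = time.time()
        return True

    def accepts(self, access_token: str) -> bool:
        """True only if the token belongs to a live session and was not revoked."""
        if _fingerprint(access_token) in self.revoked:
            return False
        return any(s["access_token"] == access_token for s in self.sessions.values())


if __name__ == "__main__":
    store = LocalSessionStore()
    store.start("sess-1", "at-constructed", "idt-constructed", "rt-constructed")
    print(build_logout_url("example.auth0.com", "CLIENT_ID_PLACEHOLDER",
                           "https://app.example.com/logged-out"))
    store.logout("sess-1")
    print("old token accepted by the app:", store.accepts("at-constructed"))
```

The store is the piece the application owns in this setup: whatever the remote side does with the token, the app only serves requests for tokens tied to one of its own live sessions, and a logout (user-initiated or signalled from the IdP side) ends that session.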