SLO: Azure AD
To configure single logout (SLO) in Azure AD (AAD), begin by enabling SLO in Kantega SSO from the Single Logout menu. As of Kantega SSO 3.5.0, the logout URL should already be populated, so you can simply enable SLO and click Save.
If the SAML provider logout URL for AAD isn't already configured, configure it first:
Configuring a Logout URL for the service provider (does not work with AAD currently)
A logout URL can optionally be configured for each SP (e.g. Jira, Confluence) in AAD. This should enable real single logout, but it does not work. AAD correctly notifies one session participant but won't accept LogoutResponse messages from that entity on its own endpoint, so the protocol breaks down. It works as a basic return URL as long as there is only a single session participant, which is pretty much useless.
If omitted, the initiating service provider is never sent a LogoutResponse at the end of single logout. The user is then signed out of the Atlassian app and AAD and lands on AAD's logout confirmation page. This works because Kantega SSO terminates the session on the way out and doesn't actually require the LogoutResponse for anything other than to "land" the user somewhere.
If included, AAD sends a LogoutResponse back to the initiating SP at the end of single logout. The user is signed out of the IDP and SP as above but instead lands on the Atlassian app's logout confirmation page.
Locate the Basic SAML configuration card and click to edit.
To fill in the logout URL, either save the Service Provider Metadata from Kantega SSO (obtained from "URLs and cert for IDP setup") and upload it to AAD as shown below, or simply copy and paste the Logout URL manually.
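Before uploading the saved metadata, you can check which logout endpoint it actually advertises. The following is an added example, not code from Kantega SSO or Microsoft: it reads a SAML SP metadata document, lists its SingleLogoutService entries, and flags a missing or non-HTTPS logout URL. The sample metadata, entityID and URLs are constructed placeholders, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"  # SAML 2.0 metadata namespace

# Constructed sample; entityID and URLs are placeholders, not real Kantega SSO paths.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://jira.example.com/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://jira.example.com/placeholder/logout"/>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://jira.example.com/placeholder/login"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def logout_endpoints(metadata_xml):
    """Return (entityID, [(binding, location, response_location), ...])."""
    # Intended for metadata you exported yourself, not untrusted XML.
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    path = f"{{{MD}}}SPSSODescriptor/{{{MD}}}SingleLogoutService"
    found = [(e.get("Binding"), e.get("Location"), e.get("ResponseLocation"))
             for e in root.iterfind(path)]
    return root.get("entityID"), found

def logout_url_problems(endpoints):
    """List reasons the logout URL should not be copied into the IdP as-is."""
    if not endpoints:
        return ["metadata has no SingleLogoutService element"]
    issues = []
    for binding, location, response_location in endpoints:
        if not location:
            issues.append(f"{binding}: missing Location")
        for url in (location, response_location):
            if url and urlparse(url).scheme != "https":
                issues.append(f"{binding}: {url} is not HTTPS")
    return issues

if __name__ == "__main__":
    entity_id, endpoints = logout_endpoints(SAMPLE_METADATA)
    print(entity_id, endpoints, logout_url_problems(endpoints) or "ok")
```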