SLO: Entra ID

To configure single logout (SLO) in Entra ID, begin by enabling SLO in Kantega SSO from the Single Logout menu. As of Kantega SSO 3.5.0, the logout URL should already be populated, so you can simply enable SLO and click Save.

If the SAML provider logout URL for Entra ID isn't already configured, it must be configured first. You can either enter it directly in the Single Logout configuration form or refresh the Entra ID metadata, which is what we'll do here.

Navigate to the Metadata menu. If the metadata URL is already filled you can simply click Save to do the refresh.

Otherwise, you will first need to either obtain the "App Federation Metadata Url" or upload the "Federation Metadata XML" as a file (or cut and paste the XML) from Entra ID. Both are available in the Entra ID management portal. Log in to https://portal.azure.com, then navigate to Microsoft Entra ID >> Enterprise Applications >> Atlassian app. Then select Single Sign-on from the menu.

After refreshing metadata, the Single Logout menu page should have a logout URL and you can enable SLO and continue with the setup.
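
To confirm that a federation metadata document actually carries a logout endpoint before refreshing, the following added example (not part of Kantega SSO or of the original page) parses the XML and lists the IdP's SingleLogoutService endpoints. The sample metadata is constructed, the tenant ID in it is a placeholder, and idp_logout_endpoints is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID

# Constructed sample, trimmed to the elements that matter for SLO.
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="{MD}" entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def idp_logout_endpoints(metadata_xml):
    """Return (entity_id, [(binding, location), ...]) for the IdP role."""
    # Metadata comes from outside (URL, upload, paste): refuse DTDs so that
    # entity-expansion tricks never reach the parser.
    if "<!DOCTYPE" in metadata_xml or "<!ENTITY" in metadata_xml:
        raise ValueError("DTD/entity declarations are not allowed in metadata")
    root = ET.fromstring(metadata_xml.encode("utf-8"))
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("root element is not a SAML EntityDescriptor")
    ns = {"md": MD}
    endpoints = []
    for slo in root.findall("md:IDPSSODescriptor/md:SingleLogoutService", ns):
        location = slo.get("Location", "")
        # Logout messages should only ever be sent to an HTTPS endpoint.
        if not location.lower().startswith("https://"):
            raise ValueError(f"non-HTTPS logout endpoint: {location!r}")
        endpoints.append((slo.get("Binding"), location))
    return root.get("entityID"), endpoints


if __name__ == "__main__":
    entity_id, endpoints = idp_logout_endpoints(SAMPLE_METADATA)
    print("IdP entityID:", entity_id)
    if not endpoints:
        print("No SingleLogoutService in metadata: no logout URL to populate")
    for binding, location in endpoints:
        print(binding.rsplit(":", 1)[-1], "->", location)
```

An empty endpoint list means the metadata has no logout URL to offer, so a refresh will not populate the Single Logout page.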

 

Configuring a Logout URL for the service provider (does not work with Entra ID currently)

A logout URL can optionally be configured for each SP (e.g. Jira, Confluence) in Entra ID. This should enable real single logout, but it does not work. Entra ID correctly notifies one session participant but won't accept LogoutResponse messages from that entity on its own endpoint, so the protocol breaks down. It works as a basic return URL as long as there is only a single session participant, which is pretty much useless.

  • If omitted, the initiating service provider is never sent a LogoutResponse at the end of single logout. The user is then signed out of the Atlassian app and Entra ID and lands on Entra ID's logout confirmation page. This works because Kantega SSO terminates the session on the way out and doesn't actually require the LogoutResponse for anything other than to "land" the user somewhere.

  • If included, Entra ID sends a LogoutResponse back to the initiating SP at the end of single logout. The user is signed out of the IdP and SP as above but instead lands on the Atlassian app's logout confirmation page.

 

Locate the Basic SAML configuration card and click to edit.

 

To fill in the logout URL, either save the Service Provider Metadata from Kantega SSO (obtained from "URLs and cert for IDP setup") and upload it to Entra ID as shown below, or simply cut and paste the Logout URL manually.