
So I am implementing this single sign-on feature using Azure AD as the authentication provider. My question is: is it possible to register just one centralized application for potentially multiple deployments?

Doc: single sign out

I also want this single sign-out feature, i.e. if a user logs out of his/her Outlook account, my app will react to it and also perform a logout.

The doc specifies that I need to set the LogoutUrl field in AAD and do the implementation. The problem is I can only fill out one LogoutUrl for each registered application. I tried moving this logout URL to the reply URLs, but the endpoint will not fire (it only works when filled in the logout URL field).

Scenario: I have one core app for potentially multiple deployments, and they all have their own unique URLs.

  1. abc.com
  2. abc1.com
  3. abc2.com

The list will get longer, so it is painful if I need to set up the application for each one. Can I get around this by just setting up one centralized app?

For the redirect URL I think I can set up multiple reply URLs. Or can I?

The difficult part is the LogoutUrl: AAD only allows one value to be set, so I need to set up a centralized endpoint (logout.com/logout) to receive the logout call and then redirect the call to the associated deployment. (A user logs out from abc.com, logout.com/logout is fired, it then needs to identify that the logout happened on abc.com, and then it directs the call to abc.com so abc.com can receive it and perform cleanups.)


For Azure Active Directory, you can have reply URLs spanning multiple domains. So that works. You can also use these reply URLs as part of your logout process. The logout URL setting is optional, as far as I know.

https://login.microsoftonline.com/{0}/oauth2/logout?post_logout_redirect_uri={1}

(How to signout from an Azure Application?)

Remark: Azure AD B2C only supports reply URLs within a single domain.

Edit: It seems I misunderstood your question. Do you want a redirect to abc.com when the user logs out from abc.com? Use the redirect URL. Do you want to clear the session in abc.com, abc1.com, abc2.com when the user logs out from abc.com? This is more tricky since AAD opens up your logout URL in a hidden iframe (=> "front-channel signout", a GET to the designated URL). If you want this to actually clean up all your domains, you need to get creative... not sure what the best way is. You could try returning HTML that itself has iframes to all the domains, but I don't know if it will be properly evaluated.

Alex AIT
  • What I want to do is single sign-out, i.e. if a user signs out of his/her Outlook web, my app will react to it and sign out the user as well. If I leave the post URL field blank in AAD and move it to the reply URL, the endpoint won't be fired. It will only be fired when it is in the logout URL field. So it looks like the centralized registration is not supported? https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc – Demi-Gods and Semi-Devils Feb 27 '19 at 22:43
  • Actually what I need is: if user A signs in to abc.com, when he/she signs out of his/her Microsoft account, abc.com will sign out too. Also if user A signs in to abc1.com, when he/she signs out of his/her Microsoft account, abc1.com will sign out too, etc. Usually a user will only subscribe with one domain. What you said sounds viable but I have no clue how to implement it. Can you elaborate a bit more? How do I set up a centralized URL that encapsulates the domains? – Demi-Gods and Semi-Devils Feb 28 '19 at 11:46
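The centralized logout endpoint the question sketches (logout.com/logout as the single LogoutUrl of one app registration, fanning sign-out to the deployment that owns the session) and the nested-iframe idea from the answer's edit, as an added example that is not code from the question, the answer, or Microsoft. It assumes, beyond what the thread states, that Azure AD loads the LogoutUrl in a hidden iframe with OIDC front-channel logout query parameters `sid` and `iss`; that each deployment records the id_token `sid` claim together with its own host in a shared store at sign-in; and that each deployment exposes a hypothetical `/signout-fc` path that clears its local session. The store contents, tenant id and issuer are constructed placeholders. The last function builds the end-session URL quoted in the answer, with the `post_logout_redirect_uri` restricted to a registered deployment so the sign-out flow cannot be turned into an open redirect.

```python
# Added example (not from the original question or answer): one centralized
# front-channel logout endpoint for a single Azure AD app registration that
# serves several deployments (abc.com, abc1.com, abc2.com).
# Assumptions not stated in the thread: Azure AD calls the LogoutUrl in a
# hidden iframe with query parameters `sid` and `iss`; each deployment stores
# the id_token `sid` claim with its host at sign-in; each deployment exposes
# a hypothetical /signout-fc path that clears its local session.
from html import escape
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Hosts registered as reply URLs in the single AAD app registration.
KNOWN_DEPLOYMENTS = {"abc.com", "abc1.com", "abc2.com"}

# Issuer the logout request must claim to come from (placeholder tenant id).
# If the provider sends only `sid`, drop the issuer comparison below.
EXPECTED_ISSUER = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0"

# Constructed sample of the shared store: Azure AD session id -> deployment host.
SESSION_STORE: Dict[str, str] = {"sid-1111": "abc.com", "sid-2222": "abc1.com"}

# Constructed sample of the GET Azure AD would issue to the LogoutUrl.
SAMPLE_REQUEST = "https://logout.com/logout?" + urlencode(
    {"sid": "sid-1111", "iss": EXPECTED_ISSUER}
)


def parse_logout_request(url: str) -> Optional[Dict[str, str]]:
    """Extract sid/iss from the front-channel logout GET; None if untrusted."""
    qs = parse_qs(urlparse(url).query)
    sid = qs.get("sid", [""])[0]
    iss = qs.get("iss", [""])[0]
    if not sid or iss != EXPECTED_ISSUER:
        return None
    return {"sid": sid, "iss": iss}


def deployments_for_sid(sid: str, store: Dict[str, str]) -> List[str]:
    """Deployments whose local session was created from this AAD session."""
    host = store.get(sid)
    return [host] if host in KNOWN_DEPLOYMENTS else []


def build_logout_response(url: str, store: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
    """Answer the hidden-iframe request with HTML that loads each affected
    deployment's sign-out path in a nested hidden iframe (the approach the
    answer suggests trying). Returns (status, headers, body)."""
    headers = {"Cache-Control": "no-store", "Content-Type": "text/html; charset=utf-8"}
    req = parse_logout_request(url)
    if req is None:
        return 400, headers, "<!doctype html><title>bad request</title>"
    hosts = deployments_for_sid(req["sid"], store)
    store.pop(req["sid"], None)  # one-shot: the same sid cannot re-trigger logout
    frames = "".join(
        '<iframe src="%s" style="display:none"></iframe>'
        % escape("https://%s/signout-fc?%s" % (h, urlencode({"sid": req["sid"]})))
        for h in hosts
    )
    return 200, headers, "<!doctype html><title>signout</title>" + frames


def build_aad_logout_url(tenant: str, post_logout_redirect_uri: str) -> str:
    """The end-session URL quoted in the answer, with the return address
    restricted to a registered deployment over https (no open redirect)."""
    target = urlparse(post_logout_redirect_uri)
    if target.scheme != "https" or target.hostname not in KNOWN_DEPLOYMENTS:
        raise ValueError("post_logout_redirect_uri is not a registered deployment")
    return "https://login.microsoftonline.com/%s/oauth2/logout?%s" % (
        tenant, urlencode({"post_logout_redirect_uri": post_logout_redirect_uri})
    )


if __name__ == "__main__":
    status, _, body = build_logout_response(SAMPLE_REQUEST, dict(SESSION_STORE))
    print(status, body)
    print(build_aad_logout_url("common", "https://abc1.com/"))
```

Two caveats a practitioner would check before relying on this. First, the nested iframes run in a third-party context under Azure AD's own hidden iframe, so each deployment's session cookie must be `SameSite=None; Secure` to be sent at all, and browsers that block third-party cookies may still drop it; that is the uncertainty behind the answer's "I don't know if it will be properly evaluated", and a server-side session store keyed by `sid` that `/signout-fc` can invalidate without a cookie is the robust fallback. Second, `/signout-fc` should compare the `sid` it receives with the one bound to its own session before clearing anything, rather than trusting the query string, and the central store drops the mapping after one use so a captured logout URL cannot be replayed.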