maiwan-7629 asked ArunGupta-8970 commented

AZURE AD - Problem with logging off from Enterprise application - SAML

Hello Colleagues

During our implementation of SSO SAML integration with the Azure platform, we are facing some strange Azure logoff behavior:

For some Enterprise Applications it is working very well, so log in and log out by SAML work as desired.
For one application, log in works fine, but during log off we are experiencing the following error:

AADSTS50070: Signout failed. The request specified session indexes '_c95d8ed3-d069-4b52-af80-878e8c483100' which did not match the existing session(s).
Request Id: 161dd228-c453-446b-87c5-a0760e6c1000
Correlation Id: f4d09e59-667e-4797-a655-c275cbbd86cd
Timestamp: 2021-03-10T10:40:04Z
Message: AADSTS50070: Signout failed. The request specified session indexes '_c95d8ed3-d069-4b52-af80-878e8c483100' which did not match the existing session(s).

We've already checked all our options on the SAML SSO settings page in Azure AD for that application; they are the same as for the others.
We already checked our internal implementation; it is the same as for the other applications...

Any thoughts? What can the problem be?

azure-ad-saml-sso

maiwan-7629 answered ArunGupta-8970 commented

Hello @vipulsparsh-msft, thanks for the answer.
The problem is that we are doing exactly the same for one application, and the logoff is working correctly without any problems.
And for the 2nd application, which is identical to the 1st one, we have this problem. The only thing that differs between both apps is the login and logout URL on our side.
No differences inside the server/application; all settings are the same.
Both applications are under the same Azure tenant, so we are sending login and logout requests to the same Microsoft URIs.


@maiwan-7629 It would be better if you can open a support case with AAD team to have a further look at this.


Hi @maiwan-7629 - Have you had any luck resolving the above issue?

We seem to have the same issue with logging out the user when using Cognito SAML integration with Azure AD.

vipulsparsh-MSFT answered

@maiwan-7629 Thanks for reaching out. Azure AD just replies to the recent session that the app is sending in the request. Are you sure that that is the correct session from the app side?

A common scenario would be something like this or similar:
The app does some other kind of authentication once the user logs in, like a double authentication, gets a second auth cookie, but when sending the logout request it still sends the first session cookie for some reason.

The session index for logout must match the one from the first login.

You need to study the Fiddler trace of the complete login process to find out where exactly this is wrong. In most of these scenarios, the application needs to be corrected.
A support case with the identity team from our side can help you investigate this further.



If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" for the answer that helped you for benefit of the community.

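As an added illustration of the check the answer above describes (not code from this thread, from Microsoft, or from the asker's application), the following Python compares the SessionIndex values in a SAML LogoutRequest against those asserted in the AuthnStatement of the login Response, which is the mismatch behind AADSTS50070. The XML messages are constructed samples with signatures and most attributes omitted; the check is meant to be run over the decoded messages from a Fiddler trace.

```python
"""Verify that a SAML LogoutRequest carries a SessionIndex that the IdP
actually issued at login (the condition behind AADSTS50070)."""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}


def session_indexes_from_response(response_xml: str) -> set:
    """Collect every SessionIndex asserted in the login Response's AuthnStatements."""
    root = ET.fromstring(response_xml)
    return {
        stmt.get("SessionIndex")
        for stmt in root.iterfind(".//saml:AuthnStatement", NS)
        if stmt.get("SessionIndex")
    }


def session_indexes_from_logout(logout_xml: str) -> set:
    """Collect the SessionIndex elements the SP placed in its LogoutRequest."""
    root = ET.fromstring(logout_xml)
    return {el.text.strip() for el in root.iterfind("samlp:SessionIndex", NS) if el.text}


def logout_matches_login(response_xml: str, logout_xml: str) -> bool:
    """True only if every SessionIndex in the LogoutRequest was issued at login.
    A LogoutRequest without any SessionIndex is treated as a mismatch too."""
    issued = session_indexes_from_response(response_xml)
    requested = session_indexes_from_logout(logout_xml)
    return bool(requested) and requested <= issued


# Constructed sample login Response (hypothetical IDs, no signature).
LOGIN_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
    <saml:AuthnStatement AuthnInstant="2021-03-10T10:30:00Z" SessionIndex="_a1"/>
  </saml:Assertion>
</samlp:Response>"""


def logout_request(session_index: str) -> str:
    """Build a constructed LogoutRequest carrying the given SessionIndex."""
    return f"""<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_l1" Version="2.0">
  <saml:NameID>user@example.com</saml:NameID>
  <samlp:SessionIndex>{session_index}</samlp:SessionIndex>
</samlp:LogoutRequest>"""
```

When the function returns False for a real trace, the SessionIndex the application stored after login is not the one it is sending at logout, which is exactly the stale-session scenario the answer describes.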