Asked by AdeRB-8192 · edited by amanpreetsingh-msft

Bypass the Azure AD SSO “choose an account” prompt when calling the end_session_endpoint logout URL

Hello, I'm new to SSO, but we have a situation where, for specific use cases, we need to log out Windows users from their AAD sessions (all through Chrome), and we would like to do this automatically (e.g. after the screen is locked and a period of inactivity has expired).

After reading the Azure OIDC protocols sign-out documentation, we tried (using a script) fetching the end_session_endpoint from https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration and calling the logout endpoint. However, the 'Pick an account' prompt appears, which requires user interaction before the user is logged out and therefore doesn't help us log the user out automatically.

Is there a way of avoiding this user prompt so that the logout can occur automatically, e.g. by passing the session details? Alternatively, is there another method we could explore for a specific set of users (we don't want to reduce the AAD session timer for all users)?

Many thanks.

azure-ad-saml-sso

1 Answer

Answered by sikumars-msft · edited by amanpreetsingh-msft

Hello @AdeRB-8192,

Thanks for reaching out.

This is expected behavior ('Pick an account') with the v2.0 endpoint during logout (https://login.microsoftonline.com/common/oauth2/v2.0/logout), and our engineering team is working on a feature request that would skip the picker and sign the user out automatically, but we don't have an ETA as of today.

Meanwhile, I would recommend trying the v1 logout endpoint and seeing if that helps with this scenario. Hope this helps.

Well-known v1 endpoint: https://login.microsoftonline.com/common/.well-known/openid-configuration
v1 logout endpoint: https://login.microsoftonline.com/common/oauth2/logout
Sample logout request: https://login.microsoftonline.com/common/oauth2/logout?post_logout_redirect_uri=https://portal.azure.com:443/


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


Hi @sikumars-msft, I checked with the product team and they confirmed that this is in the testing phase and that the instructions to pass a logout hint will be documented in the near future, but there is no ETA as of now. At this point, it doesn't work with the v2 endpoint.

@AdeRB-8192 Please let us know if you have any further question.

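As an added example that is not part of the original thread: a small Python script that does what the question and the answer describe, reading end_session_endpoint from an OIDC discovery document and building the sign-out URL with post_logout_redirect_uri, for both the v2.0 endpoint (which shows the account picker on /common, per the answer) and the v1 endpoint the answer recommends. The two discovery documents are constructed, trimmed samples holding only the field the script needs; in a real script you would GET the two well-known URLs named in the thread over HTTPS and pass the JSON body in. The redirect allowlist and the optional logout_hint parameter are assumptions: logout_hint is the standard OIDC RP-Initiated Logout parameter name, and the comment above only says that passing a logout hint was still being worked on and undocumented.

```python
"""Build an Azure AD (OIDC) sign-out URL from a discovery document.

Added example for this thread, not code from the question or the answer.
"""
import json
from typing import Optional
from urllib.parse import urlencode, urlsplit

# Constructed sample: only the sign-out field of the v2.0 discovery document
# (https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration).
V2_DISCOVERY = json.dumps({
    "end_session_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/logout",
})
# Constructed sample: the same field from the v1 discovery document
# (https://login.microsoftonline.com/common/.well-known/openid-configuration).
V1_DISCOVERY = json.dumps({
    "end_session_endpoint": "https://login.microsoftonline.com/common/oauth2/logout",
})

# Hypothetical allowlist (assumption): the post-logout redirect URIs that are
# registered on the app. The answer's sample request uses the Azure portal.
ALLOWED_POST_LOGOUT_REDIRECTS = {"https://portal.azure.com:443/"}


def end_session_endpoint(discovery_json: str) -> str:
    """Extract end_session_endpoint from a discovery document and refuse
    anything that is not an https URL on login.microsoftonline.com, so a
    tampered or mis-fetched document cannot send the browser elsewhere."""
    doc = json.loads(discovery_json)
    endpoint = doc.get("end_session_endpoint")
    if not isinstance(endpoint, str):
        raise ValueError("discovery document has no end_session_endpoint")
    parts = urlsplit(endpoint)
    if parts.scheme != "https" or parts.hostname != "login.microsoftonline.com":
        raise ValueError(f"unexpected end_session_endpoint: {endpoint}")
    return endpoint


def is_v2_endpoint(endpoint: str) -> bool:
    """True for the v2.0 logout endpoint, the one the answer says prompts
    'Pick an account' when called on /common."""
    return "/oauth2/v2.0/" in urlsplit(endpoint).path


def redirect_allowed(uri: str, allowlist=ALLOWED_POST_LOGOUT_REDIRECTS) -> bool:
    """Exact-match allowlist plus https-only. post_logout_redirect_uri is an
    open-redirect vector if it is ever derived from untrusted input, so the
    script checks it locally as well as relying on the IdP's registration check."""
    return urlsplit(uri).scheme == "https" and uri in allowlist


def build_logout_url(endpoint: str, post_logout_redirect_uri: str,
                     logout_hint: Optional[str] = None) -> str:
    """Assemble the sign-out URL the browser has to load.

    logout_hint is the OIDC RP-Initiated Logout parameter for naming the
    session to end. Assumption: the comment in the thread says Azure AD's
    support for a logout hint was still in testing and undocumented, so only
    add it once the documentation confirms the parameter and its value."""
    if not redirect_allowed(post_logout_redirect_uri):
        raise ValueError(f"redirect URI not on the allowlist: {post_logout_redirect_uri}")
    params = {"post_logout_redirect_uri": post_logout_redirect_uri}
    if logout_hint is not None:
        params["logout_hint"] = logout_hint
    # urlencode percent-encodes the redirect URI, unlike the raw sample request
    # in the answer; both forms are accepted, the encoded one is unambiguous.
    return f"{endpoint}?{urlencode(params)}"


if __name__ == "__main__":
    for label, doc in (("v2.0", V2_DISCOVERY), ("v1", V1_DISCOVERY)):
        ep = end_session_endpoint(doc)
        note = ("account picker appears on /common (per the answer)"
                if is_v2_endpoint(ep) else "recommended in the answer")
        print(f"{label}: {build_logout_url(ep, 'https://portal.azure.com:443/')}  # {note}")
```

The URL this produces has to be loaded by the browser that holds the Azure AD session cookies, which in the question is the users' Chrome; a script fetching the URL with its own HTTP client carries no cookies and signs nobody out. Keep post_logout_redirect_uri to a URI registered on the app registration, which is what the allowlist above stands in for.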