Channel: Azure Active Directory forum

Single Log Out issue when there are multiple signed-in sessions from same SP


We are configuring Azure AD as an IdP (using SAML 2.0) and using PingFederate as a Service Provider. When there are multiple logged-in user sessions and the user logs out of one of them, we are seeing the following behavior:

  1. The SP sends a SAML LogoutRequest to Azure AD.
  2. The SP receives a LogoutRequest from Azure AD (it looks like Azure AD is doing the 'broadcast', since there is another logged-in session from the same SP).
  3. The SP responds with a logout success to Azure AD's SLO endpoint.
  4. Azure AD throws an error that the SLO endpoint does not support the SAML LogoutResponse protocol.
  5. The SP does not receive a logout response from Azure AD, and the logout is interrupted.

So my questions are:

  1. When there are multiple logged-in sessions from the same SP and SLO is initiated from one session, why is the originating SP receiving a broadcast?

  2. Does the broadcast expect a logout response? I would assume any SP would respond to a logout request, but where should that response be sent? Apparently the SLO endpoint doesn't support logout responses, so is there a different response URL on Azure AD to receive these logout responses?

  3. If we configure the SP not to send a logout response to Azure AD (by setting an empty SLO response URL), that does seem to allow the logout to continue, but the SP doesn't finish the logout process by redirecting to the customer's redirect endpoint, and the user stays on a screen telling them to close all browser sessions (probably because it's not receiving a success logout response). Note that when there's only one logged-in session, the SLO process works as expected, i.e., the user is redirected to the application's configured endpoint after SLO success.
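The following is an added example, not code from the post, from Azure AD or from PingFederate. It models the SP side of the three-message pattern the post describes (SP-initiated LogoutRequest, an IdP-initiated LogoutRequest arriving for the SP's other session, a LogoutResponse correlated back to the original request) with a simulated IdP. The entity IDs, endpoint URLs, NameIDs and SessionIndex values are placeholders, the messages are built inline and unsigned, and the IdP's behaviour is a simplification chosen to replay the sequence above, not a statement of what Azure AD does internally.

```python
# Hypothetical SP-side SAML 2.0 Single Logout handler with two live sessions for
# one user.  Not code from Azure AD, PingFederate or the original post.  Messages
# are constructed inline and unsigned; a real SP must verify the IdP's XML
# signature and the Destination attribute before acting on any of them.
import uuid
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed entity IDs and SLO endpoints (placeholders, not taken from the post).
IDP_ENTITY_ID = "https://idp.example.test/saml"
SP_ENTITY_ID = "https://sp.example.test/saml"
IDP_SLO_URL = "https://idp.example.test/saml/slo"
SP_SLO_URL = "https://sp.example.test/saml/slo"


def new_id():
    """SAML message IDs must be XML NCNames, so they cannot start with a digit."""
    return "_" + uuid.uuid4().hex


def logout_request(issuer, dest, name_id, session_index, msg_id=None):
    msg_id = msg_id or new_id()
    return (f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            f'ID="{msg_id}" Version="2.0" Destination="{dest}">'
            f'<saml:Issuer>{issuer}</saml:Issuer><saml:NameID>{name_id}</saml:NameID>'
            f'<samlp:SessionIndex>{session_index}</samlp:SessionIndex></samlp:LogoutRequest>')


def logout_response(issuer, dest, in_response_to, status=SUCCESS):
    return (f'<samlp:LogoutResponse xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            f'ID="{new_id()}" Version="2.0" Destination="{dest}" InResponseTo="{in_response_to}">'
            f'<saml:Issuer>{issuer}</saml:Issuer>'
            f'<samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status></samlp:LogoutResponse>')


class ServiceProvider:
    def __init__(self):
        self.sessions = {}  # SessionIndex -> NameID
        self.pending = {}   # ID of a LogoutRequest we sent -> SessionIndex it was for

    def login(self, name_id, session_index):
        self.sessions[session_index] = name_id

    def start_logout(self, session_index):
        """SP-initiated SLO: send a LogoutRequest for one session and remember its ID."""
        req_id = new_id()
        self.pending[req_id] = session_index
        return logout_request(SP_ENTITY_ID, IDP_SLO_URL, self.sessions[session_index],
                              session_index, msg_id=req_id)

    def receive(self, xml):
        """Dispatch an inbound SLO message by element name, not by which URL it hit."""
        root = ET.fromstring(xml)
        if root.findtext(f"{{{SAML}}}Issuer") != IDP_ENTITY_ID:
            raise ValueError("logout message from unexpected issuer")
        if root.tag == f"{{{SAMLP}}}LogoutRequest":
            return self._on_request(root)
        if root.tag == f"{{{SAMLP}}}LogoutResponse":
            return self._on_response(root)
        raise ValueError(f"unexpected SAML message {root.tag}")

    def _on_request(self, root):
        """IdP-initiated (broadcast) request: end the named sessions, answer with a LogoutResponse."""
        name_id = root.findtext(f"{{{SAML}}}NameID")
        indexes = [e.text for e in root.findall(f"{{{SAMLP}}}SessionIndex")]
        if not indexes:  # no SessionIndex means every session of this principal
            indexes = [i for i, n in self.sessions.items() if n == name_id]
        ended = [i for i in indexes if self.sessions.pop(i, None) is not None]
        return {"kind": "request", "ended": ended,
                "reply": logout_response(SP_ENTITY_ID, IDP_SLO_URL, root.get("ID"))}

    def _on_response(self, root):
        """Reply to our own request: accept it only if InResponseTo names a request we sent."""
        in_response_to = root.get("InResponseTo")
        if in_response_to not in self.pending:
            raise ValueError("unsolicited LogoutResponse (unknown InResponseTo)")
        status = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode").get("Value")
        session_index = self.pending.pop(in_response_to)
        if status == SUCCESS:
            self.sessions.pop(session_index, None)
        return {"kind": "response", "ended": session_index, "success": status == SUCCESS}


def run_exchange():
    """Replay the pattern from the post with a simulated IdP: the SP asks to log out
    session A, the IdP sends a LogoutRequest for the SP's other session B, the SP
    answers it, and only then does the IdP respond to the original request."""
    sp = ServiceProvider()
    sp.login("alice@example.test", "sess-A")
    sp.login("alice@example.test", "sess-B")
    sp_request = sp.start_logout("sess-A")
    sp_request_id = ET.fromstring(sp_request).get("ID")

    broadcast = logout_request(IDP_ENTITY_ID, SP_SLO_URL, "alice@example.test", "sess-B")
    step2 = sp.receive(broadcast)  # SP ends sess-B and builds its reply
    reply_correlates = (ET.fromstring(step2["reply"]).get("InResponseTo")
                        == ET.fromstring(broadcast).get("ID"))
    step3 = sp.receive(logout_response(IDP_ENTITY_ID, SP_SLO_URL, sp_request_id))
    return {"ended_by_broadcast": step2["ended"], "reply_correlates": reply_correlates,
            "ended_by_response": step3["ended"], "remaining": sorted(sp.sessions)}


def unsolicited_response_is_rejected():
    """A LogoutResponse whose InResponseTo matches nothing we sent must be refused."""
    sp = ServiceProvider()
    sp.login("bob@example.test", "sess-X")
    try:
        sp.receive(logout_response(IDP_ENTITY_ID, SP_SLO_URL, "_not-ours"))
    except ValueError:
        return "sess-X" in sp.sessions
    return False
```

The two design points worth copying into a real SP are in `receive` and `_on_response`: an SLO endpoint should dispatch on the message element (LogoutRequest versus LogoutResponse) rather than assume one message type per URL, and a LogoutResponse should only be honoured when its InResponseTo matches a request the SP actually sent, otherwise it is rejected as unsolicited. Signature verification and Destination checking are deliberately omitted here and must not be in production code.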

