logout loop

[gekko2725]

Does anyone have any experience with logout loops?

I am authenticating against an Azure enterprise app, seeing the expected cookies and content in my protected directories and even getting a successful logout message afterwards.

Then the app attempts to login again automatically resulting in an error.

I am using the following link to logout:

https://login.windows.net/common/oauth2/logout?post_logout_redirect_uri=https://login.microsoftonline.com/[enterprise app id]/saml2

I immediately get redirected to: https://login.microsoftonline.com/[enterprise app id]/saml2

The error is: AADSTS750054: SAMLRequest or SAMLResponse must be present as query string parameters in HTTP request for SAML Redirect binding.

As background:

• I am protecting the entire web root /
• I have a logout.php file in the web root for clearing session data and is used in the Azure Front-channel logout URL

The only thing that seems a little odd to me is to have the front-channel logout url in the protected directory but I would like to protect the entire web root.

Does anyone have any thoughts? I know that I can simply direct my users to close the browser but I’d like to keep this as tidy as possible.

Thanks and regards.

[gekko2725]

Hi folks,

I'm answering my own question, hopefully it saves some of the team from going down the rabbit hole. It also goes to show that I should have done a little of my own research before posting the question here.

This also isn't entirely my solution. My colleague Okcana gets credit.

Two things need to happen:

• The saml logout endpoint in the Azure app registration does not gracefully log out the session. Use the generic Microsoft ws federation link below

https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0

• Clear the session and forcibly expire the cookie rather than trying to delete it. The httponly flag makes it almost impossible to delete with javascript.

setcookie("mod_auth_openidc_session", "", time()-3600);
session_start();
session_destroy();

And then redirect the browser to Azure for logout by refreshing http headers:

header("Location: https://login.windows.net/common/oauth2/logout?post_logout_redirect_uri=https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0");

Enjoy,
S