Since OAuth 2.0 itself does not natively support SLO, it must be supplemented with OIDC (OpenID Connect) logout mechanisms.
SLO ensures that when a user logs out of one application, they are automatically logged out of all applications using the same SSO session.
ADFS 2019 and Azure AD (Entra ID) support SLO using OIDC’s End Session Endpoint.
The web application must redirect the user to the IdP's logout endpoint and may optionally pass an ID token hint so the IdP can identify which session to terminate.
Ensure your ADFS 2019 or Azure AD/Entra ID configuration supports OIDC-based logout.
ADFS 2019 Logout Endpoint:
https://adfs.example.com/adfs/oauth2/logout
Azure AD Logout Endpoint:
https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/logout
Modify your web application to handle logout by:
Redirecting the user to the IdP logout URL.
Passing the ID token (if required) to confirm session logout.
Redirecting the user to a post-logout landing page.
Azure AD: https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/logout?post_logout_redirect_uri=https://yourapp.com/logout&id_token_hint={id_token}
ADFS 2019: https://adfs.example.com/adfs/oauth2/logout?post_logout_redirect_uri=https://yourapp.com/logout&id_token_hint={id_token}
post_logout_redirect_uri: Specifies where the user should be redirected after logout.
id_token_hint (Optional): Helps the IdP identify which session to terminate.
Destroy the user session in your web app after logging out.
Clear session cookies, tokens, and authentication state.
Example (Node.js/Express):
app.get('/logout', (req, res) => {
  req.session.destroy(() => {                 // destroy the local session first (express-session completes via callback)
    res.clearCookie('session');               // clear the session cookie (name must match your session config)
    const postLogoutRedirectUri = encodeURIComponent('https://yourapp.com/');
    res.redirect('https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/logout?post_logout_redirect_uri=' + postLogoutRedirectUri);
  });
});
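An added example (not code from the original post) that builds the end-session URL for either IdP with percent-encoded parameters, the optional id_token_hint and an allowlist for post_logout_redirect_uri, then drives the local logout from an Express-style handler; the hostnames, tenant id, cookie name and the session field id_token are assumptions.

```javascript
// Added example, not code from the original post. Hostnames, tenant id, cookie name
// and the session field 'id_token' (stored at login) are assumptions.

const END_SESSION_ENDPOINTS = {
  azuread: (tenantId) => `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/logout`,
  adfs: () => 'https://adfs.example.com/adfs/oauth2/logout',
};

// post_logout_redirect_uri can be attacker-influenced if it is ever taken from the request,
// so only values on this allowlist are accepted; the IdP enforces its registered list too.
const ALLOWED_POST_LOGOUT_URIS = new Set([
  'https://yourapp.com/',
  'https://yourapp.com/logout',
]);

function buildLogoutUrl({ provider, tenantId, postLogoutRedirectUri, idToken }) {
  const endpoint = END_SESSION_ENDPOINTS[provider];
  if (!endpoint) throw new Error(`unknown provider: ${provider}`);
  if (!ALLOWED_POST_LOGOUT_URIS.has(postLogoutRedirectUri)) {
    throw new Error('post_logout_redirect_uri is not on the allowlist');
  }
  const url = new URL(endpoint(tenantId));
  // URLSearchParams percent-encodes the values, so the redirect URI survives as one parameter
  url.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);
  if (idToken) url.searchParams.set('id_token_hint', idToken); // optional: names the IdP session to end
  return url.toString();
}

// Express-style handler: read the ID token before the session is gone, destroy local
// state, then send the browser to the IdP so the SSO session is ended as well.
function logoutHandler(req, res) {
  const idToken = req.session.id_token;
  const target = buildLogoutUrl({
    provider: 'azuread',
    tenantId: 'your-tenant-id',
    postLogoutRedirectUri: 'https://yourapp.com/',
    idToken,
  });
  req.session.destroy(() => {      // express-session's destroy() completes via callback
    res.clearCookie('session');    // must match the cookie name in your session config
    res.redirect(target);
  });
}
```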
Some IdPs notify applications via front-channel logout.
Apps need to listen for a logout request and terminate local sessions.
Example Azure AD Front-Channel Logout URL:
https://yourapp.com/logout
Configure this URL in Azure AD Enterprise Application > Logout URL.
If your web app supports back-channel logout, listen for logout notifications from the IdP.
This requires storing OAuth session references and handling logout events.
Here’s how you can handle Single Logout (SLO) in a PHP web application when using Azure AD (Entra ID) or ADFS 2019 for OAuth 2.0 SSO.
Modify your logout.php script to:
Destroy the PHP session to log the user out locally.
Clear cookies and authentication tokens.
Redirect the user to the IdP logout URL (Azure AD or ADFS 2019).
logout.php:
<?php
session_start();
// Destroy the local session
$_SESSION = [];
session_destroy();
// Clear the session cookie
setcookie(session_name(), '', time() - 3600, '/');
// Redirect to Azure AD/ADFS logout
$tenant_id = "your-tenant-id"; // Azure AD tenant ID
$post_logout_redirect_uri = urlencode("https://yourapp.com/");
// For Azure AD
$logout_url = "https://login.microsoftonline.com/$tenant_id/oauth2/v2.0/logout?post_logout_redirect_uri=$post_logout_redirect_uri";
// For ADFS 2019 (uncomment the following line if using ADFS instead of Azure AD)
// $logout_url = "https://adfs.example.com/adfs/oauth2/logout?post_logout_redirect_uri=$post_logout_redirect_uri";
// Redirect to the logout endpoint
header("Location: $logout_url");
exit;
In Azure Portal, go to Azure AD > Enterprise Applications.
Select your application and navigate to Properties.
Set Logout URL to https://yourapp.com/logout.php.
Open AD FS Management on your ADFS server.
Go to Application Groups > Your App > Web API.
Ensure OAuth logout endpoint is enabled.
Add https://yourapp.com/logout.php as a trusted logout URL.
Planned
💡 Feature Suggestions
About 1 year ago

John Lohr