Shibboleth Proxy to Azure: Completing logout.

Wessel, Keith kwessel at
Wed Jan 19 20:12:38 UTC 2022

The manual route is what we did, proxying logout to ADFS which would be very similar to proxying to Azure. It's not SAML logout, but since we haven't been propagating logout to other SPs, anyway, it really doesn't matter in the grand scheme of things. We truly just have a meta-refresh tag in out logout template that's redirecting to the Microsoft IdP's logout page.


-----Original Message-----
From: users <users-bounces at> On Behalf Of Cantor, Scott
Sent: Wednesday, January 19, 2022 2:09 PM
To: Shib Users <users at>
Subject: Re: Shibboleth Proxy to Azure: Completing logout.

>    My web searches on the topic haven't come up with anything.  Apologies if it has been discussed already. 

I thought it had, but I don't see anything in the archive.

>  Is there a way to configure Shibboleth to add an additional step of 
> logging the user out of the Azure IDP as well?

No. There isn't any obvious way I see to continue supporting single logout while proxying unless it's back channel only. At some point we might implement options to ignore single logout and just relay control to the second IdP.

Hooking the logout within the template/view and forcing a manual client-side redirect out to Azure is a possible workaround. I don't know that they support SAML logout to begin with, in which case nothing we add would work anyway.

-- Scott

For Consortium Member technical support, see;!!DZ3fjg!oCLNdRE_JuEC_bUN2FPdLway4cWMEBW_eDRYHwdT-W_3kngz7ZoI94yvNwxgBngIrg$
To unsubscribe from this list send an email to users-unsubscribe at

More information about the users mailing list