Shibboleth Proxy to Azure: Completing logout.

Michael Grady mgrady at
Wed Jan 19 20:29:58 UTC 2022

> On Jan 19, 2022, at 2:12 PM, Wessel, Keith <kwessel at> wrote:
> The manual route is what we did, proxying logout to ADFS which would be very similar to proxying to Azure. It's not SAML logout, but since we haven't been propagating logout to other SPs, anyway, it really doesn't matter in the grand scheme of things. We truly just have a meta-refresh tag in our logout template that's redirecting to the Microsoft IdP's logout page.

And if you are not trying to propagate logout anyways, another option might be you simply do not have the Shib IdP keep a session in the first place, and list an Azure AD logout endpoint that does not require a SAML logout message (just like the Shib IdP's profile/Logout endpoint) as the logout endpoint when you configure the SP with the Shib IdP. (Assuming Azure AD has such a logout endpoint.) 

Michael A. Grady
IAM Architect, Unicon, Inc.

