0

How do I implement SAML Single Log Out with Azure AD as IDP in SAP HANA?

I have defined a web app in Azure to access to resources hosted on SAP HANA as described in this link.

In the web app is defined a logout endpoint which is

https://login.windows.net/common/wsfederation?wa=wsignout1.0

From browser I log to Azure AD and then I access to the resources on HANA. After I called the endpoint from address bar of the browser, I have to close all browser windows in order to do a proper logout.

enter image description here

  1. Is this the expected behavior when I log out?
  2. How do I implement a SAML Single Log Out in a native app? Is that realistic scenario?

Thanks

Sandra Rossi
  • 11,934
  • 5
  • 22
  • 48
Sara Menoncin
  • 93
  • 1
  • 13

1 Answers1

3

Yes, this is the expected behavior because you are using WS-Fed logout. In this case SAP Hana (might be Hana Identity Manager) is redirecting to this URL for doing single log out. Azure AD does support SAML Single sign-out also. But you need to check that first with SAP HANA. If they support SAML based single sign-out then application can send the SAML Logout POST Request to Azure AD and then Azure AD can logout the user and redirect back the user to another page as specified in the request.

This detailed flow is documented here https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-single-sign-out-protocol-reference

Jeevan Desarda
  • 71
  • 2