
I have created my own application in PHP that authenticates against Azure and then pulls data from Office 365 (Graph) - it works great!

When a user logs out of Office 365 I need them to be logged out of my application too.

I am using the Logout URL (within app registration) - which I believe is for this exact purpose. I can see my defined URL gets posted to as users log out, but I don't understand how I am supposed to match that to a user, i.e. how do I know which user has logged out? I can see that Azure is posting a SID field [sid] => c3db7b82-adef-43b6-b852-5955f877fbf9 but I don't understand how to match the SID to anything else to work out who the user is.

MarkB
  • 123
  • 1
  • 7

3 Answers

1

Do you need to know which user it is?

When user chooses to log out, you can:

  1. Redirect them to log out at AAD
  2. AAD redirects them back to your app
  3. Remove their session cookie for your app
    • If you need to clean up something, you could read the session cookie and figure out who they are
  4. Redirect them to some page -> User logged out
juunas
  • 54,244
  • 13
  • 113
  • 149
  • So I have the logout already redirect back to my app, but it isn't actually initiated by the user (so to speak). The user can be anywhere in Office 365 and click logout; my logout script then receives a POST from Microsoft with a SID but nothing else - how can I figure out which Office 365 user logged out? – MarkB Feb 25 '18 at 10:12
  • Ahh, you meant a remote logout :) That's actually a scenario I don't know so well. – juunas Feb 25 '18 at 10:43
  • Could you check if the SID matches the user's object id in AAD for example? – juunas Feb 25 '18 at 10:44
  • I have checked and the SID doesn't match with anything obvious at all, not the user object ID or authentication ID.... this is what I am struggling with. – MarkB Feb 26 '18 at 11:20
  • Ah.. I guess the SID could stand for Session ID. I've never really implemented Single Sign Out so I'll have to look around. – juunas Feb 26 '18 at 11:29
1

Just going to add some additional detail here based on MarkB's answer:

In my case, Azure was doing a [POST] back to my Reply Url.

When your application makes the request to Azure for authentication, as mentioned by MarkB, Azure makes a callback to a location on your site (which you define in the Reply Urls in the Azure App Registration Settings). The call to this callback URL will include some query string parameters (in my case it was "code", "id_token", "state", "session_state")

The session_state parameter is the one you want.

When you log out of your app (or Outlook 365, or whatever), the logout URL you specify in the application registration gets called. The SID query string parameter of that logout URL call lines up with the session_state mentioned above.

Just wanted to clear this up if anyone else was having an issue with this as well.

I couldn't figure out what you meant by the GET [session_state] until I looked in the browser debug tools on the network tab and noticed I wasn't getting a [GET] request, but a [POST] request.

cbeuker
  • 947
  • 1
  • 11
  • 21
  • This was exactly what I needed. It is "session_state" when you get your token, and "sid" when the logout message comes in. Also, if you do the standard redirect-to-Azure-to-log-out and the user has already logged out of Azure, you won't get redirected back to your webapp. I suspect people not working with my legacy code will not run into this problem. – Robert Nov 03 '20 at 18:44
0

Figured it!

Whilst setting up the application registration in Azure you must provide a Reply URL; it so happens Azure sends a GET [session_state] to the page you specify as the user logs in.

You will find that upon signing out a user's SID will match the session_state previously received via GET, allowing you to track the user.

MarkB
  • 123
  • 1
  • 7
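The matching described in the two answers above (store the session_state received at sign-in, then look it up when the logout URL is posted a matching sid), as an added PHP example that is not code from the question or any answer. It assumes a small `sso_sessions` table (created here in an in-memory SQLite database for demonstration) and an `open_store()`/`remember_sso_session()`/`handle_front_channel_logout()` layout of the author's choosing; the user object id `$userOid` is assumed to come from an id_token the app has already validated. The lookup is keyed on the posted sid rather than on a cookie because the logout request arrives from Microsoft's sign-out page, not from a request carrying the app's own session cookie, so the app must be able to find the local session without one.

```php
<?php
// Added example (not from the question or answers): map the session_state
// captured at sign-in to the app's own session, then invalidate that session
// when the registered logout URL receives a POST carrying the same value as sid.
// Assumed schema: sso_sessions(sid, local_session_id, user_oid, created_at).
declare(strict_types=1);

function open_store(): PDO {
    $pdo = new PDO('sqlite::memory:'); // constructed store for the demo; use a shared DB in production
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE IF NOT EXISTS sso_sessions (
        sid TEXT PRIMARY KEY,
        local_session_id TEXT NOT NULL,
        user_oid TEXT NOT NULL,
        created_at INTEGER NOT NULL)');
    return $pdo;
}

// Reply URL handler, after the token response has been validated:
// $sessionState is the session_state value from the callback, $localSessionId
// the app's own PHP session id, $userOid the object id of the signed-in user.
function remember_sso_session(PDO $pdo, string $sessionState, string $localSessionId, string $userOid): void {
    $stmt = $pdo->prepare('INSERT OR REPLACE INTO sso_sessions (sid, local_session_id, user_oid, created_at)
                           VALUES (?, ?, ?, ?)');
    $stmt->execute([$sessionState, $localSessionId, $userOid, time()]);
}

// Logout URL handler. $post is the posted form body, $destroy a callable that
// destroys a local session by id. Returns the user_oid whose session was ended,
// or null when the sid is malformed or unknown (in which case nothing happens).
function handle_front_channel_logout(PDO $pdo, array $post, callable $destroy): ?string {
    $sid = (string) ($post['sid'] ?? '');
    // Only a GUID-shaped value is looked up; anything else is ignored.
    if (!preg_match('/^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i', $sid)) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT local_session_id, user_oid FROM sso_sessions WHERE sid = ?');
    $stmt->execute([$sid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    $destroy($row['local_session_id']);
    $pdo->prepare('DELETE FROM sso_sessions WHERE sid = ?')->execute([$sid]);
    error_log(sprintf('front-channel logout: user %s, local session %s', $row['user_oid'], $row['local_session_id']));
    return $row['user_oid'];
}

// Destroy a PHP file-backed session by id without disturbing the current request's session.
function destroy_local_session(string $localSessionId): void {
    if (!preg_match('/^[A-Za-z0-9,-]{22,256}$/', $localSessionId)) {
        return; // not a valid PHP session id; refuse rather than guess
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_write_close();
    }
    session_id($localSessionId);
    if (session_start()) {
        $_SESSION = [];
        session_destroy();
    }
}

if (PHP_SAPI === 'cli') {
    // Offline walk-through with constructed values (no real Azure tenant involved).
    $pdo = open_store();
    $destroyed = [];
    $fakeDestroy = static function (string $id) use (&$destroyed): void { $destroyed[] = $id; };

    // Sign-in callback recorded session_state for user "oid-example" and local session "sess-abc".
    remember_sso_session($pdo, 'c3db7b82-adef-43b6-b852-5955f877fbf9', 'sess-abc', 'oid-example');

    // Later, the logout URL is posted with the same value as sid.
    $oid = handle_front_channel_logout($pdo, ['sid' => 'c3db7b82-adef-43b6-b852-5955f877fbf9'], $fakeDestroy);
    echo "signed out: ", var_export($oid, true), "; destroyed: ", implode(',', $destroyed), PHP_EOL;

    // An unknown or malformed sid is ignored.
    var_dump(handle_front_channel_logout($pdo, ['sid' => 'not-a-guid'], $fakeDestroy));
}
```

In the real logout endpoint the call would be `handle_front_channel_logout(open_store(), $_POST, 'destroy_local_session')` followed by a plain `200` response; the endpoint should do nothing else, since it is reachable without the app's own session cookie and the only trustworthy input it has is a sid that the app itself recorded earlier.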