Azure-docs: Describe Single Sign Out API

Created on 17 May 2018 · 12 Comments · Source: MicrosoftDocs/azure-docs

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-openid-connect-code#single-sign-out

The documentation states:

Azure AD sends an HTTP GET request to the registered LogoutUrl of all the applications that the user is currently signed in to.

It would be helpful to have a description of the parameters that are submitted with this request.



All 12 comments

@danbtl Thanks for your feedback! We will investigate and update as appropriate.

@danbtl Please note that the Single sign-out section does provide steps on how to set the logout URL in the portal. Also, it says: "If you wish to support single sign out in your application, you must implement such a LogoutUrl in your application's code." Please find the reference to this published sample which implements the same.

@MohitGargMSFT The documentation is missing a description of the parameters that are sent when this URL is called.

If you wish to support single sign out in your application, you must implement such a LogoutUrl in your application's code.

It's not possible to implement this without knowing the exact parameters.

  1. Azure makes a GET request to the LogoutUrl; this is documented.
  2. What we do not know is what exactly is being sent to the logout URL. What would be appropriate is a sample payload that is sent to the logout URL, so we can design our applications appropriately.

OR, can MSFT please clarify whether the GET is called via the client or Azure AD is calling the GET? Documentation says 'Azure AD sends an HTTP GET'.

Thank you, @danbtl and @monteledwards for the additional info. I'm looping in @hpsin to help provide some answers and I'll update the docs based on his input and the discussion here.

This is a great question, and we'll definitely need to update the docs on this (for v1 and v2).

SSOut depends on your browser, and only signs the user out of applications on the web for applications that have been signed into on that browser. When your user is sent to the Azure signout page, the page opens invisible IFrames, each one pointing to a different application's configured LogoutUrl. Each application is then expected to delete the user's cookies (as they're receiving the request in the context of that browser) and perform whatever server-side logic is necessary to log the user out.

Only one query parameter is provided - the session id (sid), so if an app configures a logout URL of https://app.com/signout, they will receive https://app.com/signout?sid=GUID. This will only be helpful if your application has opted into the sid optional claim.

Tagging @danbtl and @monteledwards - Hello. In case you didn't see it, please see above response from @hpsin (our PM in this area). Thank you.

@hpsin Thank you for your answer, this is very helpful and I was now able to implement the SSOut in our custom application.

@CelesteDG I stumbled upon one more thing in my testing that might be noteworthy: The LogoutUrl must not be an HTTP URL, or the browser will silently fail to load the IFRAME due to mixed-content restrictions. @hpsin maybe the application configuration could validate if the LogoutUrl begins with https://.
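An added example (not from this thread, the linked sample or Microsoft's docs) of the application side of what @hpsin and @danbtl describe: a Python handler for the GET LogoutUrl?sid=GUID request that terminates every server-side session recorded against that sid, falls back to the session named by the browser's own cookie, expires that cookie, and a check that a configured LogoutUrl is https. The session store, cookie name and GUIDs are constructed.

```python
import re
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Constructed in-memory session store: app session id -> {"sid": AAD sid claim, "user": ...}.
# At sign-in the app must persist the `sid` claim from the ID token (the optional claim
# mentioned above) so a later front-channel logout can be matched to its sessions.
SESSIONS = {
    "app-session-1": {"sid": "0a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d", "user": "alice"},
    "app-session-2": {"sid": "0a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d", "user": "alice"},
    "app-session-3": {"sid": "ffffffff-1111-4222-8333-444444444444", "user": "bob"},
}
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
COOKIE_NAME = "app_session"  # constructed cookie name


def validate_logout_url(url):
    """Accept only absolute https:// URLs: an http:// LogoutUrl is blocked as mixed content
    by the browser when the sign-out page loads it in a hidden iframe."""
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.netloc)


def handle_front_channel_logout(query_string, cookie_header=""):
    """Handle GET <LogoutUrl>?sid=GUID issued from the Azure AD sign-out page.

    Returns (status, headers, terminated_session_ids). Always answers 200 so the
    caller learns nothing about whether the sid was known here.
    """
    sid = parse_qs(query_string).get("sid", [""])[0]
    terminated = set()
    if GUID_RE.match(sid):
        # Terminate every server-side session bound to this Azure AD session id.
        terminated.update(k for k, v in SESSIONS.items() if v["sid"] == sid)
    # The request is made by the user's own browser, so its cookies ride along: also
    # drop the session the cookie names, covering sign-ins where no sid was recorded.
    cookies = SimpleCookie()
    cookies.load(cookie_header)
    if COOKIE_NAME in cookies and cookies[COOKIE_NAME].value in SESSIONS:
        terminated.add(cookies[COOKIE_NAME].value)
    for key in terminated:
        del SESSIONS[key]
    headers = {
        # Expire the cookie. SameSite=None; Secure is what lets the cross-site iframe
        # request carry it in the first place.
        "Set-Cookie": f"{COOKIE_NAME}=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=None",
        "Cache-Control": "no-store",
    }
    return 200, headers, sorted(terminated)
```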

Hello @danbtl and @monteledwards - In case you haven't seen this other related question on signout, please see the thread here: https://github.com/MicrosoftDocs/azure-docs/issues/9919. Thank you.

@SaurabhSharma-MSFT @MohitGargMSFT - I think this issue can be closed. Thank you.

please-close

@danbtl We will now close this issue. If there are further questions regarding this matter, please reopen it and we will gladly continue the discussion.

Is there a single sign out for AD B2C? I see no LogoutUrl for AD B2C. I tried searching for it but I always see stuff for AAD only.

