3
votes

Based on the research I did, I believe ADFS (2016) supports OpenID Connect Session Management. But I could not find the end_session_endpoint of our installed ADFS 2016 server. I found that in Azure (https://login.windows.net/contoso.com/.well-known/openid-configuration) we have this endpoint as https://login.microsoftonline.com/[tenant]/oauth2/v2.0/logout. But unfortunately we don't see a similar endpoint in our installation. We have, for example, the authorisation endpoint, token endpoint, user endpoint, etc., but not this one.

Do we have to enable this with a different configuration, or does ADFS 2016 not support this in the standalone installation?

Appreciate your help.

2 Answers

1
votes

I don't think it does and even if it did: the Session Management specification is not finalized (it is an implementer's draft), in fact alternatives have been proposed, and it would be hard to ensure that it works against arbitrary RPs.

1
votes

Single SignOut is supported in ADFS 2016; make sure you have KB4038801 installed on all the AD FS servers.

For more info, see https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/development/ad-fs-logout-openid-connect
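
An added example, not part of the question or either answer: a check that reports which logout-related metadata an OpenID Connect discovery document advertises, and builds an RP-initiated logout request when `end_session_endpoint` is present. The host `sts.example.test`, the endpoint paths, the token string and both sample documents are constructed for illustration.

```python
import json
from urllib.parse import urlencode, urlsplit

# Logout-related metadata names from the OpenID Connect Session Management,
# RP-Initiated Logout, Front-Channel Logout and Back-Channel Logout specs.
LOGOUT_KEYS = (
    "end_session_endpoint",
    "check_session_iframe",
    "frontchannel_logout_supported",
    "frontchannel_logout_session_supported",
    "backchannel_logout_supported",
)


def logout_capabilities(discovery_json):
    """Return (advertised logout metadata, warnings) for a discovery document."""
    doc = json.loads(discovery_json)
    found = {key: doc[key] for key in LOGOUT_KEYS if key in doc}
    warnings = []
    endpoint = found.get("end_session_endpoint")
    if endpoint is None:
        warnings.append("no end_session_endpoint advertised")
    elif urlsplit(endpoint).scheme != "https":
        warnings.append("end_session_endpoint is not https")
    return found, warnings


def build_logout_url(end_session_endpoint, id_token, post_logout_redirect_uri):
    """Build an RP-initiated logout request for the advertised endpoint."""
    query = urlencode({
        "id_token_hint": id_token,
        "post_logout_redirect_uri": post_logout_redirect_uri,
    })
    return f"{end_session_endpoint}?{query}"


# Constructed sample documents (hypothetical server, not real output).
WITH_LOGOUT = json.dumps({
    "issuer": "https://sts.example.test/adfs",
    "authorization_endpoint": "https://sts.example.test/adfs/oauth2/authorize/",
    "token_endpoint": "https://sts.example.test/adfs/oauth2/token/",
    "end_session_endpoint": "https://sts.example.test/adfs/oauth2/logout",
    "frontchannel_logout_supported": True,
    "frontchannel_logout_session_supported": True,
})
WITHOUT_LOGOUT = json.dumps({
    "issuer": "https://sts.example.test/adfs",
    "authorization_endpoint": "https://sts.example.test/adfs/oauth2/authorize/",
    "token_endpoint": "https://sts.example.test/adfs/oauth2/token/",
})
```

Feed `logout_capabilities` the JSON returned by your own server's `.well-known/openid-configuration` document, before and after patching, to see whether the logout metadata appears.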