
RP initiative logout is not working if identity zone is having SAML type identity provider configuration #3249

Open
Amitabh36 opened this issue Jan 21, 2025 · 4 comments

Comments

@Amitabh36

Suppose I have an identity zone like bmw, and in that identity zone I have configured Microsoft Entra as a SAML identity provider. If we call /logout.do in the bmw identity zone, UAA should trigger the SAML logout request to Microsoft Entra as part of the UAA RP initiative feature.

@strehle
Member

strehle commented Jan 22, 2025

Hi,
which UAA version do you use?
/info

The logout via /logout.do works with Entra, and I have a system in use in our landscape, so we need more error context.

@Amitabh36
Author

@strehle I am using UAA version 77.10.0. I have configured the Entra SAML IdP in one of the identity zones, but when I am calling logout.do, UAA is not triggering the SAML logout request to Entra.

@strehle
Member

strehle commented Jan 23, 2025

Curious, because with the new SAML implementation (77.24.x and higher) we manually tested everything with different providers. Therefore my recommendation now is: please use 77.25.0, which is the latest UAA.

But: in Entra / Azure you have Enterprise Apps -> your app -> SAML-based Sign-on -> Logout Url (Optional).
Was this optional part configured? I ask because if this field is empty, it explains your issue.
There should be something like https://[youruaa-host]/saml/SingleLogout/alias/[your-entity-id]

@Amitabh36
Author

@strehle Here, consider CF UAA as the service provider and Microsoft Entra as the identity provider.
If I trigger the logout from the CF UAA identity zone /logout.do, will CF UAA also trigger the SAML logout request to Entra to clear the user session? If yes, what should the configuration in CF UAA be to achieve this?
