0 votes

Guys,

I have implemeted SSO with Azure AD with my test instance. I am using 2019.2. Works fine - MFA triggers etc.

But when I log out from Adaxes websites, it redirects me to "/Adaxes/WebApp_Name#/SamlSignOut" page. And there is a big blue sign in button, if user clicks again it - pages logs him back to the application without any Azure AD MFA challenge etc. Is it just happening with me or somebody else?

I believe SAML sign out method is not implemented here - https://docs.microsoft.com/en-us/azure/active-directory/develop/single-sign-out-saml-protocol

We have 100s of apps - like workday, service now - when you sign out , they kind of kill the access token and re-ask for authentication. This is a secured way of doing because it kills the access token and protects from back button and if user forgets to close browser etc.

If this is an application design issue, I would like to know ETA for the fix. It is going to attract some nasty looks from Infosec guys - specially when it is a user management tool.

by (460 points)

1 Answer

0 votes
by (216k points)

Hello Brajesh,

And there is a big blue sign in button, if user clicks again it - pages logs him back to the application without any Azure AD MFA challenge etc. Is it just happening with me or somebody else?

When a user initiates log out from a Web Interface, their token in Azure AD IdP stays valid. It allows them to use other services registered in the IdP.

I believe SAML sign out method is not implemented here

The method is not implemented with Adaxes because it logs out users from all the services registered in the IdP. It is done for the convenience of the users which use multiple services accessed via the IdP.

0

But it is a security vulnerability.

Doesn't matter if it logs out all other concurrent sessions in the same browser. Adaxes is a powerfull identity management application. This should be implemented keeping the security at mind not just convenience. May be have two sign-out options in the drop down. I am sure everybody will agree with that.

What is the solution here? Is there a way I can at least I can redirect the logout to a different URL and remove that big sig in button?

0

Unfortunately, there is no possibility to redirect logout to a different URL or remove the Sign In button.

Related questions

0 votes
1 answer

Hello, The report named Inactive users allowed to log in shows the Active Directory sign-in (Last-Logon-Timestamp) and Azure AD sign-in (Last Logon) but only for Active Directory ... updated by an Azure logic App. But we'd love to have this natively in Adaxes.

asked Dec 13, 2022 by Gavin.Raymen (40 points)
+1 vote
0 answers

Currently, users from Azure AD domains cannot log in to Adaxes Web interface and cannot use password self-service to reset their forgotten passwords. Cause Feature is not yet implemented. Will be implemented in one of the future releases.

asked Nov 16, 2022 by Adaxes (560 points)
0 votes
1 answer

Hello, I have 3 groups in my AD environment and want to show all the users that belong to each group. For example - Group 1 Group 2 Group 3 The existing report in the Adaxes ... -Usser D etc. Is there a way to create a report like this? Thank you in advance!

asked Nov 6, 2020 by sirslimjim (480 points)
0 votes
0 answers

Hi I'm trying to configure Azure SSO to work through an app proxy. The settings seem to be correct and the SSO is working properly when a user in on premise, but when ... which can be resolved, or would it be something for a future release? Many thanks Matt

asked Sep 25, 2023 by chappers77 (2.0k points)
0 votes
1 answer

Hello there, We have recently moved (almost) every computer from on-prem to cloud only and have setup some scheduled tasks to disable users based off of Last Logon and Last Logon ... in a different way? And if not, are there any plans to leverage that data?

asked May 21 by jacobchugg (20 points)
3,590 questions
3,278 answers
8,304 comments
548,166 users