Single sign out with Kratos and Microsoft Azure

[popstr]

Hi all,
We are successfully using Kratos (and Oathkeeper) for enabling our users to sign in using their Microsoft Azure AD accounts.
Now we want to be able to automatically sign out from our application (i.e. Kratos) when the user signs out from the Microsoft account on another page (e.g. office.com). I have entered a valid URL in the field called "Front-channel logout URL" in the Azure configuration, and it is called as expected, with a parameter called "sid" appended to the URL as a query param. (I would have expected the Kratos cookies to be appended to the request but they're not)

My problem is now that I don't know what to do with this "sid". I suppose it is a (microsoft) session id that i need to invalidate in Kratos, but I can't figure out how.

I asked ChatGPT and it told me i should just send a DELETE request to http://{kratos-host}:4433/session/{sessionId}. That seems simple enough, but i get an error called "security_csrf_violation", which is not totally unexpected.

I have searched my Kratos sqlite database for the sid i get from MS, but I can't find it anywhere.

[Benehiko]

Hi @popstr

I suspect you would need to have to specify the https://<project-url>/self-service/logout/browser URL to initiate the logout flow and then have a js function submit it automatically on the UI you have integrated with Ory (or a button). The session is available in the users' browser as a cookie, so loading the correct domain (your domain or ory project url) and submitting the logout request to ory from there should do the trick.

[popstr]

Thank you @Benehiko for your reply.
There is no cookie in the request, which surprised me. I think the browser should have appended the cookie header to the request. If I only had the cookie it would be trivial to create a logout url to Kratos and redirect to it. The only information I get from MS is this mysterious query param called "sid".

[popstr]

This is what the request that MS is making looks like. No cookies. Just a "sid" query param. Don't know what to do with it.. In this case it redirects back to "login" because there is no cookie, but I would like to change that.
My guess would be that Kratos knows about this sid (the Microsoft session id, i assume), and can invalidate the session related to that sid, but I can't figure out how. The documentation (https://www.ory.sh/docs/kratos/self-service/flows/user-logout) does not help.

[kmherrmann]

I found this: https://stackoverflow.com/questions/48957473/azure-ad-application-registration-logout-url-what-is-sid

It seems the SID parameter maps to the "session state" field that you should have gotten back when logging in the user via callback?

[popstr]

Thanks, it seems they have the same problem. But I don't see any solution - what should we do with the sid? It is called session_state in Kratos, but I still don't know what to do with it.
There should be some kind of url in Kratos that I can pass this sid to, in order to end the session, but I can't find it.

[hugotiburtino]

First step to start supporting SLO at all
ory/kratos#3166