When signing out of an Appian session that was authenticated via SP initiated SSO and Active Directory would we expect that user to be logged out of Active Directory entirely (e.g. all open sessions closed) or just logged out of the Appian session only?
The answer is that it depends on how you configure your IdP. But the two possibilities are that you sign out of everything, or that you're not really signed out. Because if you aren't signed out of the Active Directory entirely, when you try to go to an Appian page, it's going to redirect you to the IdP, which will say "oh yeah, you're logged in" and log you right back in to Appian. I can't think of a way with SSO that you'd be able to be logged out of Appian only (which is kind of the point of "Single Sign-On", right?).
Thanks for the reply Eliot. In that case I think we have an issue with our IdP as it looks like it's signing us out of AD when we sign out of Appian.
I don't suppose you know what they would need to change do you?
If you want Appian to NOT sign you out of AD, I think the solution would be to simply point the logout redirect/endpoint (in the IdP metadata file) to literally anything OTHER THAN the IdP logout endpoint. For example, instead of having

```xml
<!-- SingleLogoutService pointing at the IdP's own logout endpoint -->
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.com/SingleLogOutService"/>
```

```xml
<!-- SingleLogoutService pointing anywhere other than the IdP logout endpoint, e.g. back at Appian -->
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://yourappianurl.com/suite/tempo"/>
```
Thanks Eliot that confirms what I suspected.
So, following some testing, it looks like if we remove the <SingleLogoutService> element entirely from the IdP metadata file, Appian displays a page stating 'You have logged out successfully' with a link to 'Return to Appian', and the user is not logged out of AD, which is exactly what we want.
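A quick way to confirm which of the three behaviours discussed in this thread a given IdP metadata file will produce (SLO request sent to the IdP, logout redirected elsewhere, or no SingleLogoutService element at all) is to inspect the IDPSSODescriptor directly. The script below is an added example and is not code from this thread or from Appian; the metadata documents it parses are constructed in-line for illustration, the hostnames idp.example.com and yourappianurl.com are the ones used above, and the entityID and SingleSignOnService location are assumed placeholders.

```python
"""Classify what an SP-initiated logout will do, based on the
SingleLogoutService element in SAML IdP metadata.

Added example for this thread; not Appian's or the IdP's own code.
The metadata built by idp_metadata() is constructed sample input.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
SLO_XPATH = f".//{{{MD_NS}}}IDPSSODescriptor/{{{MD_NS}}}SingleLogoutService"


def idp_metadata(slo_location=None, binding=HTTP_POST):
    """Build a minimal constructed IdP metadata document.

    slo_location=None omits the SingleLogoutService element entirely,
    which is the configuration the thread ended up with. entityID and
    the SSO location are assumed placeholders, not real endpoints.
    """
    slo = (f'<md:SingleLogoutService Binding="{binding}" Location="{slo_location}"/>'
           if slo_location else "")
    return f'''<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://idp.example.com/sso">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://idp.example.com/sso/login"/>
    {slo}
  </md:IDPSSODescriptor>
</md:EntityDescriptor>'''


def describe_logout(metadata_xml, idp_host):
    """Return a dict describing the logout behaviour the SP will get.

    mode is one of:
      "none"           - no SingleLogoutService: SP ends only its own session,
                         the IdP session stays alive
      "idp_slo"        - SLO endpoint is on the IdP host: the SP sends a
                         LogoutRequest there and the IdP session is ended
      "local_redirect" - SLO endpoint points somewhere else: the SP ends its
                         session and the browser is simply sent to that URL
    """
    root = ET.fromstring(metadata_xml)
    elements = root.findall(SLO_XPATH)
    if not elements:
        return {"mode": "none", "location": None, "bindings": [], "warnings": []}

    locations = [e.get("Location") for e in elements]
    bindings = [e.get("Binding") for e in elements]
    warnings = [f"unexpected SLO binding: {b}"
                for b in bindings if b not in (HTTP_POST, HTTP_REDIRECT)]

    # urlparse().hostname is already lower-cased, so the comparison is
    # case-insensitive; a None hostname (relative URL) never matches.
    on_idp = any(urlparse(loc or "").hostname == idp_host.lower() for loc in locations)
    mode = "idp_slo" if on_idp else "local_redirect"
    return {"mode": mode, "location": locations[0], "bindings": bindings, "warnings": warnings}


if __name__ == "__main__":
    cases = {
        "SLO on IdP": idp_metadata("https://idp.example.com/SingleLogOutService"),
        "SLO pointed at Appian": idp_metadata("https://yourappianurl.com/suite/tempo"),
        "SLO element removed": idp_metadata(None),
    }
    for name, xml in cases.items():
        print(f"{name:22s} -> {describe_logout(xml, 'idp.example.com')}")
```

Run against a real metadata file with `describe_logout(open("idp-metadata.xml").read(), "your-idp-host")`. Note the security trade-off the thread accepts: in the "none" and "local_redirect" modes the IdP session survives the Appian logout, so on a shared or kiosk machine the next person to open Appian is signed straight back in as the previous user.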
Great! Glad to hear you were able to get it working the way you wanted!