When signing out of an Appian session that was authenticated via SP initiated SSO and Active Directory would we expect that user to be logged out of Active Directory entirely (e.g. all open sessions closed) or just logged out of the Appian session only?
The answer is that it depends on how you configure your IdP. But the two possibilities are that you sign out of everything, or that you're not really signed out. Because if you aren't signed out of the Active Directory entirely, when you try to go to an Appian page, it's going to redirect you to the IdP, which will say "oh yeah, you're logged in" and log you right back in to Appian. I can't think of a way with SSO that you'd be able to be logged out of Appian only (which is kind of the point of "Single Sign-On", right?).
Thanks for the reply Eliot. In that case I think we have an issue with our IdP as it looks like it's signing us out of AD when we sign out of Appian.
I don't suppose you know what they would need to change do you?
If you want Appian to NOT sign you out of AD, I think the solution would be to simply point the logout redirect/endpoint (in the IdP metadata file) to literally anything OTHER THAN the IdP logout endpoint. For example, instead of having
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.com/SingleLogOutService"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://yourappianurl.com/suite/tempo"/>
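As an added illustration of the metadata change described in the reply above (example code written for this thread, not Appian's or any IdP vendor's code), the script below parses an IdP metadata document and reports, for each SingleLogoutService entry, whether its Location points back at the IdP's own host (a real SAML single logout that ends the IdP session) or at some other host such as the Appian SP (so signing out of Appian leaves the AD/IdP session alive). The hostnames and the two metadata documents are constructed placeholders.

```python
"""Classify SAML SingleLogoutService endpoints in IdP metadata.

Added example for this thread; not code from Appian or any IdP.
Hostnames and metadata below are constructed samples.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def _metadata(slo_location):
    # Build a minimal constructed IdP metadata document with one SLO endpoint.
    return f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="{POST}" Location="{slo_location}"/>
    <md:SingleSignOnService Binding="{REDIRECT}"
        Location="https://idp.example.com/SingleSignOnService"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


# SLO pointing at the IdP: logout of Appian also ends the IdP (AD) session.
METADATA_GLOBAL_LOGOUT = _metadata("https://idp.example.com/SingleLogOutService")
# SLO pointing at the SP's own page: only the Appian session ends.
METADATA_LOCAL_LOGOUT = _metadata("https://yourappianurl.com/suite/tempo")


def idp_host(root):
    """Host of the IdP's SSO endpoint, falling back to the entityID host."""
    sso = root.find(".//md:IDPSSODescriptor/md:SingleSignOnService", NS)
    url = sso.get("Location") if sso is not None else root.get("entityID", "")
    return urlparse(url).hostname


def classify_logout(metadata_xml):
    """Return [(binding, location, ends_idp_session), ...] for each SLO entry.

    ends_idp_session is True when the SLO Location lives on the IdP's own
    host, i.e. a real single logout that will terminate the IdP session.
    """
    root = ET.fromstring(metadata_xml)
    host = idp_host(root)
    results = []
    for slo in root.findall(".//md:IDPSSODescriptor/md:SingleLogoutService", NS):
        loc = slo.get("Location", "")
        results.append((slo.get("Binding"), loc, urlparse(loc).hostname == host))
    return results


if __name__ == "__main__":
    for name, doc in (("global", METADATA_GLOBAL_LOGOUT), ("local", METADATA_LOCAL_LOGOUT)):
        for binding, loc, ends_idp in classify_logout(doc):
            print(f"{name}: {loc} -> ends IdP session: {ends_idp}")
```

A result of False for the SP-pointing Location is exactly the behaviour the reply describes: Appian's local session is cleared, but the IdP session survives, so the next visit to an Appian URL is redirected to the IdP and signed straight back in.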
Thanks Eliot that confirms what I suspected.