Preventing Unintended SSO Sessions When Logging Out of FusionAuth with Azure AD
-
I encountered an edge case with SSO behavior and wanted to understand how to handle it properly.
Scenario:
- UserA logs into Azure AD (acting as the SSO identity provider) and is successfully authenticated into our application via FusionAuth.
- UserA then logs out of our application.
- UserB, using the same local machine, attempts to log in.
- Instead of being prompted to enter their own Azure AD credentials, UserB is automatically logged in using UserA’s active Azure AD session, and FusionAuth generates a token containing UserA’s information.
Questions:
- How can we prevent this behavior?
- Does FusionAuth have any built-in mechanisms to ensure that the correct user session is used when a different user logs in?
Your guidance on resolving this issue would be greatly appreciated.
-
This behavior is a result of session management at the identity provider level (Azure AD), not FusionAuth. When federating authentication to an external IdP, FusionAuth does not control how sessions are managed within that IdP—Azure AD determines session persistence and re-authentication policies.
Why This Happens:
- When UserA logs out of your application, their Azure AD session remains active unless explicitly ended.
- When UserB attempts to log in, Azure AD automatically reuses the existing session (UserA’s session) instead of prompting for new credentials.
- Since FusionAuth relies on the identity assertion from Azure AD, it issues a token based on the session provided by Azure AD, resulting in UserA’s credentials being used.
How to Prevent This:
1. Ensure Proper Logout from Azure AD
- When logging out a user, also log them out from Azure AD to end their IdP session.
- This is typically done by redirecting the user to Azure AD’s logout URL during the sign-out process.
Example for Microsoft Entra ID (formerly Azure AD):
https://login.microsoftonline.com/common/oauth2/logout?post_logout_redirect_uri={your-app-logout-url}
- This ensures that UserA is fully logged out before a new user attempts to sign in.
2. Disable "Keep Me Signed In"
- Many IdPs, including Azure AD, offer a "Keep me signed in" option. If the machine is shared, instruct users not to enable this option, as it maintains the session even after closing the browser.
3. Enforce Re-authentication
- Some IdPs provide settings to force authentication on each login attempt.
- In Azure AD, you can modify your SSO session policies to require fresh authentication after logout or in specific conditions (e.g., IP changes, new browser sessions).
If your application requires frequent user switching, consider enforcing authentication via the prompt=login parameter in the Azure AD authentication request:
https://login.microsoftonline.com/{tenant_id}/oauth2/authorize?prompt=login
Summary
- FusionAuth trusts the session response from Azure AD, so this issue must be resolved at the IdP level.
- Logout must also happen at Azure AD, not just your application.
- Session settings in Azure AD should be configured to ensure proper user switching.
- For shared devices, instruct users not to use "Keep me signed in."
For more details, refer to Azure AD’s session management documentation or configure logout redirects properly within your FusionAuth setup.
-
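Added example (not code from the original thread or from FusionAuth): builds the Azure AD logout redirect with post_logout_redirect_uri and the authorize request with prompt=login described in the answer above, and checks that an outgoing authorize URL actually forces re-authentication. The tenant id, client id and app URLs are constructed placeholders; the FusionAuth /oauth2/logout step in the chain is assumed to be configured with the Azure logout URL as a registered post-logout redirect.

```python
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder values for this example only.
TENANT_ID = "00000000-0000-0000-0000-000000000000"   # placeholder tenant
CLIENT_ID = "11111111-1111-1111-1111-111111111111"   # placeholder app id
APP_LOGGED_OUT_URL = "https://app.example.com/logged-out"
FUSIONAUTH_URL = "https://auth.example.com"
AZURE = "https://login.microsoftonline.com"

# Only pre-registered URLs may be used as logout targets; an unchecked
# post_logout_redirect_uri is an open-redirect risk.
ALLOWED_POST_LOGOUT_URIS = {APP_LOGGED_OUT_URL}


def azure_logout_url(post_logout_redirect_uri: str, tenant: str = "common") -> str:
    """End the Azure AD (IdP) session, then return the browser to our page."""
    if post_logout_redirect_uri not in ALLOWED_POST_LOGOUT_URIS:
        raise ValueError("post_logout_redirect_uri is not a registered logout URL")
    query = urlencode({"post_logout_redirect_uri": post_logout_redirect_uri})
    return f"{AZURE}/{tenant}/oauth2/logout?{query}"


def logout_redirect_chain(tenant: str = "common") -> list[str]:
    """Ordered redirects a full sign-out walks through: FusionAuth session,
    then the Azure AD session, then our logged-out page (assumed layout)."""
    azure = azure_logout_url(APP_LOGGED_OUT_URL, tenant)
    fa_query = urlencode({"client_id": CLIENT_ID, "post_logout_redirect_uri": azure})
    return [f"{FUSIONAUTH_URL}/oauth2/logout?{fa_query}", azure, APP_LOGGED_OUT_URL]


def azure_authorize_url(tenant: str, redirect_uri: str, state: str) -> str:
    """Authorization request that makes Azure AD prompt for credentials
    even when another user's IdP session is still alive (prompt=login)."""
    query = urlencode({
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",
        "state": state,
        "prompt": "login",
    })
    return f"{AZURE}/{tenant}/oauth2/authorize?{query}"


def forces_fresh_login(authorize_url: str) -> bool:
    """True only if the outgoing authorize request carries prompt=login."""
    params = parse_qs(urlparse(authorize_url).query)
    return params.get("prompt") == ["login"]
```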