Wcs.samlauth question regarding logout

We are running Plone 6.1 with wcs.samlauth against Azure AD which is working perfectly fine.

For logout, a user would call https://our.site//acl_users/saml/logout

This redirects to Azure and Azure says "Your logged out"...and redirects back to Plone...however the user remains authenticated. The Plone frontend says "You are still logged in as user zope..."

Is there anything missing in the SAML configuration for Plone or on the Azure side?

Solved with a custom logout view clearing the __ac cookie.


@zopyx I'll fix it - Clear __ac plonse session cookie with SAML logout endpoint · Issue #14 · webcloud7/wcs.samlauth · GitHub

Will report back, once it's released

The issue you're encountering is likely due to Plone not clearing the local authentication session after the SAML logout. While Azure AD completes the logout and redirects back, Plone still considers the session active. To resolve this, ensure wcs.samlauth is configured with logout_requests_signed and logout_responses_signed enabled, and check that Azure AD supports and is correctly processing SAML Single Logout (SLO) requests and responses. Additionally, you might need to explicitly call Plone’s session termination (e.g., plone.logout) after SAML logout completes to clear the local session.
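
A way to verify the fix reported in this thread (a logout view that clears the `__ac` cookie): inspect the `Set-Cookie` headers of the logout response and confirm they actually delete the cookie. This is an added example, not code from the thread or from wcs.samlauth; the `/` cookie path and the sample headers are assumptions constructed for the illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import CookieError, SimpleCookie

SESSION_COOKIE = "__ac"  # Plone session cookie named in the thread
COOKIE_PATH = "/"        # assumption: the cookie was issued for the site root


def _is_expired(morsel, now):
    """True if Max-Age or Expires tells the browser to drop the cookie."""
    max_age = morsel["max-age"]
    if max_age != "":  # Max-Age takes precedence over Expires
        try:
            return int(max_age) <= 0
        except ValueError:
            return False
    if morsel["expires"]:
        try:
            expires = parsedate_to_datetime(morsel["expires"])
        except (TypeError, ValueError):
            return False
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return expires <= now
    return False  # no expiry attribute: this sets a cookie, it does not delete one


def clears_session_cookie(set_cookie_headers, name=SESSION_COOKIE, path=COOKIE_PATH):
    """Check a logout response's Set-Cookie headers for a deletion of `name`."""
    now = datetime.now(timezone.utc)
    for header in set_cookie_headers:
        jar = SimpleCookie()
        try:
            jar.load(header)
        except CookieError:
            continue
        morsel = jar.get(name)
        # A deletion only replaces the stored cookie if its Path matches.
        if morsel is not None and morsel["path"] == path and _is_expired(morsel, now):
            return True
    return False


# Constructed sample responses (not captured from a real site).
UNFIXED = []  # redirect back from the IdP with no Set-Cookie for __ac
FIXED = ['__ac="deleted"; Path=/; Expires=Wed, 31 Dec 1997 23:59:59 GMT; Max-Age=0']
WRONG_PATH = ['__ac="deleted"; Path=/acl_users; Max-Age=0']

if __name__ == "__main__":
    for label, hdrs in [("unfixed", UNFIXED), ("fixed", FIXED), ("wrong path", WRONG_PATH)]:
        print(label, clears_session_cookie(hdrs))
```

The check covers only what the browser is told to do with the cookie; it does not look at the cookie's Domain attribute or at anything held server-side.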