
Azure AD: Support SSO logout via end-session endpoint redirect #17283

@rak-phillip

Description


When using Azure AD as the auth provider, logging out only clears the Rancher session. The user's Azure AD session stays active, so clicking "Sign in with Azure AD" immediately re-authenticates without prompting for credentials.

Every other SSO-capable provider in Rancher (OIDC, Keycloak, SAML) supports single logout — they redirect the browser to the IdP's end-session endpoint to terminate the IdP session as well. Azure AD supports relying-party-initiated logout via https:///{tenant}/oauth2/v2.0/logout, but it is currently not exercised.

Proposed solution

Add new fields to the Azure AD Auth Provider form to support SSO logout:

  • Log out of Rancher and not Azure AD (default)
  • Log out of Rancher and Azure AD (includes all other applications registered with Azure AD)
  • Allow the user to choose one of the above in an additional log out step
  • End Session Endpoint: Active when SSO is active

Acceptance criteria

  • Azure AD config form exposes ssoLogout, endSessionEndpoint, and logoutAllForced fields with appropriate validation and help text
  • When ssoLogout is enabled and a user logs out, the browser is redirected to the configured end-session endpoint
  • id_token_hint is included when the R_AZUREAD_ID cookie is present; logout completes without it when absent
  • endSessionEndpoint can be configured
  • logoutAllForced prevents non-SSO logout when enabled, consistent with other providers
  • Unit tests cover the new fields and logout redirect logic
  • E2E test covers the happy path (SSO logout redirects correctly)
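As an added illustration of the logout decision the acceptance criteria describe (example code, not the Rancher dashboard's own), plain JavaScript that builds the end-session redirect. The field names and the R_AZUREAD_ID cookie come from the issue; the endpoint validation rule, the login.microsoftonline.com host, the tenant and the token values are assumptions or constructed samples.

```javascript
// Added example, not Rancher dashboard code. Field names (ssoLogout,
// endSessionEndpoint, logoutAllForced) and the R_AZUREAD_ID cookie come
// from the issue; the validation rule and sample values are assumptions.

// Parse a document.cookie style string into a name -> value map.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of cookieHeader.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Admin-supplied endpoint: require an absolute https URL with no query or
// fragment, so the parameters appended below cannot be clobbered (assumed rule).
function validateEndSessionEndpoint(value) {
  let url;
  try { url = new URL(value); } catch { return 'must be an absolute URL'; }
  if (url.protocol !== 'https:') return 'must use https';
  if (url.search || url.hash) return 'must not contain a query or fragment';
  return null;
}

// Decide what happens after Rancher has cleared its own session.
// logoutAll is the user's choice from the extra logout step, if one is offered.
function resolveAzureAdLogout({ config, cookies = {}, logoutAll, postLogoutRedirectUri }) {
  if (!config.ssoLogout) return { mode: 'local', redirect: null };
  // logoutAllForced removes the Rancher-only option entirely.
  const wantSso = Boolean(config.logoutAllForced) || Boolean(logoutAll);
  if (!wantSso) return { mode: 'local', redirect: null };
  const err = validateEndSessionEndpoint(config.endSessionEndpoint);
  if (err) throw new Error(`endSessionEndpoint ${err}`);
  const url = new URL(config.endSessionEndpoint);
  // id_token_hint only when the cookie is present; logout proceeds without it.
  if (cookies.R_AZUREAD_ID) url.searchParams.set('id_token_hint', cookies.R_AZUREAD_ID);
  if (postLogoutRedirectUri) url.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);
  return { mode: 'sso', redirect: url.toString() };
}
```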

Additional details

  • SSO has been implemented for multiple other auth providers. The exposed fields and expected behavior should be the same as for those providers.
