Angel Z

SSO Mobile app logout

Hello,
We have set up SSO with Azure AD. We have enabled "Use native browser for user authentication on iOS".

When a user wants to log in, a Chatter agreement pops up which the user has to allow.

The problem is with the logout. The same pop-up is shown (Chatter Wants to Use salesforce.com to Sign In) and if the "Continue" button is clicked, the user is logged back in to Salesforce. The "Deny" button must be clicked in order to be logged out, which is confusing.

Has anyone been able to bypass such a scenario?
Best Answer chosen by Angel Z
Swetha (Salesforce Developers)
The behavior you indicated where it asked the messaging "Chatter wants to use Salesforce.com to sign-in" is part of the My Domain feature to "Use the native browser for user authentication on iOS". This will defer to Safari for the authentication and then you log in.

Now if you log out of the app you are successfully logged out, but the app will load up the last Login URL you had, in this case your My Domain, which will start the process and prompt for that Chatter message again. At this point the app is indeed logged out. If you select "Continue" again, it will take you back to Safari.

The key item here is your testing scenarios. We have no control over the session in Safari view when we defer to Safari. That is locked away from us by Apple. So in your testing scenario if there is still a session that iOS has in Safari, that will not ask you for credentials.

The first time is to determine if you need the "Use the native browser for user authentication on iOS" setting from my My Domain level. That is typically used if you have any forms of advanced authentication that our mobile app's webview cannot support (Intune conditional access, or device compliance checks, etc.). During normal user usage they would not be logging out of the app quickly following an initial login, so it's more likely that Safari view session will have expired.

So our mobile application does indeed log out when you select it, but we cannot control the session that may still exist in the Safari view.

Hope this answers your question. Thank you

All Answers

Swetha (Salesforce Developers)
Hi Angel,
Is this specific to iOS and not Android? Thx

Related: https://help.salesforce.com/s/articleView?id=000357880&type=1
Angel Z
Hi Swetha,

Related to only iOS