Hi @Steve Zerfas,
Thanks for your post! You are correct. Today, AAD B2C does not send an id_token_hint and post_logout_redirect_uri to federated IdPs when calling the IdP's end_session endpoint. There is an open feedback request for this here which you can upvote: https://feedback.azure.com/d365community/idea/637bc78d-cd18-ed11-a81b-6045bd853c94
When working with external identities it is expected behavior to not be logged out of the IDP once you log out of the app you used while signed up. While directing the user to the end_session_endpoint will clear some of the user's single sign-on state with Azure AD B2C, it will not sign the user out of the user's social identity provider (IDP) session. If the user selects the same IDP during a subsequent sign-in, they will be reauthenticated, without entering their credentials. If a user wants to sign out of your B2C application, it does not necessarily mean they want to sign out of their other account entirely.
Since we don't own/control the IDP, signing out of your app through B2C does not mean you will be signed out of the IDP as well.
This needs to be checked with the IDP Okta if they have any feature that will help in this scenario. That said, there are some workarounds in this thread that involve redirecting to the provider and logging out there.
Let me know if this helps. If you provide more details about your scenario I would be happy to bubble this up with the product team. I have also reached out to the product team to see if they can recommend any additional workarounds and will keep you posted about this.
-
If the information helped you, please Accept the answer. This will help us and other community members as well.
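As an added illustration (not part of the answer above or of any Microsoft sample), the two-hop sign-out the workarounds describe: the app sends the browser to B2C's end_session endpoint with its own callback as post_logout_redirect_uri, and that callback then redirects to the federated IdP's end_session endpoint, since B2C will not forward id_token_hint there. All hostnames, paths and tokens are constructed placeholders, and the metadata dicts stand in for the OIDC discovery documents you would fetch from B2C and the IdP.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample metadata in the shape of an OIDC discovery document; the hostnames
# and paths are placeholders, not the tenant's or the IdP's real endpoints.
B2C_METADATA = {
    "end_session_endpoint": "https://contoso.b2clogin.com/contoso.onmicrosoft.com/b2c_1_susi/oauth2/v2.0/logout",
}
IDP_METADATA = {
    "end_session_endpoint": "https://idp.example.com/oauth2/v1/logout",
}


def build_end_session_url(metadata, post_logout_redirect_uri, id_token_hint=None, state=None):
    """OIDC RP-initiated logout request; id_token_hint and state are sent only when given."""
    params = {"post_logout_redirect_uri": post_logout_redirect_uri}
    if id_token_hint:
        params["id_token_hint"] = id_token_hint
    if state:
        params["state"] = state
    return metadata["end_session_endpoint"] + "?" + urlencode(params)


def build_chained_logout(app_base, b2c_id_token, idp_id_token=None, state=None):
    """Hop 1: B2C logout, returning the browser to the app's own callback.
    Hop 2: the URL that callback redirects to, the IdP's own end_session endpoint.
    The app must hold the IdP's id_token itself to send a hint on hop 2; B2C does not pass
    one along, so idp_id_token is optional here and the hint is simply omitted when absent."""
    hop1 = build_end_session_url(B2C_METADATA, f"{app_base}/signout-callback",
                                 id_token_hint=b2c_id_token, state=state)
    hop2 = build_end_session_url(IDP_METADATA, f"{app_base}/signed-out",
                                 id_token_hint=idp_id_token, state=state)
    return hop1, hop2


def on_signout_callback(query, expected_state, idp_logout_url):
    """Handle the return from B2C: continue to the IdP only if the state round-trips
    (the value we sent on hop 1 comes back on the post_logout_redirect_uri per OIDC);
    otherwise return None and do not forward the browser anywhere."""
    if query.get("state") != expected_state:
        return None
    return idp_logout_url


def params_of(url):
    """Query parameters of a URL as a flat dict, for inspection."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
```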