External IDP logout parameters

Steve Zerfas 21 Reputation points
2022-10-05T14:57:06.457+00:00

Hello,

We are using a custom policy in Azure B2C with Technical Profiles defined for each of our external IDPs. Login is working well, but the issue is with logout. For the POC we are using a free Okta developer account. We have it set up so that B2C calls the Okta "end_session_endpoint". The call is failing. The problem is that this endpoint requires a couple of parameters which, from the web debugger, I can see that B2C is not sending to Okta. We tested connecting directly to Okta (not using B2C) to verify that the logout works and what the parameters are. The two parameters we need to provide to Okta are "id_token_hint" and "post_logout_redirect_uri". Is there a way to configure B2C to pass these two parameters on logout?

Thank you
Steve Zerfas

Microsoft Entra External ID

Accepted answer
  1. Marilee Turscak-MSFT 36,851 Reputation points Microsoft Employee
    2022-10-10T22:33:24.917+00:00

    Hi @Steve Zerfas ,

    Thanks for your post! You are correct. Today, AAD B2C does not send an id_token_hint and post_logout_redirect_uri to federated IdPs when calling the IdP's end_session endpoint. There is an open feedback request for this here which you can upvote: https://feedback.azure.com/d365community/idea/637bc78d-cd18-ed11-a81b-6045bd853c94

    When working with external identities, it is expected behavior not to be logged out of the IDP once you log out of the app you signed up with. While directing the user to the end_session_endpoint will clear some of the user's single sign-on state with Azure AD B2C, it will not sign the user out of the user's social identity provider (IDP) session. If the user selects the same IDP during a subsequent sign-in, they will be reauthenticated without entering their credentials. If a user wants to sign out of your B2C application, it does not necessarily mean they want to sign out of their other account entirely.

    Since we don't own/control the IDP, signing out of your app through B2C does not mean you will be signed out of the IDP as well.

    This needs to be checked with the IDP (Okta) to see whether they have any feature that will help in this scenario. That said, there are some workarounds in this thread that involve redirecting to the provider and logging out there.

    Let me know if this helps. If you provide more details about your scenario I would be happy to bubble this up with the product team. I have also reached out to the product team to see if they can recommend any additional workarounds and will keep you posted about this.

    -

    If the information helped you, please Accept the answer. This will help us and other community members as well.
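The request shape the question describes, shown as an added example that is not part of this thread and not Okta's or Microsoft's code: a helper that builds the RP-initiated logout URL an application could redirect the browser to itself (the "redirect to the provider and log out there" workaround the answer mentions), and a model of the two checks the question says Okta applies, that id_token_hint is present and that post_logout_redirect_uri is a registered value. The issuer, client ID, registered redirect URI and the unsigned stand-in id_token are all constructed values; a real id_token_hint is the signed token Okta issued at login, and Okta's actual validation is not reproduced here.

```python
import base64
import json
from typing import Optional, Tuple
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample values (hypothetical tenant, not real Okta data).
OKTA_ISSUER = "https://dev-000000.okta.com/oauth2/default"
END_SESSION_ENDPOINT = OKTA_ISSUER + "/v1/logout"   # value from the discovery document
CLIENT_ID = "0oaexampleclientid"
REGISTERED_POST_LOGOUT_URIS = {"https://app.example.com/signed-out"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_sample_id_token(sub: str = "user-123", iss: str = OKTA_ISSUER) -> str:
    """Constructed, unsigned JWT standing in for the id_token issued at login.
    alg=none is used only because this placeholder is never signature-checked;
    a real id_token_hint carries the provider's signature."""
    header = {"alg": "none", "typ": "JWT"}
    claims = {"iss": iss, "aud": CLIENT_ID, "sub": sub, "exp": 0}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()), ""])


def build_logout_url(id_token: str, post_logout_redirect_uri: str,
                     state: Optional[str] = None) -> str:
    """RP-initiated logout URL (OpenID Connect RP-Initiated Logout 1.0):
    the end_session_endpoint plus the two parameters the question names."""
    params = {"id_token_hint": id_token,
              "post_logout_redirect_uri": post_logout_redirect_uri}
    if state:
        params["state"] = state   # echoed back on the redirect for CSRF binding
    return END_SESSION_ENDPOINT + "?" + urlencode(params)


def check_logout_request(url: str) -> Tuple[bool, str]:
    """Model of the provider-side checks before a session is ended:
    id_token_hint present and issued by this provider for this client, and
    post_logout_redirect_uri exactly matching a pre-registered value.
    A request with no query string, like the B2C call described above,
    fails the first check."""
    parsed = urlparse(url)
    if parsed.scheme + "://" + parsed.netloc + parsed.path != END_SESSION_ENDPOINT:
        return False, "not the end_session_endpoint"
    q = parse_qs(parsed.query)
    hint = q.get("id_token_hint", [None])[0]
    if not hint:
        return False, "missing id_token_hint"
    try:
        claims = json.loads(_b64url_decode(hint.split(".")[1]))
    except Exception:
        return False, "id_token_hint is not a JWT"
    if claims.get("iss") != OKTA_ISSUER or claims.get("aud") != CLIENT_ID:
        return False, "id_token_hint not issued for this client"
    redirect = q.get("post_logout_redirect_uri", [None])[0]
    if redirect is None:
        return False, "missing post_logout_redirect_uri"
    if redirect not in REGISTERED_POST_LOGOUT_URIS:
        return False, "post_logout_redirect_uri not registered"
    return True, "ok"


if __name__ == "__main__":
    token = make_sample_id_token()
    good = build_logout_url(token, "https://app.example.com/signed-out", state="xyz")
    print(check_logout_request(good))                  # (True, 'ok')
    print(check_logout_request(END_SESSION_ENDPOINT))  # what a bare B2C call looks like
```

The app-side workaround this illustrates is to end the B2C session first, then send the browser to the URL from `build_logout_url` with the id_token the app kept from the Okta login; the registered post_logout_redirect_uri must match the value configured in the Okta application exactly, including trailing slashes.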


1 additional answer

  1. Steve Zerfas 21 Reputation points
    2022-10-13T21:00:08.25+00:00

    Hello @Marilee Turscak-MSFT ,

    Thank you for the response and for confirming the functionality is not currently available. I upvoted the feature request that you linked to.

    We have had internal debates about logging the user out of the IDP for the reasons you describe. In our case it is difficult because in some environments clients use shared workstations where they just log into the product. What we are going to do for now is recommend if they share workstations, then they need their own unique logins to the workstation which effectively will keep the session separate.

    With B2C we were able to verify that it made the call to Okta's "end_session_endpoint" to log out of the IDP, but as mentioned the call will fail without the parameters. We will watch for the added functionality to provide the parameters. With manual testing of Okta's end_session_endpoint we are able to see that the call will do exactly what we need to do in terms of logging out the user, if we could provide the parameters. I fear other external IDPs we need to support will have the same requirement for the parameters. We tested with Okta because they are one of the biggest in the business and we need to be able to support them.

    Thank you for reaching out internally and any other suggestions you can make, otherwise we will advise customers and watch for the feature to get implemented.
    Steve

